Wednesday, May 31, 2023

C++ Std::String Buffer Overflow And Integer Overflow

Iterators and loop counters are usually written with signed integers, as in the typical "for (int i=0; ...", and that same int is then used to index "cstr[i]"; most code uses plain int, and int is signed by default.
Nevertheless, the index parameter of "std::string::operator[]" is size_t, which is unsigned, and so is the return type of size(); the same happens with std::vector.
On top of that, operator[] performs no bounds check at all, so a negative index is never rejected; I will come back to this later.

Don't the compilers warn about this?


If this code receives a large input, the int index wraps to a negative number. Let's see what g++ and clang++ warn about:



No warnings, so there are plenty of such bugs out there...

In order to reproduce the crash we can load a big string or vector from a file, for example:


I implemented a loading function that gets the file size with tellg() and allocates the buffer with malloc; the buffer is then used to build a std::string.
Let's see what assembly the compiler generates for this C++ code.



So the string constructor, then the call to size() and the addition of -2, are clear. Then comes operator<< to concatenate the strings.
Then we see the operator[] call, which is where it crashes with the negative index.
In assembly it is clearer: operator[] is called to obtain the element's address, and the dereference happens right after it. Because the negative int is converted to a huge size_t, operator[] returns an invalid address that crashes when it is read through [RAX].



In gdb the operator[] call is:

    callq  0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>

(the mangled name of std::__cxx11::basic_string<char>::operator[](unsigned long); the trailing "m" is the unsigned long parameter). The second argument, the index, is already negative:

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


Stepping into that PLT call first lands in the dynamic linker, which resolves the operator[] symbol lazily on its first use (the backtrace below is that resolution, not the operator itself):

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes on the MOVZX EAX, byte ptr [RAX]:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

With a C char array it is well known that, controlling the index, we can address arbitrary memory.
Let's see what happens with C++ strings:






The operator[] call returns the address of the string's buffer plus 10, so yes, we can do arbitrary writes.



Note that gdb displays AT&T syntax by default, in which the operands are in the opposite order:


And with a string that lives on the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm going to do 3 writes:


See below the command "i r rax" to view the address where the write will be performed.


The string buffer that operator[] indexes from begins at 0x7fffffffde50.
Writing at index -10 lands 10 bytes before it, at 0x7fffffffde46 (the int -10 becomes the size_t 0xfffffffffffffff6, and data() plus that value wraps around to data() - 10).
And writing at index -100 segfaults because the write lands on an address that is not mapped.
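The arithmetic behind both the crash (an int holding size() - 2) and the negative-index write above, as an added example that is not part of the original post: it reproduces the -65538 seen in rsi from an input size of 0xffff0000 bytes without allocating a 4 GiB file, shows what size_t a -10 index becomes and where operator[] would then point, and puts two bounds-checked accessors beside the unchecked one. Function names and the sample string are this example's own choices; nothing in it dereferences out of range.

```cpp
// Added example for this post (not the post's own code): reproduces the
// arithmetic behind the crash and the negative-index write without needing
// a 4 GiB input file, and shows bounds-checked alternatives.
// The function names and the sample string are this example's own choices.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// The post's pattern: "int i = s.size() - 2".  size() is size_t, so for any
// size above INT_MAX + 2 the result does not fit in int and the stored value
// wraps negative (modular truncation on gcc/clang; mandatory since C++20).
int penultimate_index_as_int(std::size_t size) {
    int i = size - 2;   // size_t -> int narrowing; silent without -Wconversion
    return i;
}

// What operator[] actually receives: its parameter is size_type (unsigned
// long on x86-64), so a negative int is sign-extended into a huge position.
std::size_t index_seen_by_operator(int i) {
    return static_cast<std::size_t>(i);
}

// The address operator[] hands back is data() + pos.  Computed here in
// uintptr_t arithmetic (wraps mod 2^64) rather than by forming an
// out-of-range pointer, so nothing here is undefined behaviour.
std::uintptr_t effective_address(const std::string& s, int i) {
    return reinterpret_cast<std::uintptr_t>(s.data()) + index_seen_by_operator(i);
}

// Shows that index -10 resolves to data() - 10: the same step as
// 0x7fffffffde50 -> 0x7fffffffde46 in the gdb session above.
bool negative_index_lands_before_buffer() {
    std::string s = "penultimate";   // short: SSO keeps the buffer inside the object
    return effective_address(s, -10) == reinterpret_cast<std::uintptr_t>(s.data()) - 10;
}

// Vulnerable shape: attacker-influenced signed index, unchecked operator[].
// Kept only to show the pattern; it is never called with a bad index here.
void unchecked_write(std::string& s, int i, char c) {
    s[i] = c;
}

// Hardened shape 1: validate sign and range explicitly before indexing.
bool checked_write(std::string& s, long long i, char c) {
    if (i < 0 || static_cast<unsigned long long>(i) >= s.size())
        return false;
    s[static_cast<std::size_t>(i)] = c;
    return true;
}

// Hardened shape 2: at() compares the (already converted) position against
// size() and throws std::out_of_range, so the huge size_t is rejected.
bool at_rejects_index(std::string& s, int i) {
    try {
        s.at(static_cast<std::size_t>(i)) = 'X';
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Correct way to read the penultimate byte: stay in size_t and check size().
// Returns the byte value, or -1 when the string is too short.
int penultimate_byte(const std::string& s) {
    if (s.size() < 2) return -1;
    return static_cast<unsigned char>(s[s.size() - 2]);
}

bool guards_reject_negative_index() {
    std::string s = "penultimate";
    return !checked_write(s, -10, 'A') && !checked_write(s, 11, 'A')
        && at_rejects_index(s, -10) && checked_write(s, 0, 'P') && s[0] == 'P';
}

int main() {
    // 0xffff0000 bytes of input reproduces the -65538 seen in rsi above.
    std::cout << "int index for size 0xffff0000: "
              << penultimate_index_as_int(0xffff0000ULL) << '\n';
    std::cout << "size_t seen by operator[] for -10: 0x" << std::hex
              << index_seen_by_operator(-10) << std::dec << '\n';
    std::cout << "-10 lands at data()-10: " << negative_index_lands_before_buffer() << '\n';
    std::cout << "guards reject bad indices: " << guards_reject_negative_index() << '\n';
    std::cout << "penultimate byte: " << static_cast<char>(penultimate_byte("penultimate")) << '\n';
    return 0;
}
```

Compile it with g++ -std=c++17 -Wall -Wconversion -Wsign-conversion: the narrowing in penultimate_index_as_int and the int index in unchecked_write are exactly the two lines those flags report, which neither -Wall nor -Wextra alone does.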



So std::string concatenation itself is probably not vulnerable to buffer overflows, but std::string::operator[] does no bounds or negative-index check, and that creates vulnerable and exploitable situations, often caused by a signed use of the unsigned std::string::size(). Two cheap checks: compile with -Wconversion and -Wsign-conversion (g++ and clang++ then warn on the narrowing of size() into an int and on an int index passed to operator[]), and build with -D_GLIBCXX_ASSERTIONS, which makes libstdc++'s operator[] assert on an out-of-range position; std::string::at() performs that check unconditionally and throws std::out_of_range.










Related posts

eWPT - Web Application Penetration



The eWPT - Web Application Penetration Testing Professional course from the popular eLearnSecurity Institute and INE is an advanced web penetration testing course. The prerequisite for this course is completion of the eJPT course. The eWPT course is one of the most popular courses in the field of web penetration testing or web hacking. This course is usually compared to the AWAE course from Offensive-Security and the SEC542 course from SANS. This course starts from a complete beginner in the field of web penetration testing and its topics continue to an advanced level. In this course you will gain an in-depth understanding of OWASP, the Burp Suite software, complete web application analysis, data collection, common bugs such as XSS and SQL Injection, session-based vulnerabilities, LFI / RFI, attacks on HTML, penetration testing of content management systems (CMS) such as WordPress, and penetration testing of SQL and non-SQL databases.


Course pre requisites

Completion of the eJPT course
Course specifications
Course level: Intermediate
Time: 16 hours and 18 minutes
Includes: ‌ 30 videos | 18 labs | ‌ 15 slides
Professor: Dimitrios Bougioukas
EWPT Course Content - Web Application Penetration Testing Professional
Web Application Penetration Testing
Penetration Testing Process
Introduction
Information Gathering
Cross Site Scripting
SQL Injections
Authentication and Authorization
Session Security
Flash
HTML5
File and Resources Attacks
Other Attacks
Web Services
XPath
Penetration Testing Content Management Systems
Penetration Testing NoSQL Databases


Tuesday, May 30, 2023

How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that the hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

More information

Vulcan DoS Vs Akamai

In the past I had to do several DoS security audits, with multiple types of tests and intensities. Sometimes several DDoS protections were present, like Akamai for static content and Arbor to absorb part of the bandwidth.

One consideration for DoS/DDoS tools is that you will probably lose control of the attacking host, so the tool at least has to be able to stop automatically on a timeout, but it can also implement remote response checks.

In order to size the minimum Mbps needed to flood a service, or to delay its response by a significant amount of time, the attacking hosts need a bandwidth limiter that increases the rate logarithmically up to a limit agreed with the customer/ISP/data center (CPD).

There are DoS tools that don't have these timeouts or a bandwidth limit in Mbps; for that reason I had to implement an LD_PRELOAD based solution: bwcontrol.

Although there are several good tools for stressing web servers and web applications, like Apache ab or other common pen-testing tools, I also wrote a fast web flooder in C++ named wflood.

As expected, the most effective attacks for taking down the web server were slow-loris, slow-read and their derivatives; few hosts were needed to DoS an online banking site.
Remote attacks against the database and highly dynamic web content were discarded, although those could be impacted for sure.

I wrote another tool in C++ for crafting massive amounts of malformed TCP/UDP/IP packets, which sometimes impacted load balancers and firewalls: vulcan. It froze even the firewall client software.

The funny thing was that the common attacks against Akamai hosts were ineffective, and so was the slow-loris family of attacks, because they are common and the Akamai nginx web servers are well tuned. But when vulcan was tried, little intensity was enough to crash Akamai hosts.

Another attack vector for static sites was trying to locate the customer's origin IP instead of Akamai: if the customer doesn't use the Akamai Shadow service, it is possible to perform an HTTP Host header scan and direct the attack to that host, bypassing Akamai.

And what about Arbor protection? It is good for reducing the flood, but there are other kinds of attacks, and this protection tends to be disabled by default, and on local holidays it can be a mess.
