Targeting V-Table Tips

Targeting V-Table TipsA typical assault vector with regard to software program created within C++ is actually V-table tip overwrites. Whenever C++ items tend to be allotted about the pile, for example once the “new” key phrase can be used, they frequently obtain place alongside additional items which are additionally about the pile. When there is a good unbounded create in order to among the items about the pile prior to a good item utilizing V-tables, this kind of assault is actually achievable.

Home windows offers mitigations within it’s userland pile supervisor which makes it hard in order to speculate that items is going to be following to one another about the pile. Which means that even though a good assailant understands that there’s a good unbounded create for an item about the pile, the actual assailant wouldn’t understand what item is actually following this about the pile, which makes it a lot more hard in order to take advantage of dependably.

The next instance signal utilizes Digital features, that suggest V-table utilization whenever put together using the Ms Visible C++ compiler:

/*

the next course meanings had been altered through Wikipedia’s Digital perform desk description post.

*/

#include

usingnamespace a sexually transmitted disease;

classB1 //base course

(

open public:

digital emptiness f0() ()

digital emptiness f1() ()

);

classB2 //base course

(

open public:

digital emptiness f2() ()

digital emptiness f3() ()

);

classD: open public B1, open public B2 ( //derived course inherits each bottom courses

open public:

emptiness d() ()

emptiness f0() () // override B1:: f0()

emptiness f1() () // override B1:: f1()

emptiness f2() () // override B2:: f2()

emptiness f3() () // override B2:: f3()

);

intmain(int argc, char* argv[])

(

B2 *b2 = brand new B2();

Deb *d = brand new D();

d->f0(); //vtable research

d->f1(); //vtable research

d->f2(); //vtable research

d->f3(); //vtable research

)

The most popular design within many of these digital perform searches is really as comes after:

Dereference the item tip that offers the V-table.
Dereference the actual appropriate V-Table tip inside the item through step one.
Dereference the actual appropriate perform tip within the V-table through 2.
Phone the actual perform present in step three.

Within Windbg, we are able to confirm which deb had been certainly allotted about the pile simply because the nearby parameters tend to be:

0: 000> dv

argc = 0n1

argv = 0x00574660

deb = 0x00574720

b2 = 0x005746e0

More information regarding exactly where the deb item is actually allotted:

0: 000>! pile -p -a 0x00574720

tackle 00574720 present in

_HEAP @ 570000

HEAP_ENTRY Dimension Prev Red flags UserPtr UserSize — condition

005746f8 0009 0000 [00] 00574700 0002c — (busy)

All of the over signal had been put together using the Ms Visible Facilities 2010 C++ compiler. This is actually the default compiler that may be down loaded along with Visible Facilities Incorporated Improvement Atmosphere. Additional compilers for example gcc upon Linux possess comparable item storage designs.

Both comments and pings are currently closed.

Comments are closed.

Powered by WordPress | Designed by: free Drupal themes | Thanks to hostgator coupon and cheap hosting