I was recently reading about buffer overflows and dangling pointers. I read "Smashing the stack for fun and Profit " by Aleph1 and that paper was really clear and concise in explaination. On the contrary when I search for dangling pointers, I get some resources on what they are. I also found a BlackHat presentation about it and I understood it (not totally though). It gives a high level overview on how the exploit would work. Is there a "Smashing the stack" kind of explanation of dangling pointers using a C/C++ program? Or someone could please explain exploiting dangling pointers in a easy way which I test using some code of my own?
Asked
Active
Viewed 3,553 times
2
-
How to exploit them, or how to create them? – Andrew Hoffman Jun 26 '14 at 20:44
-
Actually both. I want to write my own code to create it. And then exploit it. – Pervy Sage Jun 26 '14 at 20:50
-
In c++ its easy, create a class, reference it with a pointer, then dispose of it. Your pointer now points to where the instance of that class used to be, and is now a dangling pointer. – Andrew Hoffman Jun 26 '14 at 20:54
-
How do I dispose off a class? – Pervy Sage Jun 26 '14 at 21:45
-
Andrew meant create an object, not a class. Just create an object, delete the object immediately, and allocate something sensitive right after. If you're lucky enough the sensitive thing will be allocated where you just deleted or relatively close. – Steve Dodier-Lazaro Jun 26 '14 at 22:07
2 Answers
3
I just wrote a very simple example for demonstrating one possible form of dangling pointer vulnerability. You can directly run it and type "aaaaaaaaS" to reach the goal statement. Hope it would be helpful.
int main(){
char* data = (char *)malloc(32); // Assuming that the 9th char is critical...
data[8] = 'L';
printf("data buffer at address %x\n", data);
/* ...
* some complex program code here
* ...
*/
free(data); //the data buffer could be accidentially freed.
/* ...
* some complex program code here
* ...
*/
/* Here, the allocator could allocate the chunk of data buffer for the input buffer.
* Whether this will happen depends on multiple factors (allocation algorithm,
* the size of the buffer, etc.). For example, if you set the input buffer with
* size 64, this might not happen because the allocator will use a new chunk
* instead of reusing the old one.
*/
char* input = (char *)malloc(32);
printf("input buffer at address %x\n", input);
/* Assuming that the attacker can control the input. Now, the attacker can
* type aaaaaaaaS to write char 'S' to the critical space.
*/
scanf("%s", input);
/* The dangling pointer is used here to do a critical operation.
* Note that this bug might be hard to find because it will
* almost never trigger a crash.
*/
if(data[8] == 'S'){
printf("Pwn!\n"); // This is the goal of the attacker
}else{
printf("Pew!\n");
}
return 0;
}
ZillGate
- 354
- 4
- 11
-
`"this bug might not be hard to find because it will almost never trigger a crash"` <- You seem to be contradicting yourself here. A bug which doesn't cause a crash is usually harder to find than one which does. – Philipp Jun 27 '14 at 07:17
-
1
In C or C++, a dangling pointer is what you (as a programmer) get when you have a pointer to dynamically allocated memory, delete/free that memory, but keep using the pointer.
The pointer now points to unallocated memory and trying to access it will likely crash the program. However, under certain circumstances it can happen that the memory gets reallocated to something entirely different. The pointer is now suddenly valid again, but points to data it isn't supposed to point to, like data the user isn't supposed to access.
Philipp
- 48,867
- 8
- 127
- 157