#include <iostream>
#include <intrin.h>
struct Base {
    /// Root of the demo's class hierarchy. Its only purpose is to carry a
    /// vtable with one overridable method (printMe) following the destructor.
    Base() = default;
    virtual ~Base() = default;
    /// Writes "Base::printMe" (plus newline) to std::cout.
    virtual void printMe() { std::cout << "Base::printMe\n"; }
};
struct Derived : Base {
    /// The legitimate dynamic type behind `dptr` in main(); overrides the
    /// single virtual method slot that follows the destructor.
    Derived() = default;
    ~Derived() override = default;
    /// Writes "Derived::printMe" (plus newline) to std::cout.
    void printMe() override { std::cout << "Derived::printMe\n"; }
};
// imagine this is an attacker-created structure
// in memory
struct Evil {
    /// A type unrelated to Base/Derived whose first virtual method is laid out
    /// after its destructor, just like Derived::printMe. main() reinterpret_casts
    /// an Evil* to Derived* to show that a call landing on a genuine function
    /// entry point is not something CFG rejects.
    Evil() = default;
    virtual ~Evil() = default;
    /// Writes the two demo lines to std::cout.
    virtual void makeAdmin() {
        std::cout << "CFG does *not* prevent this control flow\n"
                  << "Evil::makeAdmin\n";
    }
};
static void evilFunction() {
    // Stand-in for code an attacker would want reached through a hijacked
    // vtable slot. main() points the fake vtable at evilFunction+0x20, i.e. into
    // the nop sled below rather than at the function's entry. CFG validates
    // indirect-call targets against the set of known function entry points, so
    // that call is expected to be rejected before any of this body executes.
    // __nop() is the MSVC intrinsic from <intrin.h>; the sled length and the
    // 0x20 offset used by main() depend on the compiler/optimizer settings.
    // create a nop sled so we can jump into the middle of this function
    // this is a very realistic scenario, as one is very unlikely to find
    // a function that does exactly what one needs, and you'd normally start
    // a ROP chain in the middle of some function
    __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop();
    __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop();
    __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop();
    __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop(); __nop();
    // Reached only when the mid-function call was NOT blocked (e.g. a build
    // without CFG); the message describes what CFG is supposed to prevent.
    std::cout << "CFG Prevents this control flow\n";
    std::cout << "in evilFunction() by simulating a fake C++ object\n";
    // exit() is declared in <cstdlib>, which this file does not include
    // directly — TODO(review): add the include rather than rely on transitive inclusion.
    exit(-1);
}
#pragma pack(push,1)
// a bare minimum virtual function table for a "Derived" object
// mem1 will be the printMe() function
struct vtbl {
    // Two-slot stand-in for the virtual function table a Derived object would
    // carry. mem0 is never dispatched through by the demo (main() sets it to
    // nullptr); mem1 is the slot Derived::printMe is dispatched through, and
    // main() fills it with an address inside evilFunction. The surrounding
    // #pragma pack(1) ensures no padding shifts the slot offsets.
    // NOTE(review): vtable slot order is ABI-specific; this layout matches what
    // main() assumes for the build it was written for, not a guarantee.
    void* mem0;
    void* mem1;
};
// create a fake version of a "Derived" object
// the bare minimum we need is a virtual function table pointer
struct FakeObj {
    // Attacker-controlled stand-in for a Derived object. The only field a
    // virtual call needs is the vtable pointer at offset 0, so main() can
    // reinterpret_cast a FakeObj* to Derived* and have printMe() dispatch
    // through `table`. Non-owning: main() points it at a stack-allocated vtbl.
    vtbl *table;
};
#pragma pack(pop)
int main(int argc, const char *argv[]) {
    // Demo entry point: three indirect calls through Derived::printMe's vtable
    // slot. The first two land on real function entry points (Derived::printMe,
    // then Evil::makeAdmin via a type-confused pointer) and are not something
    // CFG rejects; only the third, whose slot points into the middle of
    // evilFunction, is expected to be blocked. Requires a build with CFG enabled
    // (MSVC /guard:cf) to observe the block. argc/argv are unused.
    // Both heap objects are never deleted; the demo is expected to terminate
    // via the CFG fault (or exit(-1) in evilFunction) before returning.
    Evil *eptr = new Evil();
    Derived* dptr = new Derived();
    // set up a fake object to simulate an attacker
    // doing a type confusion or use-after-free or similar vulnerability
    // The slot for printMe is populated by evilFunction
    // NOTE(review): +0x20 assumes the nop sled occupies the first 0x20 bytes of
    // evilFunction; that depends on compiler/optimizer settings — confirm for
    // the toolchain in use. uintptr_t comes from <cstdint>, not included directly.
    vtbl table = {nullptr, (void*)((uintptr_t)evilFunction+0x20) };
    FakeObj fake = {&table};
    (void)(argc);
    (void)(argv);
    // Legitimate call: prints "Derived::printMe".
    dptr->printMe();
    // imagine a type confusion vulnerability
    // that does something similar
    // Casting between unrelated class types is undefined behaviour; the demo
    // relies on Evil's first virtual method occupying the same slot as
    // Derived::printMe, so Evil::makeAdmin runs here (ABI-dependent).
    dptr = reinterpret_cast<Derived*>(eptr);
    dptr->printMe();
    // again, imagine an attacker could craft their own
    // fake object and use it.
    dptr = reinterpret_cast<Derived*>(&fake);
    // CFG will block this call
    // (the target is not a function entry point, so the CFG check fails
    // before control transfers into evilFunction's nop sled)
    dptr->printMe();
    return 0;
}