The document contains technical information about software vulnerabilities and security exploits. It discusses memory corruption issues like buffer overflows, use-after-free vulnerabilities, and heap overflow attacks. It also covers injection attacks, deserialization of untrusted data, container escapes, and other common software vulnerabilities. The document emphasizes the importance of secure coding practices, threat modeling, code reviews, and security testing to identify and address vulnerabilities.
28.

    #include <stdio.h>

    int vuln() {
        char buf[512];
        gets(buf);      /* unbounded read: input longer than 512 bytes runs past buf */
        return 0;
    }

Disassembly of vuln():

    0x0804841d <+0>:  push ebp
    0x0804841e <+1>:  mov ebp,esp
    0x08048420 <+3>:  sub esp,0x204
    0x08048426 <+9>:  lea eax,[ebp-0x200]
    0x0804842c <+15>: mov DWORD PTR [esp],eax
    0x0804842f <+18>: call 0x80482f0 <gets@plt>
    0x08048434 <+23>: mov eax,0x0
    0x08048439 <+28>: leave
    0x0804843a <+29>: ret
Stack frame of vuln() (higher addresses at the top):

    . . .
    return address
    old ebp (saved frame pointer of main)
    buf (512 bytes):
        A A A A
        A A A A
        A A A A
        . . .
        A A A A
        A A A A
        A A A A
    . . .
29.

    #include <stdlib.h>
    #include <string.h>

    void vuln(unsigned width, unsigned height, char *src) {
        /* width * height is computed in 32-bit unsigned arithmetic and can wrap,
           so the allocation may be far smaller than the loop below assumes */
        char *img = malloc(width * height);
        for (unsigned i = 0; i < height; ++i)
            memcpy(&img[i*width], &src[i*width], width);
    }
Heap layout after the copy runs past img:

    +----------------------------------+------------------------------+
    | img                              | C++ object                   |
    | ... ... A A A A A A A A A A A    | A . . . A A A                |
    +----------------------------------+------------------------------+
                                         ↑ virtual function table pointer
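Added example, not code from the slides: the size check that the slide's vuln() is missing, with the wrapping unsigned product beside a checked one and a hardened copy routine. The names unchecked_size, image_size_or_zero and copy_image_safe, the extra src_len parameter and the 4x4 input image are my own constructions.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The slide's allocation size, computed exactly as the vulnerable
 * vuln() does: unsigned 32-bit multiply, so it wraps modulo 2^32. */
unsigned unchecked_size(unsigned width, unsigned height) {
    return width * height;
}

/* Checked size: returns 0 to mean "reject" (a zero dimension or a
 * product that would wrap).  Division avoids compiler builtins. */
size_t image_size_or_zero(unsigned width, unsigned height) {
    if (width == 0 || height == 0) return 0;
    if (width > UINT_MAX / height) return 0;  /* width*height would wrap */
    return (size_t)width * height;
}

/* Hardened copy: allocate only after the size check passes, and bound
 * the copy by src_len, the caller's real buffer length (a parameter the
 * slide's vuln() does not have). */
char *copy_image_safe(unsigned width, unsigned height,
                      const char *src, size_t src_len) {
    size_t size = image_size_or_zero(width, height);
    if (size == 0 || src_len < size) return NULL;
    char *img = malloc(size);
    if (img == NULL) return NULL;
    for (unsigned i = 0; i < height; ++i)
        memcpy(img + (size_t)i * width, src + (size_t)i * width, width);
    return img;
}

/* Round trip on a constructed 4x4 image; returns 1 when the copy matches. */
int demo_round_trip(void) {
    static const char src[16] = "0123456789abcdef";  /* constructed input */
    char *img = copy_image_safe(4, 4, src, sizeof src);
    int ok = (img != NULL && memcmp(img, src, sizeof src) == 0);
    free(img);
    return ok;
}

int main(void) {
    printf("unchecked 0x10000*0x10001 = %#x\n",
           unchecked_size(0x10000u, 0x10001u));         /* prints 0x10000 */
    printf("checked   0x10000*0x10001 = %zu\n",
           image_size_or_zero(0x10000u, 0x10001u));     /* prints 0 */
    printf("round trip: %s\n", demo_round_trip() ? "ok" : "FAILED");
    return 0;
}
```

The pair 0x10000 x 0x10001 wraps to a 64 KiB allocation in the unchecked version while the loop would still copy 0x10001 rows; the checked version refuses it before any memory is allocated.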
42.

    uname = request.POST['username']
    passwd = request.POST['password']
    # user-controlled strings are concatenated straight into the SQL text
    sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
    database.execute(sql)

Input:
    Username: user
    Password: pass' OR 1=1

Resulting query:
    SELECT id FROM users WHERE username='user' AND password='pass' OR 1=1'
98.

    array (PropertyArray):  b0  b1  b2  b3  ...  b1019  b1020  b1021

Scavenge/GC:

    Scavenger::ScavengeObject
      Scavenger::EvacuateObject
        HeapObject::SizeFromMap
          PropertyArray::synchronized_length
            LengthField::decode               -> returns 0
                                                 (array->synchronized_length() == 0)
        Scavenger::SemiSpaceCopyObject / Scavenger::PromoteObject
          allocate the new memory using the result of SizeFromMap

99.

    Before Scavenge/GC:
    array (PropertyArray):  b0  b1  b2  b3  ...  b1019  b1020  b1021

    After Scavenge/GC:
    array (PropertyArray):  ?   ?   ?   ?   ...  ?      ?      ?

Now in Old Space with size of 0, but we can still access up to 1022 properties!
100.

    // 'generator' is assumed to be set up on an earlier slide that is not included here
    for (let i = 0; i < 1022; i++) {
      generator.prototype['b' + i] = 0x1234;
    }
    for (let i = 0; i < 1022; i++) {
      try {
        document.write(i + " ==> " + generator.prototype['b' + i] + "<br>");
      } catch (e) { }
    }