Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I saw a conclusion that a C++ variadic function using C-style ellipsis can be vulnerable when an attacker designs some kind of input into the function to run arbitrary code. But how can it be done? I mean, how to design an attack vector to exploit the vulnerability?
If you mean a format string exploit to run arbitary code it works as such:
printf allows you to give a format string not matching the argument counts. In such a case variables are pulled off the stack. A function call (like printf) is done by putting all the function's arguments onto the stack, roughly like this:
(low addresses)
^^^^^^ stack growth direction ^^^^^^
---------printf-stack------------
printf function arguments
stack base pointer of caller
return address for when printf() ends
---------printf-stack------------ <-- stack base pointer register (cpu)
---------caller-stack------------
stack variables (int a = 5, char cstr[500] = "hello world!", etc)
caller function arguments
stack base pointer of caller-caller
return address for when caller() ends
---------caller-stack------------
(high addresses)
Reading out more arguments than were given will print the stack base pointer of the calling function, then the return address and eventually variables of the caller function.
To allow arbitrary code execution you need to overwrite the return address of any function. Unfortunately printf allows you to write a variable with %n (which, really is just a bad idea.). This will write the number of characters printed so far to the int pointer provided at the argument's position.
This doesn't seem useful at first, but the user could alter some stack variable to point to the return address on the stack. Then he could print an arbitrary number of characters and use &n to write that number of characters to that stack location (containing the return pointer for the function). The user can place his shellcode whereever and execute by returning into it.
A detailed video by LiveOverflow explaining all this can be found here.
I imagine similar behavior (writing to a pointer given as an argument) can be exploited in other variadic functions.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 3 years ago.
Improve this question
I am trying to read the documentation of the DOLFIN c++ library for finite element modelling located on this link:
https://fenicsproject.org/olddocs/dolfin/1.3.0/python/programmers-reference/index.html
but the documentation is hard to read, so for someone without c++ knowledge how you will read the following specification of parameters for the c++ method eval_cell() of the Expression class (https://fenicsproject.org/docs/dolfin/2017.2.0/python/programmers-reference/cpp/function/Expression.html):
Parameters:
double > & values (Array<) – (Array<double>) The values at the point.
Array< double > & x (const) – (Array<double>) The coordinates of the point.
ufc::cell & cell (const) – (ufc::cell) The cell which contains the given point.
After taking a look at the page t.niese linked in the comments I think this is a automatically generated documentation, with a really bad generator (like really really bad).
So, if we fix the butchered first line, realign some braces here and there and fix the position of const it might become clearer:
Parameters
const Array<double>& values1 – The values at the point.
const Array<double> &x – The coordinates of the point.
const ufc::cell &cell – The cell which contains the given point.
Meaning
You are dealing with a function that takes three parameters, the first and second are of type Array<double>, which seems to be generic container. The third parameter is of type ufc::cell, whatever this is. All three parameters are passed by reference (see the & before each variable name) and not by value. But they are not just passed as reference but actually as const reference (see the const), meaning that the function can't modify the objects you give to it.
I can't however say much about the comments for each parameter.
1 I assume the first parameter is also const, because it got the brackets, where the const is noted in the other two parameters, but this is just guessing.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
my question is write function prototypes for
A function, isAbleToVote, which accepts the age of a potential voter (as a double). The
function should return true if the value of the double is greater than 18 and return false
otherwise.
I wrote bool isAbleToVote(double)
A function, named printPrice, to print a product name and its price to the screen. Both
outputs (i.e., the product name and its price) are passed in as arguments.
I wrote Void printPrice(string product_name, double price)
A function, sizeOf, which accepts a string as its argument. The function should return the length of the string.
I wrote string.length sizeOf(string)
4.A function, named getInt, to print the following message to the screen “Please enter an integer”, and to return the value of the user input.
I wrote cout getInt("please enter an integer")
Am I write? if not what am i doing wrong?
You did well on 1 and 2, those are function prototypes. Though remember, C and C++ function prototypes are followed by a semicolon (to be pedantic)
3 is close, but string.length isn't a return type. Find the return type that best represents the length of a string (hint check the std::string::length() function or strlen() function).
4 is not a prototype. It is a statement. prototypes are simple the signature, without any code body. Read the requirement again and think of the minimal input and output data for the function. Hint there is nothing wrong with a void function that takes no arguments, if you don't need any input or output values.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I'm getting the error 'term does not evaluate to a function taking 1 arguments' on the following line in my code:
steerToSpiralRefPoint(m_CentrePos);
But I'm not sure why this is... Is it that the function will only take 1 argument as a parameter, but since the 'm_centrePos' variable holds more than 1 attribute, the function is effectively receiving several parameters?
I have defined 'steerToSpiralRefPoint' with the line:
CDirectOverflyItem steerToSpiralRefPoint = new CDirectOverflyItem::SteerStep(const CHeloData aHeloData);
'm_CentrePos' has been assigned the value 'cCentrePos' at the start of this file ('cCentrePos' is a variable of type 'CCoordinate', which has a number of attributes- latitude, longitude, altitude, etc).
'CDirectOverflyItem's also has a number of attributes- ground speed, wind speed, wind angle, etc.
Can anyone point out to me why I'm getting this error, and how I should correct it?
This expression
steerToSpiralRefPoint(m_CentrePos);
is a postfix expression of a function call. However as it follows from your post steerToSpiralRefPoint is not a function (or function pointer) but a pointer to an object. If you want to assign a value to the pointer then you have to write
steerToSpiralRefPoint = m_CentrePos;
Or if there is an operator function for this type then the code should look as
( *steerToSpiralRefPoint )( m_CentrePos );
And this construction
CDirectOverflyItem steerToSpiralRefPoint = new CDirectOverflyItem::SteerStep(const CHeloData );
is also invalid. You may not use qualifiers before variables in expressions. They may be used only in declarations.
It seems that the issue was that I was trying to pass the wrong data type into the parameter- it was expecting a 'CHeloData', but I was trying to give it a 'CCoordinate'.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I want to know how I can identify if my tuple is empty?
Note that I use std::tuble in conjunction with std::map as below:
typedef std::tuple<SDESType,INT32,std::string> SDesItem;
typedef std::map<SDESType,SDesItem> SDesItemMap;
Now I want to check if the second value of SDesItemMap, that is a tuple, is empty or not?
if(SDesItems[SDESType] != NULL) // this is error
std::tuple acts like three values tied together. It has no predefined "empty" or "zero" state, other than empty states of each of its members. Empty value is always contextual, and in general means a value lying outside the domain of the regular type's values.
For example, a natural number can only be 0 (or 1, depending on your definition) upward. Thus, using an int gives you a convenient way to represent a value that's outside of the domain, and should be treated irregularly.
To represent that cleanly in your example, use optional<tuple<...>> as a map value (if you want to specifically state "there's an empty value at a given key"). This type states that the possible values of the type you get by instantiating the optional template are now all of the values of the original type, and a special, nothing (/empty/none) value.
You can also state that parts of the tuple can be empty (nothing), like
tuple <
std::string, // empty string ("") can be treated as "empty state"
optional<int>, // if you don't want to treat 0 (or -1) as "empty"
>
optional<> is not a part of std:: yet, so you have to write your own implementation or use the Boost one. Another way would be using value_ptr (Boost again), but here it wouldn't probably give you any benefits.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Ive moved from autoit and am now learning C++ and some problems keep coming up.
The first one is storing character input. The problem is that I have no idea how many characters are in that line of the file (if you are reading a file) or how many letters a user is going to type (in a console application).
What is the best way to approach this problem?? I have heard about the string class, but I want to avoid it becuase I dont know how it works and that leads to vunerabilities etc.
Secondly...
In C you can load shellcode into memory, create a function pointer, and execute that code.
Is there any mechanism for this in C++???
Thirdly...
How does the interpreter iterate through char arrays for string output??? (char array[3];) Does the compiler keep track of the size of the array, or does it just keep reading from memory until it hits that \0 thing???
Lastly...
If Char * are just pointers to data in memory, then why does:
char * title = "Program Title";
this work??? where is the string literal stored in memory?? how is it referenced???
Thankyou very much. I greatly appreciate your help.
-Hyperzap
Investing your time in learning std::string is well worth the effort, as it takes care of a lot of hassle for you. If you don't want to take advantage of the features in C++, then why use C++ and not just C?
You can use the same code for this as you would in C.
Yes, iostream-output of C-style strings outputs until terminating zero. Once again, if you use std::string you do not have to care about such details.
Correct me if I'm wrong, but I think title would be a const char[] stored on the stack.
Example:
const char* hello = "Hello\0World";
cout << hello; // Prints only "Hello", i.e. up to terminating zero (\0)
The reason this works:
const char* hello = "Hello world";
cout << hello;
is because hello is really "Hello world\0"; - in other words, the compiler inserts a terminating zero.
Note that std::string doesn't do any magic. It too reads until the terminating zero:
string hello = "Hello\0World\n";
cout << hello; // Still only gives "Hello"
char* title = "String Literal" works because the compiler preallocates a memory location to store your string literal, thus you then get back a pointer to this memory location.
In c++, an array for which you know the size at compile time (as in your example: char array[3] is a type in itself, so the compiler does keep track of the size. However, if you do not know the size (ie. char array[]), it is just a pointer to char. However, you should be using std::vector in c++ (better safety and performance).
I'm not too sure about your other two questions (didn't quite understand them)