Exploiting Golang Unsafe Pointers


There are situations in which C interacts with Golang, for example in a library, and it is possible to exploit a Golang function that writes raw memory through an unsafe.Pointer parameter.

When Golang receives a null-terminated string in a *C.char parameter, it can be converted to a Golang string with s2 := C.GoString(s1). We can do string operations on s2 safely if the null byte is there.

When Golang receives a pointer to a buffer in an unsafe.Pointer and the length of the buffer in a C.int, and the length is not falsified, the buffer can be converted to a []byte safely with b := C.GoBytes(buf, sz).

But what happens if Golang receives a pointer to a buffer in an unsafe.Pointer and it is an OUT variable? The Golang routine has to write to this pointer unsafely. For example, we can create a Golang memcpy in the following way:



We convert to uintptr to index the pointer, then convert back to a pointer, cast it to a byte pointer and dereference it; every byte is written this way.

If b is controlled, the memory can be written and the return pointer of main.main or whatever function can be modified.

https://play.golang.org/p/HppcVpLfuMf
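The byte-by-byte copy described above, next to a bounded form, as an added example (this is not the author's code, which is at the playground link). The `frame` struct, the function names and the 0x41 fill are constructed for illustration; the adjacent `canary` field stands in for whatever lies after the caller's buffer, and the bounded variant assumes the C caller can pass the real capacity of the OUT buffer.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"unsafe"
)

// frame (constructed): an 8-byte OUT buffer with adjacent data in one allocation.
type frame struct {
	buf    [8]byte
	canary [4]byte
}

// rawMemcpy is the pattern described above: index through uintptr, cast back
// to *byte, write. It trusts len(src) and knows nothing about dst's size.
//go:noinline
func rawMemcpy(dst unsafe.Pointer, src []byte) {
	for i := range src {
		*(*byte)(unsafe.Pointer(uintptr(dst) + uintptr(i))) = src[i]
	}
}

// boundedMemcpy takes the destination capacity and refuses copies past it.
func boundedMemcpy(dst unsafe.Pointer, dstCap int, src []byte) error {
	if dst == nil || len(src) > dstCap {
		return errors.New("source does not fit destination")
	}
	rawMemcpy(dst, src)
	return nil
}

// run copies n bytes of 0x41 into buf and reports whether the canary survived.
func run(bounded bool, n int) (intact bool, err error) {
	f := frame{canary: [4]byte{0xde, 0xad, 0xbe, 0xef}}
	src := bytes.Repeat([]byte{0x41}, n)
	if bounded {
		err = boundedMemcpy(unsafe.Pointer(&f.buf[0]), len(f.buf), src)
	} else {
		rawMemcpy(unsafe.Pointer(&f.buf[0]), src)
	}
	return f.canary == [4]byte{0xde, 0xad, 0xbe, 0xef}, err
}

func main() {
	fmt.Println(run(false, 12))
	fmt.Println(run(true, 12))
}
```

The unchecked copy of 12 bytes into the 8-byte buffer silently overwrites the neighbouring field, while the bounded copy returns an error and leaves it untouched.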


The return address can be pinpointed, for example 0x41 buffer 0x42 address:



We can reproduce it by simulating the buffer from Golang in this way:


We can dump the address of a function and redirect the execution to it:


https://play.golang.org/p/7htJHJp8gUJ

In this way it's possible to build a ROP chain using the Golang runtime to unprotect a shellcode.
