Saturday, June 3, 2023

Exploiting Golang Unsafe Pointers


There are situations where C interacts with Golang, for example in a library, and it is possible to exploit a Golang function that writes raw memory through an unsafe.Pointer parameter.

When Golang receives a null-terminated string in a *C.char parameter, it can be converted to a Golang string with s2 := C.GoString(s1). We can then do string operations on s2 safely, as long as the null byte is there.

When Golang receives a pointer to a buffer in an unsafe.Pointer and the length of the buffer in a C.int, and the length has not been falsified, the buffer can be converted to a []byte safely with b := C.GoBytes(buf, sz)

But what happens if Golang receives a pointer to a buffer in an unsafe.Pointer and it is an OUT variable? The Golang routine has to write to this pointer unsafely. For example, we can create a Golang memcpy in the following way:



We convert the pointer to uintptr so it can be indexed, then convert it back to a pointer, cast it to a byte pointer and dereference it; every byte is written this way.

If b is controlled, memory can be written and the return pointer of main.main, or of whatever function, can be modified.

https://play.golang.org/p/HppcVpLfuMf
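The following is an added example, not the code from the original post: it puts the unchecked byte-by-byte copy described above next to a bounded variant and runs both against a constructed 8-byte OUT buffer followed by a canary. The names `boundedCopy`, `errTooLarge` and `demo` are hypothetical, and it assumes Go 1.17 or later for `unsafe.Slice` and that the caller can pass the destination capacity.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// unsafeMemcpy is the pattern the post describes: it trusts len(src) and
// has no idea how large the destination really is.
func unsafeMemcpy(dst unsafe.Pointer, src []byte) {
	for i := range src {
		*(*byte)(unsafe.Pointer(uintptr(dst) + uintptr(i))) = src[i]
	}
}

var errTooLarge = errors.New("source larger than destination capacity")

// boundedCopy (hypothetical helper) requires the caller to pass the OUT
// buffer's capacity and refuses any write that would exceed it.
func boundedCopy(dst unsafe.Pointer, dstCap int, src []byte) (int, error) {
	if dst == nil || dstCap < 0 {
		return 0, errors.New("invalid destination")
	}
	if len(src) > dstCap {
		return 0, errTooLarge
	}
	return copy(unsafe.Slice((*byte)(dst), dstCap), src), nil
}

// demo runs both copies against a constructed 8-byte OUT buffer followed by
// an 8-byte canary in the same array, and reports whether the canary survived.
func demo() (unsafeIntact, safeIntact bool, safeErr error) {
	src := []byte("AAAAAAAAAAAA") // 12 bytes, constructed input
	intact := func(m *[16]byte) bool { return string(m[8:]) == "CANARY!!" }

	var m1, m2 [16]byte
	copy(m1[8:], "CANARY!!")
	copy(m2[8:], "CANARY!!")
	unsafeMemcpy(unsafe.Pointer(&m1[0]), src)
	_, safeErr = boundedCopy(unsafe.Pointer(&m2[0]), 8, src)
	return intact(&m1), intact(&m2), safeErr
}

func main() {
	fmt.Println(demo())
}
```

An exported cgo function that takes an OUT pointer can only apply this check if its C signature also carries the buffer size, so the size parameter has to be part of the interface.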


The return address can be pinpointed, for example with 0x41 for the buffer and 0x42 for the address:



We can reproduce it by simulating the buffer from Golang in this way:


We can dump the address of a function and redirect execution to it:


https://play.golang.org/p/7htJHJp8gUJ

In this way it's possible to build a ROP chain using the Golang runtime to unprotect a shellcode.
