Exploitable | Django application full of security holes | TLS library

ReadOnlySpan could work.

Have a look at All About Span: Exploring a New .NET Mainstay

A second variant of Span, called System.ReadOnlySpan, enables read-only access. This type is just like Span, except its indexer takes advantage of a new C# 7.2 feature to return a “ref readonly T” instead of a “ref T,” enabling it to work with immutable data types like System.String. ReadOnlySpan makes it very efficient to slice strings without allocating or copying, as shown here:

If you want the file name from the path, use Path.GetFileName method:

https://docs.microsoft.com/en-us/dotnet/api/system.io.path.getfilename?view=net-5.0

Example code from documentation:

%10$n means write the number of characters printed to the address pointed to by the 10th element on the stack, not the actual 10th element of the stack. This means that if the 10th element doesn't point to valid, writable memory, which it likely doesn't, then you will segfault upon trying to write to it.

I suspect SIMPLE is defeating the throughput benchmark by CSEing and hoisting a/3+b/3 and a%3+b%3 out of the loop, reusing those results for all 16 avg0..15 results.

(The SIMPLE version can hoist much more of the work than the tricky version; really just a ^ b and a & b in that version.)

Forcing the function to not inline introduces more front-end overhead, but does make your version win, as we expect it should on a CPU with deep out-of-order execution buffers to overlap independent work. There's lots of ILP to find across iterations, for the throughput benchmark. (I didn't look closely at the asm for the non-inline version.)

https://godbolt.org/z/j95qn3 (using __attribute__((noinline)) with clang -O3 -march=skylake on Godbolt's SKX CPUs) shows 2.58 nanosec throughput for the simple way, 2.48 nanosec throughput for your way. vs. 1.17 nanosec throughput with inlining for the simple version.

-march=skylake allows mulx for more flexible full-multiply, but otherwise no benefit from BMI2. andn isn't used; the line you commented with mulhi / andn is mulx into RCX / and rcx, -2 which only requires a sign-extended immediate.

Another way to do this without forcing call/ret overhead would be inline asm like in Preventing compiler optimizations while benchmarking (Chandler Carruth's CppCon talk has some example of how he uses a couple wrappers), or Google Benchmark's benchmark::DoNotOptimize.

Specifically, GNU C asm("" : "+r"(a), "+r"(b)) between each avgX = average_of_3 (a, b, avgX); statement will make the compiler forget everything it knows about the values of a and b, while keeping them in registers.

My answer on I don't understand the definition of DoNotOptimizeAway goes into more detail about using a read-only "r" register constraint to force the compiler to materialize a result in a register, vs. "+r" to make it assume the value has been modified.

If you understand GNU C inline asm well, it may be easier to roll your own in ways that you know exactly what they do.

If you import this as a panda frame, which lets call it df, you can do df.groupby[‘exploitable’].mean You could do .histogram or something for distribution.

the variables should be one after another on the stack

No, there is no such rule. Compiler should do anything, as long as side effects stay. A good compiler with optimizations should remove both variables from your code.

What are these weird bytes? The only thought I have in mind is the protection mechanism, but I disabled this, then what else it could be?

Padding between variables allocated on stack. Your non-optimizing compiler allocates stack variables aligned to an address divisible by 4. Hence 3 bytes padding between the next char variable. The values of the bytes are most probably left-over garbage left on stack by program initialization routines.

\x15\x45\x41\x42\x17\x45\x41\x42%16940c%7$hn%563c%8$hn does indeed refer to a sequence of 30 chars/bytes. snprintf (s.usr, 31, "%s", user); would therefore be needed to copy it.^[1] The extra count is because snprintf reserves a space for a NUL.

Since you need s.usr to be the start of a sequence of 30 characters, and you can only place 15 of the necessary characters there, your exploit can't work as-is.

This doesn't mean that the bug can't be exploited. It may be possible to write a shorter exploit that jumps to the remaining exploit located somewhere else, e.g. in user.^[2] But I don't have the necessary knowledge to asses the feasibility of this.

1. Of course, you would also need a larger area in s.usr, at least under normal circumstances.
2. user would contain <15-byte exploit>. The 15-byte exploit would jump to the remainder of the exploit.

I finally figured out where the risk is, and I had to figure it out for myself. Maybe all the people explaining this CORS exploit think that their readers will automatically know what's going on with cookies in a situation like this, and don't think it's even worth mentioning.

It certainly would have helped me if they'd mentioned it, however!

What I understand now is this:

1. You set up an API on myservice.com that allows CORS access, it lets anyone from any domain in, and it responds to XHR requests where withCredentials is true with the host's origin reflected back in the Access-Control-Accept-Origin header, rather than sending back *.
2. A user on mylegitapicustomer.com, which legitimately uses myservice.com, logs into your API, and gets back a session cookie that belongs to the myservice.com domain.
3. That user, using the same web browser, then visits evilhacker.com.
4. If the webpage from evilhacker.com issues an XHR request to myservice.com, all of the cookies that belong to the myservice.com domain go along for the ride!
5. Your website at myservice.com sees the session cookie it issued to the legit user who had visited via mylegitapicustomer.com and happily responds to the above request by making any requested changes to the user's account, or responds with any info about the user requested.
6. evilhacker.com can now receive any of this info, and/or perform any API actions, that legit access via mylegitapicustomer.com would have allowed.

It looks like you want everything after the first "- ". For this use instr() and substr():