Tagged Questions
4
votes
1 answer
119 views
Is this fprintf statement potentially vulnerable?
Here's the statement: fprintf(stderr, "Some random string\n").
Is it okay not to have a format specifier, such as %s, even though the statement doesn't take any user input? Is it still potentially ...
1
vote
1 answer
127 views
Can exploit vulnerability if program started with gdb, but segfaults if started without gdb
I'm currently trying to exploit a simple program called basic_vuln.c
#include <stdio.h>
#include <string.h>  /* declares strcpy */
int main(int argc, char** argv) {
    char buf[64];
    strcpy(buf, argv[1]);  /* unbounded copy into a 64-byte stack buffer: the overflow being studied */
    return 0;
}
I'm using xubuntu ...
5
votes
1 answer
155 views
ROP Exploitation on ARM
I was wondering, since a Ret2Libc attack doesn't work on ARM and we have to rely on ROP for that, how different is ROP on ARM from the x86 architecture?
Are there any tools, such as mona.py ...
2
votes
2 answers
349 views
Stack Overflow on ARM: Null Bytes Issue
I am trying to follow the research paper by Tiger Security for ARM Exploitation: Link
For the simple stack overflow exploitation, the code is:
#include <stdio.h>
#include <string.h>
...
1
vote
1 answer
53 views
sigsegv in php5.3.10
I found an overflow situation in php5.3.10.
Probably it's not 'something new', but if I can understand this,
it will help me to find this kind of bug faster in the future.
What can I do to check ...
1
vote
1 answer
171 views
SafeSEH and x64
I read here that
/SAFESEH is only valid when linking for x86 targets. /SAFESEH is not
supported for platforms that already have the exception handlers
noted. For example, on x64 and Itanium, ...
3
votes
1 answer
126 views
Stack canaries protection and ROP
As far as I know stack canaries are values written on the stack that, if overwritten by a buffer overflow, force the application to close at return.
My question is: if I overwrite both EIP and stack ...
3
votes
2 answers
194 views
Do I always have to overwrite EIP to get to write on the stack in a buffer overflow?
Do I always have to overwrite EIP to get to write on the stack in a buffer overflow? How is the memory organized? I can't find a proper graph with Google.
4
votes
2 answers
637 views
How to get this to buffer overflow?
I'm trying to understand buffer overflow, and am working with a simple piece of code, as below.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *str)
{
...
12
votes
3 answers
3k views
Stack Overflows - Defeating Canaries, ASLR, DEP, NX
To prevent buffer overflows, there are several protections available, such as using canary values, ASLR, DEP, NX. But, where there is a will, there is a way. I am researching the various methods an ...
1
vote
1 answer
53 views
Dangers of a vulnerability in a local installer?
I sent a message to my dev manager about a buffer overflow in our (widely distributed) installer, and received a response that it didn't matter as it wasn't server code.
Other than the fact that if ...
1
vote
1 answer
2k views
Finding environment variables with gdb, to exploit a buffer overflow
I have to exploit a very simple buffer overflow in a vulnerable C++ program for an assignment and I am not able to find the environment variable SHELL.
I have never worked with BoF before, and ...
3
votes
1 answer
152 views
How do attackers gather remote feedback for identifying and exploiting buffer overflows?
Local buffer overflows are relatively easy to understand: throw some input at an interface and see if the process fails with a core dump or similar. However, in my mind, this kind of exploit works ...
3
votes
5 answers
973 views
What programming language does this code use?
Watching this article:
http://www.exploit-db.com/exploits/13474/
I can see this:
/*
* NetBSD
* execve() of /bin/sh by humble of Rhino9
*/
char shellcode[] =
"\xeb\x23"
"\x5e"
"\x8d\x1e"
...
6
votes
3 answers
417 views
Remote return into libc attack
It is often shown that non-executable data segments are possible to bypass through return-to-libc attacks. It's evident on /bin/sh, but is it also possible to invoke a remote shell?