A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
1 vote, 1 answer, 53 views
How is "non-executable" implemented? [duplicate]
In "Hacking: The Art of Exploitation" it's said that the basic idea of stack overflow attacks is that the operating system can't differentiate instructions from data inside the stack, and the ...
1 vote, 1 answer, 47 views
Bypass va_randomize_space and stack-protector
Is a program compiled with the GCC -fstack-protector option and running in a Linux environment with the va_randomize_space kernel variable set to 1, totally protected against buffer overflow attacks?
...
4 votes, 1 answer, 118 views
Is this fprintf statement potentially vulnerable?
Here's the statement: fprintf(stderr, "Some random string\n").
Is it okay not to have a format specifier, such as %s, even though the statement doesn't take any user input? Is it still potentially ...
1 vote, 1 answer, 126 views
Can exploit vulnerability if program started with gdb, but segfaults if started without gdb
I'm currently trying to exploit a simple program called basic_vuln.c
#include <stdio.h>
#include <string.h>   /* declares strcpy; missing in the original excerpt */
int main(int argc, char** argv) {
    char buf[64];
    strcpy(buf, argv[1]);   /* unbounded copy from argv[1]: the intentional overflow */
    return 0;
}
I'm using xubuntu ...
1 vote, 2 answers, 66 views
How do I sanitize and check large numbers that will be sent to an unmanaged BigNum library like GMP?
I need to process data that is sent by users in a LargeNumber format. My current choices are
BigInteger (.Net Managed Code)
IntX (Managed Code, faster for some operations)
GMP / MPIR (Unmanaged ...
2 votes, 1 answer, 130 views
Occurrence of ROP gadget
I'm researching various buffer overflow techniques; one I have encountered and am pretty interested in at the moment is Return Oriented Programming (ROP), and the use of small groups of instructions known as ...
0 votes, 3 answers, 128 views
If NoScript is secure, is it possible our system is still compromised by crypto?
Perhaps all of us use NoScript when we visit untrusted web pages to block all scripts, plugins, etc., but still there is something besides plain HTML code that we don't block: the SSL connection! In HTTPS ...
2 votes, 1 answer, 122 views
Stack Smashing problem
I'm currently reading the popular article "Smashing the Stack for fun and profit" by Aleph One but I have a problem. I will try to isolate the problem and present to you only that detail.
Even if I ...
1 vote, 1 answer, 110 views
Using an off-by-one buffer overflow can I manipulate EIP to execute code located outside the target program?
This is for a Computer and Network Security class. I am not asking for the solution, rather just a pointer in the right direction.
The target program has an off-by-one vulnerability and is compiled ...
1 vote, 2 answers, 152 views
Linux kernel 3.2 syscalls
Just trying to get the assembler instructions for <__execve> of the code below because I want to build the shell spawn opcode list:
#include <stdio.h>
int main()
{
char *happy[2];
...
5 votes, 1 answer, 155 views
ROP Exploitation on ARM
I was wondering, since the Ret2Libc attack doesn't work on ARM and we have to rely on ROP for that: how different is ROP on ARM from the x86 architecture?
Are there any tools, such as mona.py ...
5 votes, 1 answer, 160 views
NX bit causes segfault on NOP slide?
Doing an assignment for university.
We have to exec a shell on a remote server. We're told the NX bit is not set, however, when we redirect to our injected code, the server has a segmentation fault. ...
1 vote, 2 answers, 99 views
Auditing EXEs to ensure buffer overflow protections are in place? (such as SEHOP, ASLR, and DEP)
According to this answer, it's possible to compile a GCC-based application without certain buffer overflow techniques. Perhaps this is even possible with Visual Studio.
How can I audit a given EXE ...
2 votes, 2 answers, 348 views
Stack Overflow on ARM: Null Bytes Issue
I am trying to follow the research paper by Tiger Security for ARM Exploitation: Link
For the simple stack overflow exploitation, the code is :
#include <stdio.h>
#include <string.h>
...
22 votes, 2 answers, 657 views
What is the most hardened set of options for GCC compiling C/C++?
What set of GCC options provide the best protection against memory corruption vulnerabilities such as Buffer Overflows, and Dangling Pointers? Does GCC provide any type of ROP chain mitigation? Are ...
14 votes, 2 answers, 1k views
How can vending machines be hacked? And how can I prevent it?
I am developing a vending machine and want to make it secure.
In a comment to my previous question, @Polynomial said "Vending machines (and similar devices) can often be pwned via buffer overflows on ...
1 vote, 1 answer, 53 views
sigsegv in php5.3.10
I found an overflow situation in php5.3.10. Probably it's not 'something new', but if I can understand this, it will help me to find this kind of bug faster in the future.
What can I do to check ...
1 vote, 1 answer, 171 views
SafeSEH and x64
I read here that
/SAFESEH is only valid when linking for x86 targets. /SAFESEH is not
supported for platforms that already have the exception handlers
noted. For example, on x64 and Itanium, ...
3 votes, 1 answer, 124 views
Stack canaries protection and ROP
As far as I know stack canaries are values written on the stack that, if overwritten by a buffer overflow, force the application to close at return.
My question is: if I overwrite both EIP and stack ...
3 votes, 2 answers, 192 views
Do I always have to overwrite EIP to get to write on the stack in a buffer overflow?
Do I always have to overwrite EIP to get to write on the stack in a buffer overflow? How's the memory organized? I can't find a proper graph with Google.
5 votes, 1 answer, 460 views
“Hello World” example of a Buffer Overflow attack in many programming languages
I'm looking for a very simple application that has an intentional Buffer Overflow embedded in it. I'm assuming this is possible in systems where DEP and ASLR are not being used.
Ideally (and if ...
4 votes, 2 answers, 637 views
How to get this to buffer overflow?
I'm trying to understand buffer overflow, and am working with a simple piece of code, as below.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof(char *str)
{
...
2 votes, 1 answer, 645 views
Stack smashing: keep getting segmentation fault
I have a homework assignment to do stack smashing. The exploit code creates a badfile which the vulnerable file reads, and a buffer overflow occurs. I have already done the 2 commands below to ...
2 votes, 1 answer, 185 views
How to completely prevent buffer overflows in networking software?
Is it possible to make software that is not vulnerable to any type of buffer overflow? For example, software that receives data packets and transfers them to their destination after data analysis.
1 vote, 1 answer, 167 views
Determining the target address in a heap overflow
For a heap overflow to occur and arbitrary code to be executed, the function free() performs the step:
hdr->next->next->prev = hdr->next->prev
I understand that the address of ...
12 votes, 3 answers, 3k views
Stack Overflows - Defeating Canaries, ASLR, DEP, NX
To prevent buffer overflows, there are several protections available such as using Canary values, ASLR, DEP, NX. But, where there is a will, there is a way. I am researching on the various methods an ...
7 votes, 4 answers, 395 views
Why don't computers check whether there are memory contents in some memory space?
Buffer overflow occurs because it writes to memory spaces that are used by, or will be used by other parts of the program.
Computer programs usually write to the memory location that has been ...
1 vote, 1 answer, 531 views
Any reasons why not to use randomize_va_space?
I've been looking a bit into kernel options for hardening, and there is one that seems to be a good idea to deploy: randomize_va_space. But before I activate that feature I started a Google search, ...
10 votes, 2 answers, 297 views
AMD64 overflows and null bytes
In the past, I have managed to overflow my own vulnerable programs, and those of others, but only ever in a 32-bit environment. Every time I try even a simple stack smash on a 64-bit machine, I run into ...
1 vote, 1 answer, 53 views
Dangers of a vulnerability in a local installer?
I sent a message to my dev manager about a buffer overflow in our (widely distributed) installer, and received a response that it didn't matter as it wasn't server code.
Other than the fact that if ...
2 votes, 1 answer, 171 views
What to do next for this possible buffer overflow?
I've been instructed to test a few of our newer applications before user release, and managed to find a buffer overflow on one of the fields.
Here is where I've run into a brick wall though, and ...
3 votes, 1 answer, 192 views
buffer/heap overflow - register of what is executed
When buffer overflow/heap overflow is executed, is EIP the one that tells which part will be executed next? Also, when exploiting the part that has buffer overflow vulnerability, after execution, will ...
3 votes, 1 answer, 84 views
php_register_variable_ex vulnerability question
Vulnerability I am referring to is:
http://www.securityfocus.com/bid/51830
And here in more detail:
http://auntitled.blogspot.com/2012/02/mini-poc-for-php-rce-cve-2012-0830.html
So basically what ...
0 votes, 2 answers, 1k views
Snort false positive?
I've set up snort and am configuring it for my network. I have one vpn server making a connection to my dns/AD server. This connection sets off:
GPL SHELLCODE x86 inc ebx NOOP
The payload is as ...
6 votes, 1 answer, 255 views
Sulley - optional element and command check
I'm currently using Sulley to fuzz my FTP server, but I'm having problems. I want to specify the STRU command, which has a syntax:
STRU [<SP> F|R|P] <CRLF>
I tried to specify the ...
1 vote, 1 answer, 2k views
Finding environment variables with gdb, to exploit a buffer overflow
I have to exploit a very simple buffer overflow in a vulnerable C++ program for an assignment and I am not able to find the environment variable SHELL.
I have never worked with BoF before, and ...
3 votes, 1 answer, 152 views
How do attackers gather remote feedback for identifying and exploiting buffer overflows?
Local buffer overflows are relatively easy to understand: throw some input at an interface and see if the process fails with a core dump or similar. However, in my mind, this kind of exploit works ...
3 votes, 1 answer, 864 views
Why do I get “Cannot find bound of current function” when I overwrite the ret address of a vulnerable program?
I want to exploit a stack based buffer overflow for education purposes. There is a typical function called with a parameter from main which is given as input from the program and a local buffer where ...
4 votes, 2 answers, 468 views
Difference between vulnerabilities on windows/linux/mac for same program
If someone finds a vulnerability like a buffer overflow in a program such as Google Chrome or Mozilla Firefox running on a Linux machine, are there any chances that this vulnerability will persist on ...
3 votes, 5 answers, 972 views
What programming language does this code use?
Watching this article:
http://www.exploit-db.com/exploits/13474/
I can see this:
/*
* NetBSD
* execve() of /bin/sh by humble of Rhino9
*/
char shellcode[] =
"\xeb\x23"
"\x5e"
"\x8d\x1e"
...
6 votes, 3 answers, 416 views
Remote return into libc attack
It is often shown that non-executable data segments are possible to bypass through return-to-libc attacks. It's evident on /bin/sh but is it also possible to invoke a remote shell?
14 votes, 4 answers, 641 views
Does compiling from sources “kinda” protect from buffer overflow attacks?
While discussing buffer overflows, somebody told me that compiling your own binary for an application (with specific compilation flags) instead of using the "mainstream binary" makes it more ...
10 votes, 7 answers, 1k views
Secure memcpy for pure C
Buffer overflows are nothing new. And yet they still appear often, especially in native (i.e. not managed) code...
Part of the root cause is the usage of "unsafe" functions, including C++ staples ...
31 votes, 8 answers, 2k views
Should I bother teaching buffer overflows any more?
The students are skeptical that turning off non-executable stacks, turning off canaries and turning off ASLR represents a realistic environment. If PaX, DEP, W^X, etc., are effective at stopping ...
5 votes, 5 answers, 885 views
Suggested reading list: OS exploits
In computer security, my areas of interest include x86 processors, binary exploitation and reverse engineering. I'm also interested in certain aspects of the Minix and Linux kernels (memory ...
12 votes, 3 answers, 715 views
Bypassing Address Space Layout Randomization
How effective is ASLR in preventing arbitrary code execution in a buffer overflow type exploit? How hard is it for an attacker to bypass this without simply guessing where the addresses are?
0 votes, 1 answer, 138 views
Does using many XML parsers (XDocument, XMLDocument) from the public Internet increase attack surface area?
I am coding an anonymous WCF service that allows others to post XML into it.
Does using different kinds of XML parsers XDocument, XMLDocument, or even 3rd party parsers increase the attack surface ...