In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a ...
0
votes
1 answer
48 views
Stack buffer overflow confusion
I am trying to dig deeper into the nuts and bolts of a stack buffer overflow using the classical NOP-sled technique.
Reading some articles and watching videos brought me to a confusion which can be ...
15
votes
1 answer
416 views
Could someone explain parts of the FBI's Firefox 0-day?
Here is the full Javascript (and related iframes) that the FBI apparently injected into all "Freedom Hosting" pages in the course of their recent takedown.
http://pastebin.mozilla.org/2776374
The ...
1
vote
3 answers
87 views
How to determine the size of payloads available in MetaSploit
I've noticed that there are a lot of different payloads to choose from in MetaSploit, and the choice (assuming there's enough room in the target) usually depends on what you're trying to do.
However, ...
-3
votes
0 answers
52 views
C code explanation [migrated]
Could anybody help me explain these lines of code?
char code[] = "paste your shellcode here";   /* raw machine-code bytes stored in a global char array */
int main(int argc, char **argv)
{
    int (*func)();                 /* declare a pointer to a function taking no arguments and returning int */
    func = (int (*)()) code;       /* point that function pointer at the start of the byte array */
    (int)(*func)();                /* call the array as if it were a function; the cast just discards the result */
}
...
5
votes
3 answers
109 views
Buffer overflow stack adjustment
I am quite new to buffer overflows and I am practicing right now different types of buffer overflow attacks. The shellcode was not executed until it was padded with NOPs, although it's set properly in ...
1
vote
2 answers
69 views
How to deal with MySQL's Errcode 13 when trying to write a shell
My attack machine is running Kali and the server is running CentOS 6.4 with DVWA.
I'm trying to write a shell through an SQL injection. The payload is
' UNION SELECT '', '<?PHP ...
21
votes
2 answers
1k views
Is it possible to write shellcode in C++?
Usually I write assembly programs and then dump their contents to get the shellcode. What I was wondering is whether I could write a C++ program instead of assembly, then dump and use that instead of ...
4
votes
3 answers
261 views
Is writing shellcode still a valid skill to have/learn?
Following up from this question: Should I bother teaching buffer overflows any more?
I am an IT sec researcher and also a security course instructor. Recently questions have been raised about the ...
9
votes
1 answer
192 views
NOPS in Metasploit
Problem
I do not know what a "NOP" is in Metasploit Framework or otherwise.
What I do know
MS Unleashed says, "Nops keep the payload sizes consistent."
A few question posts mention buffer ...
3
votes
2 answers
351 views
ASLR and how a program can actually call its functions
I'm studying protection techniques and I've got a doubt about how ASLR works for a program in a Windows environment.
As far as I know ASLR works by randomizing part of the imagebase address when ...
-1
votes
1 answer
112 views
E-mail with obfuscated code / no trace in e-mail server
I've got a situation where one of my clients sent me an e-mail with what appears to be obfuscated shell code. The really bizarre thing here is that I see no trace of this e-mail showing up in the mail ...
0
votes
1 answer
62 views
Shellcode Segfault mid execution?
In doing a university assignment, we are launching a shell on a remote server. That's all fine, I have connect back shell code, and when I hardcode the hex attack string into the server and jump to ...
5
votes
1 answer
220 views
NX bit causes segfault on NOP slide?
Doing an assignment for university.
We have to exec a shell on a remote server. We're told the NX bit is not set, however, when we redirect to our injected code, the server has a segmentation fault. ...
8
votes
1 answer
336 views
Better way to import Win32 APIs from injected shellcode
I'm injecting native x86 code into a .NET application, via a TLS callback in the binary image. Unfortunately, .NET executables only import mscorlib.dll within the PE, and have kernel32.dll mapped ...
1
vote
1 answer
224 views
SafeSEH and x64
I read here that
/SAFESEH is only valid when linking for x86 targets. /SAFESEH is not
supported for platforms that already have the exception handlers
noted. For example, on x64 and Itanium, ...
0
votes
1 answer
142 views
Does filtering HTML syntax prevent a web shell from being dropped through a textbox? [closed]
I have an admin panel that is running off a mysql db. On that panel, I have text boxes that allow an "Admin" to input plain text OR HTML Styling that will be displayed on a section of the site that is ...
3
votes
1 answer
158 views
Stack canaries protection and ROP
As far as I know stack canaries are values written on the stack that, if overwritten by a buffer overflow, force the application to close at return.
My question is: if I overwrite both EIP and stack ...
3
votes
2 answers
308 views
Do I always have to overwrite EIP to get to write on the stack in a buffer overflow?
Do I always have to overwrite EIP to get to write on the stack in a buffer overflow? How's the memory organized? I can't find a proper graph with Google.
9
votes
2 answers
1k views
How “leaking pointers” to bypass DEP/ASLR works
I was wondering if anyone could give me some clues on how "leaking pointers" to bypass DEP/ASLR work. I read here:
The only way to reliably bypass DEP and ASLR is through a pointer
leak. This ...
2
votes
1 answer
758 views
Stack smashing: keep getting segmentation fault
I have a homework assignment to do stack smashing.
The exploit code creates a badfile which the vulnerable program reads, and a buffer overflow occurs.
I have already done the 2 commands below to ...
2
votes
1 answer
175 views
How to achieve interactive shell attack?
Usually when a person gets a shell by attacking some vulnerabilities, what a person gets is a non-interactive shell.
So when I call the FTP interactive client, the shell fails.
Is there any way I can do ...
3
votes
2 answers
261 views
Shellcode that is smaller than 295 bytes that spawns a shell [closed]
Metasploit payloads produce more than 300-byte shellcodes.
But I want my shell-spawning shellcodes to be less than 295 bytes.
Can anyone show me the links to these shellcodes?
Thanks.
6
votes
3 answers
389 views
What methodologies are useful when reverse-engineering malware / shellcode?
Whilst I'm familiar with reverse engineering techniques from a technical standpoint, I've never found a good methodology for approaching and dissecting malware / shellcode. I've found hundreds of ...
2
votes
1 answer
220 views
What tricks can be used to prevent debugging?
What tricks can be used to prevent or hinder debugging?
Examples:
IsDebuggerPresent API on Windows
Exception handlers used for program flow.
GetTickCount / rdtsc checks.
Are there any good ...
4
votes
3 answers
784 views
Are there any tools that focus on shellcode analysis?
Shellcode presents certain challenges for disassembly. It often self-modifies, jumps to the stack (where the shellcode will likely be placed), and relies on certain unusual tricks that standard ...
21
votes
2 answers
4k views
How do ASLR and DEP work?
How do Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) work, in terms of preventing vulnerabilities from being exploited? Can they be bypassed?