A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.


3 votes | 0 answers | 30 views

Return-oriented programming: how to find a stack pivot

I have a program with a heap overflow. It contains some code that is not randomized (is not using ASLR). I want to do a return-oriented programming exploit. Since this is a heap overflow, the first ...
0 votes | 1 answer | 28 views

Buffer overflow and memory attacks on AAA server [on hold]

I understand that it is quite possible to perform a buffer overflow on an AAA server, but are there any other memory attacks I should consider? And by using this attack may the attacker receive ...
0 votes | 1 answer | 89 views

Stack Guard vs Stack Shield

I would like to know why nowadays Stack Guard is used everywhere (example: ProPolice in GCC, /GS in Visual Studio), instead of Stack Shield. Both the approaches (i.e. Stack Guard & Stack Shield) ...
3 votes | 3 answers | 267 views

How is printf() in C/C++ a Buffer overflow vulnerability?

According to an article I just read, the functions printf and strcpy are considered security vulnerabilities due to Buffer overflows. I understand how strcpy is vulnerable, but could someone possibly ...
0 votes | 2 answers | 68 views

Can I read/write canary values from %gs register?

I would like to know if it is possible to read (or write) the canary values from %gs register. If "yes", how; and if "no", why? Also, I have been reading somewhere that the canary values are stored ...
2 votes | 1 answer | 176 views

Explaining a buffer overflow vulnerability in C

Given this C program: #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buf[1024]; strcpy(buf, argv[1]); } Built with: gcc -m32 -z execstack prog.c -o ...
0 votes | 1 answer | 55 views

What's the point of storing a copy of args? (the /gs flag)

When you add the /gs argument to Microsoft's compiler, it places a copy of args below the buffer variable. So, what's the point of keeping a copy of args?
2 votes | 0 answers | 125 views

How does SEH based exploit bypass DEP and ASLR?

I am new to structured exception handling based exploits. Why don't we put our return address directly in SE handler to jump to our shellcode? (with no safe SEH) Can anybody explain the reason of ...
3 votes | 2 answers | 127 views

How is stack smashing prevented?

I just read AlephOne's paper on smashing the stack and implemented it on my machine (Ubuntu 12.04). It was a bit old, so I had to take a lot of help from the internet, but I enjoyed it. Now, I want to ...
-1 votes | 3 answers | 94 views

Could there still be buffer overflows in, e.g., C?

I recently read about the $subject. Q: Why does a programming language have built-in trivial insecurity? Or was it just in the old times? How could this be?
0 votes | 1 answer | 91 views

Stack buffer overflow confusion

I am trying to dig deeper into the nuts and bolts of a stack buffer overflow using the classical NOP-sled technique. Reading some articles and watching videos brought me to a confusion which can be ...
5 votes | 3 answers | 136 views

Buffer overflow stack adjustment

I am quite new to buffer overflows and I am practicing right now different types of buffer overflow attacks. The shellcode was not executed until it was padded with NOPs although it's set properly in ...
1 vote | 2 answers | 186 views

Linux Memory Protection from buffer overflow

I am practicing Linux buffer overflow exploitation. When trying to exploit a vulnerability in crossfire, everything works well and I get the shellcode placed in the right place, and the program flow ...
4 votes | 3 answers | 125 views

What is a buffer overflow?

I'm learning C in a tutorial and have reached the point where the term "buffer" is being mentioned regularly. It has also mentioned how certain bad programming practices involving memory can be ...
2 votes | 1 answer | 89 views

How to implement canaries to prevent buffer overflows?

This is probably a very basic question. I've read about canaries, and how they work in theory. You have a global variable that you set to a random number in the prolog of a function, do your function, ...