A buffer overflow usually occurs when a program copies data into a buffer without checking that the buffer has enough space, so the excess data overwrites adjacent memory.
3 votes, 1 answer, 567 views
Buffer overflow on remote server
I'm a computer security student and I'm doing a project about remote buffer overflows. I developed a vulnerable server in C, with an unsafe use of strncpy function which actually copies 1024 bytes on ...
2 votes, 1 answer, 104 views
Cannot access return address on x86-32
I am trying my luck with buffer overflows, however, I am stuck at one point. I overwrite the return address, so that EIP will point into the address of the nop sled of my shellcode. However, when ret ...
2 votes, 1 answer, 84 views
Win32::SerialPort constructor goes buffer-overflow when reference variable is given
This works well:
my $PortObj;
$PortObj = new Win32::SerialPort ("COM12") || die "Can't open COM\n";
However when I try to provide a variable instead of "COM12" from TK Entry, like this:
my ...
2 votes, 1 answer, 266 views
Weird execution path caused by stack buffer overflow
I read some articles about Stack Buffer Overflow, like this one, and learned how attackers can exploit a Stack Buffer-Overflow bug by overwriting function pointers. Then I wrote a small program to ...
2 votes, 1 answer, 351 views
Printer buffer overflow over serial port
I have a printer (specifically, a Braillo 200 embosser) that is connected via a serial port to a computer running Windows 7. I installed a "generic text" printer in Windows and set it to use the ...
2 votes, 1 answer, 2k views
Is it possible to download Android SDK components without using the Android SDK management utility?
During the installation of my Android SDK, I am getting stuck during the process where the manager goes out and downloads all the revisions of the APIs and the SDKs.
It is potentially due to a socket ...
1 vote, 1 answer, 73 views
Modifying return address with a buffer overflow attack
So I am trying to modify the return address of this function to make it run forever. I realize that I need to replace the return address with the address of the function; this way it will loop forever.
...
2 votes, 0 answers, 255 views
Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled
Consider the following vulnerable code/program:
#include <string.h>
int main(int argc, char *argv[]) {
char buf[16];
strcpy(buf, argv[1]);
return 0;
}
On IA-32 (x86, 32-bit) ...
2 votes, 0 answers, 168 views
Possible buffer overflow bug in std::use_facet::out()
I think I have found a buffer overflow bug in the VC++10 std::locale object. I would be grateful for second opinions as to whether I am doing something wrong.
The code below is simplified to ...
2 votes, 0 answers, 174 views
Basic buffer overflow practice
I've been practicing some basic stack-based buffer overflow tasks recently
and I wrote a vulnerable program like this:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
...
1 vote, 0 answers, 49 views
How can I Buffer Overflow 64 Bit Applications?
Firstly I'd like to say that I've looked online and have yet to find anything of value. I have here a very VERY simple, standard BOF file to attack. I've compiled it in 64 bit mode:
#include ...
1 vote, 0 answers, 44 views
Buffer Overflow With Strncpy Vulnerability
I'm currently in a hacking class and am having trouble overflowing a buffer and overwriting the return address. I can get to the write address, I am just having trouble formatting the return address ...
1 vote, 0 answers, 102 views
Buffer overflow when launching program with system()
I'm currently using UNIX sockets to communicate between my C++ program and Webots (a robotic simulator). However, I've noticed that after some time (1~2 hours), Webots unexpectedly shuts down, without ...
1 vote, 0 answers, 161 views
Cleaning up stack in Buffer Overflow
I am performing a buffer overflow for educational purposes only. I have a function called that uses gets to receive input from the terminal. I want to force this function to return a specific value ...
1 vote, 0 answers, 63 views
Generating AlephOne-style visualizations of the stack?
In the widely-read "Smashing The Stack For Fun And Profit" tutorial, Aleph One presents C code examples like this:
void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
}
...
1 vote, 0 answers, 207 views
Overwriting saved eip to point to stdin?
A student in my class came up with a technique for exploiting buffer overflows that I have never seen before. (Frankly, I am surprised that it works.) I am curious if (1) anyone has seen a reference ...
1 vote, 0 answers, 897 views
BEX error on Windows Web Server 2008 R2 x64
I have built an application that causes a buffer overflow exception with the following signature on Windows Web Server 2008 R2 x64
Problem signature:
Problem Event Name: BEX
...
1 vote, 0 answers, 167 views
.NET - Buffer overflow
I have a .NET application that is crashing a couple of times a day in our production environment. I'm running Process Monitor on an affected PC and it's reporting buffer overflows in the following location ...
1 vote, 0 answers, 2k views
Android SDK installation error - "no buffer space available (maximum connections reached?): recv failed"
I am trying to get my environment setup to develop an android app so I downloaded the SDK (http://developer.android.com/sdk/installing.html).
After unpacking the files and running the SDK Setup.exe, ...
0 votes, 0 answers, 28 views
Why do I still get stack cookie exception although I disabled /GS flag in VS11 when compiling? Scenario: buffer overflow tutorial test
Recently I have tried to test a tutorial application demonstrating buffer overflows, written in C. I used the Visual Studio 2012 toolchain to compile and link the sources, and made sure the ...
0 votes, 0 answers, 10 views
List of programming languages in which a buffer overflow is possible
I wonder which programming languages have no defined standard for buffer overflow checking?
For example:
C and C++ by default do not check for out-of-bounds indexes; solution: use the C++ STL
...
0 votes, 0 answers, 56 views
Buffer overflow on x86_64 - return-to-libc attack (Linux)
After having studied and tested various types of attack on a 32-bit Linux machine (shellcode injection, return to libc, GOT overwriting) I focused on the 64-bit world. I didn't have any problems in the ...
0 votes, 0 answers, 28 views
Check for too long input
I'm using a queue of char[40] values, but I must protect against too long input. The only way I thought of is to create a 1 byte bigger array and check if \0 exists in it, but this clearly doesn't ...
0 votes, 0 answers, 19 views
Buffer overflow working with no breakpoints set, but not with a breakpoint set
I am developing a stack-based buffer overflow for a class. The entire payload is delivered through an environment variable due to the nature of the application. This environment variable is set before ...
0 votes, 0 answers, 17 views
How to insert complex input in gdb dynamically
I need to insert shellcode and its address, but I can detect the address of the buffer only after I run the program in gdb.
The input is complex. If I knew the address, I would run the program like ...
0 votes, 0 answers, 35 views
Strange Klocwork issues reported for C++ project
I am finding that some of the issues reported by Klocwork are very strange. For example:
if(NULL == m_pMutex.get())
{
Log("found unexpected sharedPtr m_pMutex");
return -1;
}
...
0 votes, 0 answers, 61 views
What would an instruction in assembly (x86) be that could cause a buffer overflow?
I'm trying to get my head around buffers / buffer overflows in assembly language. I understand that if a buffer is created and the data being put into it is larger than the buffer, it will overflow.
...
0 votes, 0 answers, 22 views
VC6 ADO Execute buffer overflow
So I've been having a problem in production that was seemingly exposed by a service pack upgrade. It appears to be some kind of buffer overflow in the Execute method of an ado _ConnectionPtr object. ...
0 votes, 0 answers, 22 views
Buffer Overflow EIP Not Pointing to Where I Tell it to Point
I'm having an issue. My EIP points wherever it damn well pleases. I am 100% sure I have the correct offset. For example:
run `python -c 'print ...
0 votes, 0 answers, 48 views
Where RET points and why SEGFAULT happens
I am studying the art of exploitation and I have the following problem related to the "notesearch" exploit. I have my shellcode in the environment
root@bt:~/tests/c-tests# env | grep SHELL
...
0 votes, 0 answers, 44 views
Buffer Overflow: Format String
Which input string should an attacker enter to get exactly the content of pw?
void func(char *in)
{
char *pw = "53cr37p455";
printf(in);
}
void func2(void)
{
printf("Dummy string.\n");
}
...
0 votes, 0 answers, 119 views
Starting a new shell in a strcpy exploit using buffer overflow
I'm learning about buffer overflows and have this vulnerable code which I'm trying to start a shell from:
#include <string.h>
void myfunction(char *arg);
int main(int argc, char **argv)
{
...
0 votes, 0 answers, 77 views
Passing parameter to a function reached via a buffer overflow
I have written this simple main that I compiled with the flag -fno-stack-protector.
#include <stdio.h>
int pos;
char c = 0;
void
bof(unsigned int i)
{
fprintf(stderr, "BOF %u\n", i);
}
...
0 votes, 0 answers, 94 views
How to Write in Arbitrary Memory Addresses
Regarding the topic "Writing to Arbitrary Memory Addresses" from "Hacking: The Art of Exploitation".
When I issue a change to the value of test_val, the value of test_val doesn't change. Could anyone ...
0 votes, 0 answers, 191 views
Problems exploiting a buffer overflow
Some days ago I wrote some simple code to test a buffer overflow exploitation on an x86 system. In order to keep it simple I disabled ASLR and NX, so there is no protection that could cause weird ...
0 votes, 0 answers, 119 views
Buffer Overflow exploit
#include <stdio.h>
#include <stdlib.h>
#define TABLELEN 7
int table[] = {2, 3, 5, 7, 11, 13, 17};
void loadTable(int *hashtable) {
int i;
for (i = 0; i < TABLELEN; i++) {
...
0 votes, 0 answers, 178 views
How does an SEH-based exploit bypass DEP and ASLR?
I am new to SEH-based exploits.
Why don't we put our return address directly in the SE handler to jump to our shellcode? (with no SafeSEH)
Can't anybody explain the reason for using pop pop ret?
I read ...
0 votes, 0 answers, 89 views
Why do the EIP contents not execute?
I used buffer overflow and wrote on ret address in stack. When I debug it with gdb, I understood that the eip sets to the address that I want. The address is a gadget in libc. The opcode of the ...
0 votes, 0 answers, 70 views
Missing got.plt entry in C?
I'm currently messing with this paper on stack smashing http://www.exploit-db.com/papers/24085/ , trying to first overflow item1.next with the address of exit()'s entry in got.plt. After that an address ...
0 votes, 0 answers, 67 views
Locating null bytes in shellcode
I have injected my exit syscall shellcode:
bb 14 00 00 00
b8 01 00 00 00
cd 80
In spite of having null bytes, it works. I don't know why.
On the other hand, when I try to execute a ...
0 votes, 0 answers, 99 views
What does this assembly exploitation code mean?
I want help understanding this exploitation demo which I'm studying for my exam. I don't have any idea about any of it, so please help. If you can, please comment on each line so I can ...
0 votes, 0 answers, 67 views
Java NativeBufferOverflow Exception - Can anyone explain why this happens?
I have created an application which reads data from 2 sensors over a TCP-IP connection.
The data is transmitted in the form of a byte stream, received by a socketchannel object, where it is then ...
0 votes, 0 answers, 119 views
Buffer overflow exploit not working on gcc
I was trying to run this buffer overflow exploit against vulnerable code, vuln.c, on gcc (I found this in some tutorial and the code is not mine). The shellcode spawns a shell.
exploit.c code:
#include ...
0 votes, 0 answers, 141 views
Jack ring buffer
I have a problem with jack_ringbuffer: when the jack ring buffer is full it does not get any more new data. I want the ring buffer to release the old data when it is full and the new data is received.
I'm using ...
0 votes, 0 answers, 117 views
Buffer overflow using an environment variable - problems
I'm taking a class on security. I have this C code that I have to exploit on a Linux system.
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv){
char buffer[500];
...
0 votes, 0 answers, 279 views
Buffer Overflow Detaching after fork from child process
I'm trying a basic buffer overflow attack which spawns a root shell. I am facing a problem with "dispatching after fork from child process **"
How do I get rid of this and spawn the root shell?
I'm ...
0 votes, 0 answers, 146 views
Finding the address of /bin/bash for buffer overflow attack
I am trying out ret-to-libc attacks and use the following piece of code to get the address of the environment variable /bin/bash:
#include <unistd.h>
int main(void)
{
printf("bash address: ...
0 votes, 0 answers, 135 views
Getting a large amount of data with traceview
I'm running some benchmarks and some of them overflow the traceview buffer; I'm already using the maximum buffer size that I can (400MB).
How can I get these data? (I need the whole benchmark to be traced, not ...
0 votes, 0 answers, 287 views
(Another) Return to Libc Attack: Won't Segfault or Return to Libc With Malicious Input. Works in GDB though
I'd like to learn how return to libc attacks work, so I have written a vulnerable program so that I can change the return address of a function to that of system(). However, the program doesn't appear ...
0 votes, 0 answers, 996 views
32-bit BEX runtime error in C++, works in 64-bit
I'm encountering a strange runtime error when running a program on 32-bit Windows (both XP and 7). This error does not occur on 64-bit Windows, nor does it occur on 32-bit when I am running it ...