A buffer overflow usually occurs when data is copied into a buffer without checking that the buffer has sufficient space, so the excess data overwrites adjacent memory.
3 votes, 0 answers, 499 views
Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled
Consider the following vulnerable code/program:
#include <string.h>

int main(int argc, char *argv[]) {
    char buf[16];
    strcpy(buf, argv[1]);
    return 0;
}
On IA-32 (x86, 32-bit) ...
2 votes, 0 answers, 42 views
how to insert write protected memory
My need is to dynamically analyse a C program for its buffer overflow condition. I'm doing my code in Python. For this I need to run the C program through Python, which is done by the subprocess module in ...
2 votes, 0 answers, 91 views
modify the return address to shellcode
I have two C programs. One is shellcode and the other a vulnerable program.
I want to change the return address without buffering the vulnerable program.
like for example:-
__asm__("movl $shellcode, ...
2 votes, 0 answers, 212 views
Possible buffer overflow bug in std::use_facet::out()
I think I have found a buffer overflow bug in the VC++10 std::locale object. I would be grateful for second opinions as to whether I am doing something wrong.
The code below is simplified to ...
2 votes, 0 answers, 222 views
Basic buffer overflow practice
I've been practicing some basic stack-based buffer overflow tasks recently
and I wrote a vulnerable program like this:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
...
1 vote, 0 answers, 38 views
PHP breaks string when bigger than 2^16
I'm currently struggling with a weird behaviour of PHP (at least it seems weird to me).
I've got this code (it matches all src and href attributes inside a buffered HTML page, which may be not yet ...
1 vote, 0 answers, 15 views
No bash shell generated from ExecV
I'm trying to learn about buffer overflows on my Ubuntu 12.04 32 bit machine by following along with the videos at http://www.securitytube.net/groups?operation=view&groupId=4 . Currently, I'm on ...
1 vote, 0 answers, 70 views
Rewriting ret address when leaving a function
I'm trying to rewrite the ret address of function foo() to skip the first instruction after leaving function foo(). I'm following Smash stack for fun or profit and Hacking by Jon Erickson. Here is simple ...
1 vote, 0 answers, 83 views
Difference between buffer overflow attack on 64 vs 32 bit system
I have both scripts in both C and Perl. The C code is:
#pragma check_stack(off)
#include <string.h>
#include <stdio.h>

void good_fn(){
    printf("GOOD CODE \n");
}

void mlc_fn(){
...
1 vote, 0 answers, 106 views
How to buffer overflow the 'gets' method in Ruby?
I wrote a client that gets input from the keyboard and stores it in a variable, like so:
x = gets
In C, normally memory is allocated for standard input and thus I can easily overflow the buffer ...
1 vote, 0 answers, 31 views
why is gcc allocating more space to char buffer
I am kind of confused by the latest version of gcc. A simple piece of code is compiled:
int main()
{
    char buffer[1];
    scanf("%s",buffer);
    printf("You Entered %s\n", buffer );
    return 0;
...
1 vote, 0 answers, 19 views
non printable characters in memory
In the Heartbleed exploit, I basically get a lot of weird (non-printable) characters from the server.
Can somebody tell me, when I read a continuous memory segment, how to interpret those non-printable ...
1 vote, 0 answers, 30 views
extended ASCII to ASCII conversion in C
We want to simulate a buffer overflow attack by sending a payload in the HTTP header.
We have the correct length of the payload, which just overwrites the return address of the ...
1 vote, 0 answers, 32 views
Buffer overflow working with no breakpoints set, but not with a breakpoint set
I am developing a stack-based buffer overflow for a class. The entire payload is delivered through an environment variable due to the nature of the application. This environment variable is set before ...
1 vote, 0 answers, 79 views
How can I Buffer Overflow 64 Bit Applications?
Firstly I'd like to say that I've looked online and have yet to find anything of value. I have here a very VERY simple, standard BOF file to attack. I've compiled it in 64 bit mode:
#include ...
1 vote, 0 answers, 122 views
Buffer overflow when launching program with system()
I'm currently using UNIX sockets to communicate between my C++ program and Webots (a robotic simulator). However, I've noticed that after some time (1~2 hours), Webots unexpectedly shuts down, without ...
1 vote, 0 answers, 177 views
Cleaning up stack in Buffer Overflow
I am performing a buffer overflow for educational purposes only. I have a function called that uses gets to receive input from the terminal. I want to force this function to return a specific value ...
1 vote, 0 answers, 77 views
Generating AlephOne-style visualizations of the stack?
In the widely-read "Smashing The Stack For Fun And Profit" tutorial, Aleph One presents C code examples like this:
void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
}
...
1 vote, 0 answers, 237 views
Overwriting saved eip to point to stdin?
A student in my class came up with a technique for exploiting buffer overflows that I have never seen before. (Frankly, I am surprised that it works.) I am curious if (1) anyone has seen a reference ...
1 vote, 0 answers, 1k views
BEX error on Windows Web Server 2008 R2 x64
I have built an application that causes a buffer overflow exception with the following signature on Windows Web Server 2008 R2 x64
Problem signature:
Problem Event Name: BEX
...
1 vote, 0 answers, 171 views
.NET - Buffer overflow
I've a .NET application that is crashing a couple of times a day in our production env. I'm running Process Monitor on an affected PC and it's reporting buffer overflows in the following location ...
1 vote, 0 answers, 2k views
Android SDK installation error - "no buffer space available (maximum connections reached?): recv failed
I am trying to get my environment set up to develop an Android app, so I downloaded the SDK (http://developer.android.com/sdk/installing.html).
After unpacking the files and running the SDK Setup.exe, ...
0 votes, 0 answers, 28 views
Why is eip not being overwritten with the shellcode I am overflowing with?
So I am having to do a buffer overflow for an assignment and I feel like I am very close. I must note that my teacher has set up a VM for us to use in which if we are able to get shellcode into the ...
0 votes, 0 answers, 22 views
Constructing a tainted string for arc injection
I'm new to security and currently referring to Robert Seacord's Secure Coding in C and C++. In chapter 2 of the same, the author talks about arc injection, wherein he passes the flow of control in the ...
0 votes, 0 answers, 19 views
Can I do a buffer overflow attack on my iOS application (under test), on an iPhone 5 which is not jailbroken?
I need to find vulnerabilities related to buffer overflow in my iOS app. I have a basic understanding of what a buffer overflow is, but I don't know about any tools/techniques to find bugs in my iOS ...
0 votes, 0 answers, 42 views
fgets() not waiting for input with no stdin overflow?
It's probably something simple, but after a few hours of googling and debugging I cannot figure it out. Basically I want to get user input, then another function validates the input ...
0 votes, 0 answers, 63 views
Exploit works in gdb but not on the command line
I've been going through "Hacking: The Art of Exploitation" and following the examples. On page 145, the author demonstrates how to exploit the notesearch.c program with shellcode stored in an ...
0 votes, 0 answers, 21 views
-z noexecstack doesn't prevent shell from executing
I'm doing a classic buffer overflow attack exercise, in which I place a shellcode that executes when the overflow occurs.
I was asked to check what happens when I compile the vulnerable program usin ...
0 votes, 0 answers, 23 views
buffer overflow to point stack pointer to specific location
I am trying to do buffer overflow attack.
I have disabled address space layout randomization (ASLR) using command:
sudo sysctl -w kernel.randomize_va_space=0
Instead of crashing the program I want ...
0 votes, 0 answers, 19 views
-fno-stack-protector disassembly
I am trying to understand the difference in assembly between using -fno-stack-protector and not, but I cannot figure out what the canary value being used is.
My function opens like this
push %rbp ...
0 votes, 0 answers, 58 views
C: execute shellcode in data segment (Fedora 32 bit)
I am trying to execute the below program
//testsc.c
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
...
0 votes, 0 answers, 39 views
how to buffer overflow on netcat
I am having a huge difficulty understanding how exactly to buffer overflow on netcat. I have successfully buffer overflowed on my own machine with NOPS and shell addresses and played around with the ...
0 votes, 0 answers, 75 views
change the return address to point to shellcode
I'm using Linux and I have a C program. I would like to change the return address to point to my shellcode, but I'm unable to do it.
Here is my shellcode
...
0 votes, 0 answers, 48 views
Why did Nano just mangle my code?
Using VM VirtualBox I'm running a copy of 32bit Linux which is itself running a VM for an ARM environment. This entire setup is needed to have an environment that lets me do buffer overflows for a ...
0 votes, 0 answers, 59 views
Format String for Bufbomb Sparkler - Format String Vulnerability
As part of the Sparkler, I am trying to call fizz and modify the value of the argument with that of my cookie. I am first trying to overwrite the return address byte by byte and then writing to $ebp+4 ...
0 votes, 0 answers, 59 views
unknown pseudo-op: `.globl_start'
I have some assembly code written for 32-bit machines but I need to run that on x86-64 bit architecture. Please suggest ways to achieve this.
I'm compiling using certain flags in the following ...
0 votes, 0 answers, 13 views
Does the address of particular variable vary in stack over consecutive executions of a C program?
[Assuming that stack randomization is off.]
For example, assume the address of a variable 'name' is 0x7fffffffe070.
I observe that sometimes, the memory address is the same even if I execute the C ...
0 votes, 0 answers, 40 views
PHP function fuzzing doubts and crash monitoring through Python?
I'm writing a Python fuzzer to fuzz some specific php functions. But i have both doubts and problems. Generally speaking the fuzzer works as follows: it generates some payloads and then invokes the ...
0 votes, 0 answers, 227 views
Kryonet: How to serialize HashMap<String, byte[]>
I've been having this issue.
Exception in thread "Server" com.esotericsoftware.kryo.KryoException: java.nio.BufferOverflowException
Serialization trace:
worldByteMap ...
0 votes, 0 answers, 80 views
How to beat NX stack + ASLR
I'm trying to write an exploit for a program that has a buffer overflow. This program was compiled with a non-executable stack and it randomizes its stack addresses. Also, it contains a null byte on ...
0 votes, 0 answers, 31 views
getservbyname crashes with long service name
I've found out that if you pass a long string to the getservbyname function, it crashes on both Windows and Linux.
I'm trying to see what the maximum length of the name can be.
This is my code.
int ...
0 votes, 0 answers, 50 views
Packet/buffer overflow
Today I've got a problem with a packet or buffer overflow. Some hackers are attacking my server by sending too many packets. At first the program they attack starts to lag and it doesn't ...
0 votes, 0 answers, 115 views
Why do I still get stack cookie exception although I disabled /GS flag in VS11 when compiling? Scenario: buffer overflow tutorial test
Recently I have tried to test a tutorial application demonstrating buffer overflows, written in C. I used the Visual Studio 2012 toolchain to compile and link the sources, and made sure the ...
0 votes, 0 answers, 19 views
List of programming languages in which a buffer overflow is possible
I wonder which programming languages have no defined standard for buffer overflow checking?
For example:
C and C++ by default do not check for out-of-bounds indexes; solution: use the C++ STL
...
0 votes, 0 answers, 78 views
What would an instruction in assembly (x86) be that could cause a buffer overflow?
I'm trying to get my head around buffers / buffer overflows in assembly language. I understand that if a buffer is created and the data being put into it is larger than the buffer, it will overflow.
...
0 votes, 0 answers, 103 views
Buffer Overflow: Format String
Which input string should an attacker enter to get exactly the content of pw?
void func(char *in)
{
    char *pw = "53cr37p455";
    printf(in);
}

void func2(void)
{
    printf("Dummy string.\n");
}
...
0 votes, 0 answers, 225 views
How to Write in Arbitrary Memory Addresses
Regarding the topic "Writing to Arbitrary Memory Addresses" from "Hacking: The Art of Exploitation".
When I try to change the value of test_val, the value of test_val doesn't change. Anyone could ...
0 votes, 0 answers, 325 views
Problems exploiting a buffer overflow
Some days ago I wrote some simple code to test a buffer overflow exploitation on an x86 system. In order to keep it simple I disabled ASLR and NX, so there is no protection that could cause weird ...
0 votes, 0 answers, 292 views
Buffer Overflow exploit
#include <stdio.h>
#include <stdlib.h>
#define TABLELEN 7

int table[] = {2, 3, 5, 7, 11, 13, 17};

void loadTable(int *hashtable) {
    int i;
    for (i = 0; i < TABLELEN; i++) {
...
0 votes, 0 answers, 232 views
how does SEH based exploit bypass DEP and ASLR?
I am new to SEH based exploits.
Why don't we put our return address directly in the SE handler to jump to our shellcode? (with no SafeSEH)
Can anybody explain the reason for using pop pop ret?
I read ...