A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
-1 votes, 0 answers, 26 views
Understanding and trying out buffer overflow attacks [on hold]
I came to read this article (It's a bit old) demonstrating stack based buffer overflow attack in an unpatched version of Windows XP Service Pack 1 (Later versions of Windows are reasonably secure to ...
5 votes, 1 answer, 46 views
Return oriented programming without int 0x80
I have a program with a stack based buffer overflow. It is running PIE with ASLR and DEP, however there is a section of executable code that is at a fixed location.
However, this region does not ...
2 votes, 1 answer, 58 views
Exploiting Heap Overflow in gdb segfaults
I have been trying to exploit the heap overflow vulnerability for the program below, I am running Linux 14.04.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int n = 5;
...
0 votes, 1 answer, 37 views
Are return-to-libc attacks possible now?
I've read that to make a successful return-to-libc attack, the attacker should store the address of the command (for example "bin/sh") in the stack exactly after the return address to the 'system' function ...
1 vote, 0 answers, 25 views
ROP attack on x64, zero bytes trouble
I have found a ROP tutorial on x86. Now I try to exploit a simple buffer overflow case on x64:
int main(int argc, char **argv)
{
char buf[10];
strcpy(buf, argv[1]);
...
}
I figured out, ...
2 votes, 1 answer, 51 views
How to find stack pointer for overflow bug?
I've read that stack usually starts in same address so the attacker may guess the starting point of the buffer to overflow. This is necessary to know this address to make the malicious code run. I ...
8 votes, 3 answers, 574 views
Evading IDS in exploit development
In the context of buffer overflow exploit development, I was asked:
Discuss how your exploit may be modified to evade an Intrusion Detection System.
I'm not asking for my homework to be done, but ...
1 vote, 1 answer, 32 views
Buffer Overflow and Segments
I know that by overwriting the return address in a vulnerable program we can change the offset of the next instruction and make it point to our injected buffer. But this buffer is in the stack segment and the ...
1 vote, 0 answers, 28 views
Unable to execute shellcode, which is placed on the stack [duplicate]
I am trying to execute the shellcode to spawn an "sh" shell.
I have taken the shellcode as a command line argument, copied it to the stack and tried to overwrite the return address of the main function with the ...
1 vote, 0 answers, 20 views
EIP getting changed in fgetc() Buffer Overflow Homework
Here is the gist of the code:
main(){
char s1[64], s2[64];
int a = 0, b = 0;
FILE *fp1, *fp2;
char temp;
scanf("%s", s1);
scanf("%s", s2);
...
//some checks happen, fp1 is opened to ...
0 votes, 0 answers, 15 views
Constructing a tainted string for arc injection
I'm new to security and currently referring to Robert Seacord's Secure Coding in C and C++. In chapter 2 of the same, the author talks about arc injection, wherein he passes the flow of control in the ...
0 votes, 2 answers, 47 views
Does preventing buffer overflow attacks prevent ROP attacks?
Would preventing buffer overflow attacks prevent Return Oriented Programming (ROP) attacks?
5 votes, 2 answers, 366 views
Why are buffer overflows executed in the direction they are?
I'm following The Security Tube’s video here.
He overviews buffer overflows, and mentions how memory is executed from highest to lowest in the stack (at least with his implementation I assume). So we ...
1 vote, 1 answer, 44 views
Are Sun/Oracle's SPARC processors invulnerable to buffer overrun exploits?
We all use Intel architectures these days, in small part because Oracle has totally dropped the ball regarding SPARC CPU development. But with so many now saying that protection against viruses is ...
2 votes, 0 answers, 38 views
When is memory allocation/layout deterministic?
I'm trying to learn about buffer overflow attacks, both on the stack and on the heap. However, I'm confused about when it's possible to determine the address of the buffer.
The classic "Smashing the ...
4 votes, 2 answers, 160 views
Long character sequence in first string of HTTP GET request breaks the web service's HTTP response. Buffer overflow?
During my current security audit test I've stumbled on something I can't possibly comprehend. The behavior exhibits signs of a buffer overflow in the target or in some intermediate service (HTTP ...
0 votes, 1 answer, 24 views
Getting a DEP exception when trying to call SetProcessDEPException(false)
I'm demonstrating an exploit for an old app.
On Windows XP SP3 32bit (EN), the address of SetProcessDEPPolicy() is usually 0x7C8622A4. I have that version of Windows (in English as well) and I've ...
0 votes, 0 answers, 125 views
Stack buffer overflow: Is compiler changing variables order, preventing me to overwrite EIP properly?
I am learning about stack buffer overflow. A little info about my target: A x86 little endian intel-based computer, with a target compiled with TCC Compiler with no protections of any kind running on ...
0 votes, 0 answers, 20 views
Execute from environment variable while stack is not executable
A strange thing happened. I created EGG=NOPs + shellcode. Then I got the address of EGG;
I made a buffer overflow and jumped to it and got the shell (the address of the shell is the second parameter). How is this ...
1 vote, 3 answers, 287 views
How to gain root privilege after injecting code using a buffer overflow vulnerability?
Once the attacker finds an exploitable vulnerability in a user program, e.g., buffer overflow. Assume his goal is to gain root privilege and typical countermeasures are not present in the system ...
0 votes, 2 answers, 124 views
Are buffer overflows on websites stoppable?
Recently, I was at the bookstore checking out books on computers. I found an interesting book on various types of hacks and how to stop them on your servers.
One that caught my eye was the "buffer ...
1 vote, 1 answer, 122 views
Program exiting after executing int 0x80 instruction when running shellcode
In school I was given an assignment to perform a buffer overflow, which would execute some shellcode and open a new shell. After a bit of fiddling the buffer overflow succeeded, and when I ran the ...
9 votes, 1 answer, 942 views
Exploiting buffer overflow leads to segfault
I am trying to exploit a simple stack overflow vulnerability. I have a basic code in C:
#include <cstring>
int main( int argc, char** argv )
{
char buffer[500];
strcpy(buffer, ...
-3 votes, 1 answer, 69 views
Buffer overflow without using environment variables [closed]
I was trying to overflow buffers and I was wondering,
Is there any way to do a buffer overflow without using environment variables?
3 votes, 1 answer, 116 views
Bypass Full ASLR+DEP exploit mitigation
Let's assume that a vulnerable process is set up with ASLR and DEP against all the imported modules used in this process and there is no way to find a module that is ASLR-free.
Moreover, the ...
0 votes, 1 answer, 198 views
In buffer overflow exploit, 0x20 (space character) not appearing in memory and is replaced by null
The situation:
I'm currently working on shellcode (I modified the assembly code from Project Shellcode) that runs "cmd.exe /c calc.exe". The shellcode itself works fine. However, when I use the ...
1 vote, 1 answer, 607 views
Buffer overflow - terminator canaries
I am reading an article on buffer overflow protection here.
For terminator canaries, I follow the part that if a terminator like a zero is used for a canary, the attacker would have a terminator in ...
3 votes, 3 answers, 278 views
C++ memset() memory overflow
I am new to C++.
Can any C++ expert tell me whether this would cause a buffer overflow?
Sample Code:
MyObject op;
memset(&op, 0, sizeof(MyObject));
In my view it is OK to be this since the limit is ...
2 votes, 1 answer, 79 views
Are stack buffer overflows even possible in this instance?
Let's say there is a C program that simply takes a string argv[1] and uses sprintf to copy it in a finite buffer. Classic stack buffer overflow. Let's even say the program is more complicated, ...
1 vote, 3 answers, 516 views
Drive-by download vs buffer and stack overflow attacks
Today malware is mainly spread thanks to vulnerabilities exploited in browsers and their plugins. The attackers use JavaScript to target those vulnerabilities. Two examples of such attacks are ...
0 votes, 1 answer, 135 views
Does glibc use canary checking to prevent heap buffer overflow?
Since a canary is used by gcc to prevent stack overflow (e.g. -fstack-protector), I am wondering whether glibc uses a canary-based approach to defend against heap buffer overflow? For example, this paper proposes ...
11 votes, 4 answers, 2k views
Adding 65K buffer to protect from buffer overflows?
If you had a very complex and important function in C that you wanted to protect, would it be worth it to put a 65K buffer at the top of the stack to protect from buffer overflows? You would put your ...
2 votes, 2 answers, 117 views
Possible to use buffer overflow on DLL-injected code?
Is it possible to apply buffer overflow on code that was injected using DLL injection?
For instance, if I inject a function foo() into the process, is it possible to call foo() using buffer overflow?
...
0 votes, 0 answers, 90 views
Is OpenSSL 0.9.8h affected by CVE-2014-0195?
I have spent time on finding out if OpenSSL 098h is affected by the CVE-2014-0195 ... but it seems I will have to understand the entire file d1_both.c to answer this question.
1) Preliminary look at ...
4 votes, 2 answers, 241 views
Heap canaries, to protect function pointers in heap objects
I'm wondering if anyone has previously proposed, evaluated, or deployed the following measure to harden systems against heap-based buffer overruns: basically, stack canaries, but applied before ...
1 vote, 2 answers, 262 views
Heap spray against 64-bit processes - possible?
Are heap spray exploits possible, if the process we're attacking is a 64-bit process?
Naively, it seems like the 64-bit address makes it difficult to mount a heap spray: to fill all (or a significant ...
4 votes, 1 answer, 176 views
Why are countermeasures against control-flow hijacking attacks mostly implemented in software?
I wonder why countermeasures against code-injection and control-flow hijacking attacks (e.g. stack-based buffer overflows and heap-based buffer overflows) are mostly implemented in software.
Examples ...
5 votes, 1 answer, 238 views
Information disclosure attack, using a heap overflow
A typical strategy for defeating ASLR is to find both a buffer overflow bug and an information disclosure bug. But when attacking servers that are automatically restarted whenever they crash/die, is ...
-2 votes, 1 answer, 158 views
Buffer Overflow Exploit Shellcode for Windows
Using a buffer overflow, I have been able to override return addresses. But the problem is that Windows addresses contain zeros at the beginning (e.g. 0x00401020). As a result, the objdump of any C ...
0 votes, 1 answer, 70 views
Library alternatives to gcc stack-protector / fortify source feature on Linux
Is there an external library/approach/whatever to add
canary protection (stack-protector equivalent)
extra buffer boundary checks (fortify source equivalent)
on a C software without using glibc / ...
2 votes, 1 answer, 93 views
Does ASLR protect against a buffer overflow within a struct?
Assume a simple struct:
struct test {
char variable[4];
char variable2;
}
If I write something like variable[4] = '\0' there is a buffer overflow which modifies variable2.
Does ASLR prevent ...
0 votes, 1 answer, 92 views
3 byte address of system call and exit call
I am trying to exploit a buffer overflow vulnerability in Ubuntu (kernel version 3.0.0-12 generic i686) by using the return-to-libc method, and the stack is not exploiting?
By while exploiting I ...
0 votes, 2 answers, 71 views
8 extra bytes in stack
I am new to buffer overflow and learning from the securitytube.net website, but in the 7th video I got stuck: Buffer Overflow Primer Part 7 (Exploiting A Program Demo)
In this when the value of egg is passed ...
0 votes, 0 answers, 126 views
Exploiting buffer overflow
When I download a copy of a vulnerable program and try to exploit it by buffer overflow (any internal function calling as a payload), it works.
However, when I made the same type of vulnerable program ...
1 vote, 1 answer, 88 views
Examples of software web clients (web browsers, IM clients, etc) written in “secure” / managed languages
After reading this article ("Everything is broken" by Quinn Norton) I was about to ask a question similar to this one (Why are security-crucial software written in unsafe languages?)... but actually I ...
1 vote, 1 answer, 239 views
Defend against Blind ROP
At IEEE Security & Privacy, the blind return-oriented programming attack (blind ROP) was just introduced. In some sense, this is just another variation on ROP attacks -- but the blind ROP attack ...
0 votes, 1 answer, 307 views
In return to libc how do you know the address of system() in a remote machine?
I have the following scenario:
a vulnerable program running in a server and can be accessed using netcat
I have a copy of that program locally and I can exploit it locally using ROP:
./vuln ...
2 votes, 1 answer, 165 views
What should you do if you cannot spawn a shell in a buffer overflow attack?
I have successfully exploited a program using ret2libc but I am running into a problem.
Whenever I feed system() with /bin/sh I have nothing in return; the program silently exits.
However, if I feed ...
-1 votes, 1 answer, 178 views
Stack-based buffer overflow the program is interpreting the shellcode on its own
I'm a beginner in exploits. So I typed a simple program in C
#include <stdio.h>
void func(){
printf("asd");
}
main(){
char buf[100];
scanf("%s", &buf);
}
My goal is to run the ...
2 votes, 2 answers, 143 views
Why is it so difficult to protect an application against buffer overflows?
For example, buffer overflow vulnerabilities in Flash are often discovered. Shouldn't a proper verification of all function parameters in Flash source code be enough to protect against buffer ...