A buffer overflow usually occurs when a program copies data into a buffer without checking that there is enough space, so the excess data overwrites adjacent memory.
3 votes · 0 answers · 132 views
Android MediaRecorder Sampling Rate and Noise
I have an issue using Android's MediaRecorder to record sound from microphone to .m4a files (AAC-LC, MPEG-4 container). Starting from API level 18, the default sampling rate drops from 44.1 or 48 kHz ...
3 votes · 0 answers · 576 views
Exploiting a string-based overflow on x86-64 with NX (DEP) and ASLR enabled
Consider the following vulnerable code/program:
#include <string.h>
int main(int argc, char *argv[]) {
    char buf[16];
    strcpy(buf, argv[1]);
    return 0;
}
On IA-32 (x86, 32-bit) ...
2 votes · 0 answers · 45 views
How to insert write-protected memory
My need is to dynamically analyse a C program for its buffer overflow condition. I'm doing my code in Python. For this I need to run the C program through Python, which is done by the subprocess module in ...
2 votes · 0 answers · 232 views
Possible buffer overflow bug in std::use_facet::out()
I think I have found a buffer overflow bug in the VC++10 std::locale object. I would be grateful for second opinions as to whether I am doing something wrong.
The code below is simplified to ...
2 votes · 0 answers · 223 views
Basic buffer overflow practice
I've been practicing some basic stack-based buffer overflow tasks recently, and I wrote a vulnerable program like this:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
...
1 vote · 0 answers · 51 views
Hex character converter converting to wrong char
I'm working on a buffer overflow attack and I have this code that converts a 0xXX input to the equivalent 1-byte ASCII char.
int main(int argc, char **argv) {
    char buffer[1024];
    while ...
1 vote · 0 answers · 35 views
Return-To-Libc Function Address Probing
I'm trying to implement a return-to-libc buffer overflow attack by finding the address of system() with gdb and returning to said address with /bin/sh passed as an argument to system() on the stack. ...
1 vote · 0 answers · 45 views
How to find the stack pointer for a buffer overflow bug?
I've read that the stack usually starts at the same address, so the attacker may guess the starting point of the buffer to overflow. It is necessary to know this address to make the malicious code run. I ...
1 vote · 0 answers · 42 views
PHP breaks string when bigger than 2^16
I'm currently struggling with a weird behaviour of PHP (at least it seems weird to me).
I've got this code (it matches all src and href attributes inside a buffered HTML page, which may be not yet ...
1 vote · 0 answers · 23 views
No bash shell generated from ExecV
I'm trying to learn about buffer overflows on my Ubuntu 12.04 32 bit machine by following along with the videos at http://www.securitytube.net/groups?operation=view&groupId=4 . Currently, I'm on ...
1 vote · 0 answers · 92 views
Difference between buffer overflow attack on 64 vs 32 bit system
I have scripts in both C and Perl. The C code is:
#pragma check_stack(off)
#include <string.h>
#include <stdio.h>
void good_fn() {
    printf("GOOD CODE \n");
}
void mlc_fn() {
...
1 vote · 0 answers · 147 views
How to buffer overflow the 'gets' method in Ruby?
I wrote a client that gets input from the keyboard and stores it in a variable, like so:
x = gets
In C, normally memory is allocated for standard input and thus I can easily overflow the buffer ...
1 vote · 0 answers · 34 views
Why is gcc allocating more space to a char buffer?
I am kind of confused by the latest version of gcc. A simple piece of code is compiled:
#include <stdio.h>
int main()
{
    char buffer[1];
    scanf("%s", buffer);
    printf("You Entered %s\n", buffer);
    return 0;
...
1 vote · 0 answers · 22 views
Non-printable characters in memory
In the Heartbleed exploit, I basically get a lot of weird (non-printable) characters from the server.
Can somebody tell me, when I read a continuous memory segment, how to interpret those non-printable ...
1 vote · 0 answers · 34 views
Extended ASCII to ASCII conversion in C
We want to simulate a buffer overflow attack by sending a payload in the HTTP header.
We have the correct length of the payload which just overwrites the return address of the ...
1 vote · 0 answers · 40 views
Buffer overflow working with no breakpoints set, but not with a breakpoint set
I am developing a stack-based buffer overflow for a class. The entire payload is delivered through an environment variable due to the nature of the application. This environment variable is set before ...
1 vote · 0 answers · 86 views
How can I buffer overflow 64-bit applications?
Firstly I'd like to say that I've looked online and have yet to find anything of value. I have here a very VERY simple, standard BOF file to attack. I've compiled it in 64 bit mode:
#include ...
1 vote · 0 answers · 377 views
Problems exploiting a buffer overflow
Some days ago I wrote a simple program to test a buffer overflow exploitation on an x86 system. In order to keep it simple I disabled ASLR and NX, so there is no protection that could cause weird ...
1 vote · 0 answers · 122 views
Buffer overflow when launching program with system()
I'm currently using UNIX sockets to communicate between my C++ program and Webots (a robotic simulator). However, I've noticed that after some time (1~2 hours), Webots unexpectedly shuts down, without ...
1 vote · 0 answers · 182 views
Cleaning up stack in Buffer Overflow
I am performing a buffer overflow for educational purposes only. I have a function called that uses gets to receive input from the terminal. I want to force this function to return a specific value ...
1 vote · 0 answers · 78 views
Generating AlephOne-style visualizations of the stack?
In the widely-read "Smashing The Stack For Fun And Profit" tutorial, Aleph One presents C code examples like this:
void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
}
...
1 vote · 0 answers · 246 views
Overwriting saved eip to point to stdin?
A student in my class came up with a technique for exploiting buffer overflows that I have never seen before. (Frankly, I am surprised that it works.) I am curious if (1) anyone has seen a reference ...
1 vote · 0 answers · 1k views
BEX error on Windows Web Server 2008 R2 x64
I have built an application that causes a buffer overflow exception with the following signature on Windows Web Server 2008 R2 x64:
    Problem signature:
    Problem Event Name: BEX
...
1 vote · 0 answers · 174 views
.NET - Buffer overflow
I have a .NET application that is crashing a couple of times a day in our production environment. I'm running Process Monitor on an affected PC and it's reporting buffer overflows in the following location ...
1 vote · 0 answers · 2k views
Android SDK installation error - "no buffer space available (maximum connections reached?): recv failed"
I am trying to get my environment set up to develop an Android app, so I downloaded the SDK (http://developer.android.com/sdk/installing.html).
After unpacking the files and running the SDK Setup.exe, ...
0 votes · 0 answers · 45 views
Segmentation fault when exploit string overwrites the return pointer with the starting address on stack
I'm doing the csapp buflab level 2. In this assignment I'm asked to input an exploit string using getbuf(). Mine looks like:
    08048fe0 <getbuf>:
    8048fe0: 55 push ...
0 votes · 0 answers · 27 views
Buffer overflow and dmesg on 64-bit machines
I wrote a very simple program which has a buffer overflow vulnerability which I want to exploit. The program is the following:
#include <stdio.h>
void
foo(char *asd) {
    char b[2];
    ...
0 votes · 0 answers · 29 views
Vertex buffer overflow error when performing card flip animation
I am receiving some strange bug reports from my app.
The stack trace looks like this:
From users' emails, the app crashes when trying to perform a card flip animation.
Only affected devices are Nexus ...
0 votes · 0 answers · 15 views
Buffer overflow EDI overwritten. Now what?
I tried fuzzing an application and ended up with my fuzz string in the EDI register, and my program stopped with an access violation when reading ESI. I checked the SEH, but it seems unaffected :( I am ...
0 votes · 0 answers · 12 views
Buffer Overflow with Big Endian architecture
Could anyone help to solve the following practice problem related to buffer overflow?
On this problem, I am confused about how the variables and addresses should be stored within the stack. Here ...
0 votes · 0 answers · 23 views
Find out the address of shellcode placed on the stack dynamically
I am using shellcode to spawn a shell. I am curious to find out the starting address of the shellcode dynamically, which is placed on the stack, and not hard-code the address in the shellcode.
Kindly share your ...
0 votes · 0 answers · 56 views
Writing a buffer overflow exploit
I understand there are quite a few tutorials on how to write a buffer overflow, but still can't write my own.
The following is the C code I want to hack:
#include <stdio.h>
#include ...
0 votes · 0 answers · 64 views
Why does variable 'pass' change its value after a stack buffer overflow?
I can't understand what's happening with buf1 and pass in main(). I understand that after the buffer overflow in gets(buf1):
Firstly (by inputting more than 15 characters), we are actually changing calling ...
0 votes · 0 answers · 68 views
Creating buffer overflow in C (seg fault)
Since our security course doesn't have a lab, I'm trying to solve the Seed project's lab.
http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Software/Buffer_Overflow/Buffer_Overflow.pdf
But there seems ...
0 votes · 0 answers · 38 views
Is address randomization dependent on the OS or the compiler?
With ASLR enabled, after compiling a program with gcc, every time the program starts its stack pointer changes. But this does not happen to a similar program coded in assembly and compiled with 'as' ...
0 votes · 0 answers · 72 views
Why is eip not being overwritten with the shellcode I am overflowing with?
So I am having to do a buffer overflow for an assignment and I feel like I am very close. I must note that my teacher has set up a VM for us to use in which if we are able to get shellcode into the ...
0 votes · 0 answers · 31 views
Constructing a tainted string for arc injection
I'm new to security and currently referring to Robert Seacord's Secure Coding in C and C++. In chapter 2 of the same, the author talks about arc injection, wherein he passes the flow of control in the ...
0 votes · 0 answers · 23 views
Can I do a buffer overflow attack on my iOS application (under test), on an iPhone 5 which is not jailbroken?
I need to find vulnerabilities related to buffer overflow in my iOS app. I have a basic understanding of what a buffer overflow is, but I don't know about any tools/techniques to find bugs in my iOS ...
0 votes · 0 answers · 104 views
fgets() not waiting for input with no stdin overflow?
It's probably something simple, but after a few hours of googling and debugging I cannot figure it out. Basically I want to get user input, then another function validates the input ...
0 votes · 0 answers · 103 views
Exploit works in gdb but not on the command line
I've been going through "Hacking: The Art of Exploitation" and following the examples. On page 145, the author demonstrates how to exploit the notesearch.c program with shellcode stored in an ...
0 votes · 0 answers · 34 views
-z noexecstack doesn't prevent shell from executing
I'm doing a classic buffer overflow attack exercise, in which I place a shellcode that executes when the overflow occurs.
I was asked to check what happens when I compile the vulnerable program usin ...
0 votes · 0 answers · 27 views
Buffer overflow to point the stack pointer to a specific location
I am trying to do a buffer overflow attack.
I have disabled address space layout randomization (ASLR) using the command:
    sudo sysctl -w kernel.randomize_va_space=0
Instead of crashing the program I want ...
0 votes · 0 answers · 31 views
-fno-stack-protector disassembly
I am trying to understand the difference in assembly between using -fno-stack-protector and not, but I cannot figure out what the canary value being used is.
My function opens like this:
    push %rbp ...
0 votes · 0 answers · 85 views
C: execute shellcode in data segment (Fedora 32-bit)
I am trying to execute the below program
// testsc.c
char shellcode[] =
    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    ...
0 votes · 0 answers · 60 views
How to buffer overflow on netcat
I am having a huge difficulty understanding how exactly to buffer overflow on netcat. I have successfully buffer overflowed on my own machine with NOPS and shell addresses and played around with the ...
0 votes · 0 answers · 52 views
Why did Nano just mangle my code?
Using VM VirtualBox I'm running a copy of 32-bit Linux which is itself running a VM for an ARM environment. This entire setup is needed to have an environment that lets me do buffer overflows for a ...
0 votes · 0 answers · 65 views
Format String for Bufbomb Sparkler - Format String Vulnerability
As part of the Sparkler, I am trying to call fizz and modify the value of the argument with that of my cookie. I am first trying to overwrite the return address byte by byte and then writing to $ebp+4 ...
0 votes · 0 answers · 111 views
unknown pseudo-op: `.globl_start'
I have some assembly code written for 32-bit machines but I need to run that on x86-64 bit architecture. Please suggest ways to achieve this.
I'm compiling using certain flags in the following ...
0 votes · 0 answers · 17 views
Does the address of particular variable vary in stack over consecutive executions of a C program?
[Assuming that stack randomization is off.]
For example, assume the address of a variable 'name' is 0x7fffffffe070.
I observe that sometimes, the memory address is the same even if I execute the C ...
0 votes · 0 answers · 57 views
PHP function fuzzing doubts and crash monitoring through Python?
I'm writing a Python fuzzer to fuzz some specific PHP functions. But I have both doubts and problems. Generally speaking, the fuzzer works as follows: it generates some payloads and then invokes the ...