A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
-4 votes, 1 answer, 50 views
Understanding Buffer Overflows
Buffer overflows.
I've been hearing & reading about them for quite some time now but I've never really understood them properly. So..
Buffer overflows...
What are they and how do they work?
...
1 vote, 1 answer, 36 views
Problems executing shellcode via nop-sled
My shellcode instructions are changing during execution. I'm not sure why.
Here is what my shellcode looks like:
=> 0xbffff0b3: nop
0xbffff0b4: nop
0xbffff0b5: xor eax,eax
...
1 vote, 0 answers, 15 views
Limited Buffer Size for shellcode on 64 bits machine
This question has bothered me for so long, and I hope someone can give me an answer for that.
I have a code snippet which has the classic strcpy vulnerability
int main(int argc, char *argv[]){
char ...
6 votes, 2 answers, 46 views
Is using separate stacks for return addresses and function arguments a viable security measure?
As far as I know, many exploits rely on overwriting the return address of the function they try to exploit. They do it by buffer overruns. But what if the compiler set up two separate stacks far from each ...
3 votes, 1 answer, 53 views
How did the Code Red worm work?
So I've been reading a bit about the Code Red worm, and I get the gist but the overflow string doesn't make sense to me.
From this site, it says that the overflow string the worm used was
...
15 votes, 4 answers, 1k views
Security Implications of Neglecting the Extra Byte for NULL Termination in C/C++ Arrays
Please Consider: English is my second language.
On the Security Now! podcast episode 518 (HORNET: A Fix for TOR?), at the 27:51 mark Steve Gibson quotes an example of vulnerable code in C/C++:
...
5 votes, 2 answers, 92 views
Is it possible to encode bytes in a buffer overflow exploit that bypass string functions?
Disclaimer: this exploit is purely for educational use. In this exploit I play the role of the victim and the software exploited is written by me alone.
I have a simple HTTP server that I want to ...
3 votes, 0 answers, 48 views
Metasploit pattern not working for buffer overflow for SLMail 5.5 [closed]
I'm trying to do a buffer overflow on SLMail 5.5. I see where EIP is when I send 2606 A's to the program using my script. However, I cannot get the Metasploit pattern creator to work. I want to use ...
0 votes, 0 answers, 36 views
Passing arrays to a function call (Buffer Overflow)
I need to execute a call to cat on a target file using a buffer overflow in a challenge app (can't execute on the stack, but can use libc). For reference, in C this is valid code for what I'm trying ...
2 votes, 2 answers, 72 views
How to overwrite ebp on stack alignment?
I want to exploit a simple program
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
char buf[128];
strcpy(buf, argv[1]);
return 0;
}
The disassembly ...
2 votes, 1 answer, 90 views
Removing null bytes from shell code
I am learning the basics of shell coding so that I can learn to exploit buffer overflows. The problem is, the example byte code that I wrote contains null bytes. Here is the example:
xor ...
4 votes, 1 answer, 78 views
Buffer Overflow due to wrong data type
I am reading the OWASP page on buffer overflow. It mentions:
buffer overflow can be prevented using higher-level programming languages that are strongly typed and
developer should validate input to ...
-1 votes, 3 answers, 134 views
How can I avoid buffer overflows when programming an Android app? [closed]
I'm just starting out in Android and I've gotten my head around general programming within Android, but I've recently started trying to research security within Android.
What coding practices would ...
0 votes, 0 answers, 95 views
Buffer overflow and register contents?
I am doing an exam practice question; suppose I have a function like:
void func(char* arg)
{
char buf[32];
strcpy(buf, arg);
}
command break func:
-buf begins at 0xbffebfb0
-(gdb) x/2wx ...
2 votes, 0 answers, 36 views
ESI and EDI Overflow [duplicate]
I tried fuzzing an application and ended up with my fuzz string in the EDI register, and my program stopped with an access violation when reading ESI. I checked the SEH, but it seems unaffected :( I am ...
1 vote, 1 answer, 75 views
Buffer Overflow with Big Endian architecture
Could anyone help to solve the following practice problem related to buffer overflow?
On this problem, I am confused about how the variables and addresses should be stored within the stack. Here ...
1 vote, 0 answers, 34 views
Having trouble reproducing PHP heap based buffer overflow in quoted_printable_encode [closed]
I am trying to follow the test script provided here. I've installed an apache web server with PHP version 5.3.25 and created a script with the following code:
<?php
// file: test.php
$str = ...
6 votes, 1 answer, 593 views
stack buffer overflow in the main function? [closed]
I am trying to exploit a stack based overflow vulnerability. All the examples I can find make use of a ret address though. The buffer overflow I found is inside the main function, and I cannot find ...
6 votes, 2 answers, 145 views
Modify C code with buffer overflow vulnerability to skip code
I'm trying to find a way to exploit the buffer overflow vulnerability in the following source code so the line, printf("x is 1") will be skipped:
#include <stdio.h>
#include <stdlib.h>
...
2 votes, 1 answer, 173 views
Why should canary values be chosen at runtime instead of compile time?
For buffer overflow attacks, my exam review says that there are drawbacks to choosing canary values at compile time vs runtime. Why would it be better to choose the canary value at runtime?
1 vote, 0 answers, 34 views
Can you get infected by viewing an image? [duplicate]
Let's say I have an image infected by some malware; I double-click it and that triggers the default program that handles images to open it for viewing. Will this also trigger the malware inside the ...
0 votes, 0 answers, 118 views
How does ASLR prevent return-to-libc / ROP and similar attacks?
I am trying to understand ASLR and how it is implemented. I understand it does not actually "prevent" buffer overflows etc. from happening; it will only make them more difficult. But I am not able to ...
5 votes, 2 answers, 230 views
How do compilers detect buffer overflow?
I just started researching about security at the systems level and challenges, especially with respect to low level languages such as C/C++ and Objective-C. I have understood buffer overflow and how ...
5 votes, 1 answer, 165 views
Return oriented programming without int 0x80
I have a program with a stack based buffer overflow. It is running PIE with ASLR and DEP, however there is a section of executable code that is at a fixed location.
However, this region does not ...
2 votes, 1 answer, 182 views
Exploiting heap overflow in gdb segfaults
I have been trying to exploit the heap overflow vulnerability for the program below; I am running Linux 14.04.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int n = 5;
...
0 votes, 1 answer, 60 views
Are return-to-libc attacks possible now?
I've read that to make a successful return-to-libc attack, the attacker should store the address of the command (for example "bin/sh") in the stack exactly after the return address to the 'system' function ...
1 vote, 0 answers, 90 views
ROP attack on x64, zero bytes trouble
I have found a ROP tutorial on x86. Now I try to exploit a simple buffer overflow case on x64:
int main(int argc, char **argv)
{
char buf[10];
strcpy(buf, argv[1]);
...
}
I figured out, ...
2 votes, 1 answer, 119 views
How to find stack pointer for overflow bug?
I've read that the stack usually starts at the same address, so the attacker may guess the starting point of the buffer to overflow. It is necessary to know this address to make the malicious code run. I ...
8 votes, 4 answers, 698 views
Evading IDS in exploit development
In the context of buffer overflow exploit development, I was asked:
Discuss how your exploit may be modified to evade an Intrusion Detection System.
I'm not asking for my homework to be done, but ...
1 vote, 1 answer, 59 views
Buffer Overflow and Segments
I know that by overwriting the return address in a vulnerable program we can change the offset of the next instruction and make it point to our injected buffer. But this buffer is in the stack segment and the ...
1 vote, 0 answers, 35 views
Unable to execute shellcode, which is placed on the stack [duplicate]
I am trying to execute the shellcode to spawn an "sh" shell.
I have taken the shellcode as a command line argument, copied it to the stack and tried to overwrite the return address of the main function with the ...
1 vote, 0 answers, 41 views
EIP getting changed in fgetc() Buffer Overflow Homework
Here is the gist of the code:
int main(){
char s1[64], s2[64];
int a = 0, b = 0;
FILE *fp1, *fp2;
char temp;
scanf("%s", s1);
scanf("%s", s2);
...
//some checks happen, fp1 is opened to ...
0 votes, 0 answers, 31 views
Constructing a tainted string for arc injection
I'm new to security and currently referring to Robert Seacord's Secure Coding in C and C++. In chapter 2 of the same, the author talks about arc injection, wherein he passes the flow of control in the ...
0 votes, 2 answers, 76 views
Does preventing buffer overflow attacks prevent ROP attacks?
Would preventing buffer overflow attacks prevent Return Oriented Programming (ROP) attacks?
7 votes, 2 answers, 523 views
Why are buffer overflows executed in the direction they are?
I'm following The Security Tube’s video here.
He overviews buffer overflows, and mentions how memory is executed from highest to lowest in the stack (at least with his implementation I assume). So we ...
1 vote, 1 answer, 58 views
Are Sun/Oracle's SPARC processors invulnerable to buffer overrun exploits?
We all use Intel architectures these days, in small part because Oracle has totally dropped the ball regarding SPARC CPU development. But with so many now saying that protection against viruses is ...
2 votes, 0 answers, 49 views
When is memory allocation/layout deterministic?
I'm trying to learn about buffer overflow attacks, both on the stack and on the heap. However, I'm confused about when it's possible to determine the address of the buffer.
The classic "Smashing the ...
3 votes, 2 answers, 279 views
Long character sequence in first string of HTTP GET request breaks the web service's HTTP response. Buffer overflow?
During my current security audit test I've stumbled on something I can't possibly comprehend. The behavior exhibits signs of a buffer overflow in the target or in some intermediate service (HTTP ...
0 votes, 1 answer, 83 views
Getting a DEP exception when trying to call SetProcessDEPException(false)
I'm demonstrating an exploit for an old app.
On Windows XP SP3 32bit (EN), the address of SetProcessDEPPolicy() is usually 0x7C8622A4. I have that version of Windows (in English as well) and I've ...
0 votes, 0 answers, 182 views
Stack buffer overflow: Is compiler changing variables order, preventing me to overwrite EIP properly?
I am learning about stack buffer overflow. A little info about my target: an x86 little-endian Intel-based computer, with a target compiled with the TCC compiler with no protections of any kind running on ...
0 votes, 0 answers, 34 views
Execute from environment variable while stack is not executable
A strange thing happened. I created EGG=NOPs + shellcode. Then I got the address of EGG.
I made a buffer overflow, jumped to it and got the shell (the address of the shell is the second parameter). How is this ...
1 vote, 3 answers, 781 views
How to gain root privilege after injecting code using a buffer overflow vulnerability?
Once the attacker finds an exploitable vulnerability in a user program, e.g., a buffer overflow, assume his goal is to gain root privilege and typical countermeasures are not present in the system ...
0 votes, 2 answers, 244 views
Are buffer overflows on websites stoppable?
Recently, I was at the bookstore checking out books on computers. I found an interesting book on various types of hacks and how to stop them on your servers.
One that caught my eye was the "buffer ...
1 vote, 1 answer, 315 views
Program exiting after executing int 0x80 instruction when running shellcode
In school I was given an assignment to perform a buffer overflow, which would execute some shellcode and open a new shell. After a bit of fiddling the buffer overflow succeeded, and when I ran the ...
10 votes, 1 answer, 1k views
Exploiting buffer overflow leads to segfault
I am trying to exploit a simple stack overflow vulnerability. I have some basic code in C:
#include <cstring>
int main( int argc, char** argv )
{
char buffer[500];
strcpy(buffer, ...
-3 votes, 1 answer, 114 views
Buffer overflow without using environment variables [closed]
I was trying to overflow buffers and I was wondering: is there any way to do a buffer overflow without using environment variables?
3 votes, 1 answer, 282 views
Bypass Full ASLR+DEP exploit mitigation
Let's assume that a vulnerable process is set up with ASLR and DEP against all the imported modules used in this process, and there is no way to find a module that is ASLR-free.
Moreover, the ...
0 votes, 1 answer, 338 views
In buffer overflow exploit, 0x20 (space character) not appearing in memory and is replaced by null
The situation:
I'm currently working on shellcode (I modified the assembly code from Project Shellcode) that runs "cmd.exe /c calc.exe". The shellcode itself works fine. However, when I use the ...
1 vote, 1 answer, 1k views
Buffer overflow - terminator canaries
I am reading an article on buffer overflow protection here.
For terminator canaries, I follow the part that if a terminator like a zero is used for a canary, the attacker would have a terminator in ...
3 votes, 3 answers, 557 views
C++ memset() memory overflow
I am new to C++.
Can any C++ expert tell me whether this would cause a buffer overflow?
Sample Code:
MyObject op;
memset(&op, 0, sizeof(MyObject));
In my view it is OK to be this since the limit is ...