A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
1 vote, 0 answers, 10 views
How do self-contained executable program exploits work, when considering virtual memory?
My understanding of virtual memory is that the operating system allows each process to have access to the entire pool of memory, and creates this illusion by paging.
As a consequence, a program can ...
0 votes, 0 answers, 29 views
Can I use process crash information to detect buffer overflow attacks?
Buffer overflow is a very common vulnerability, often targeted with zero-day exploits. Successful attacks often result in arbitrary code execution, while failed attempts tend to crash the target ...
4 votes, 0 answers, 53 views
C program - exploit program (after seg fault)
The program below takes three parameters: the base to convert from, the base to convert to, and the number to convert in binary.
As part of learning security, I am trying to buffer overflow this program. I ...
2 votes, 1 answer, 82 views
Is my understanding of buffer overflows correct?
I am new to pentesting and wondering if my current understanding of buffer overflow exploits is correct. Assuming an operating address space of 3 addresses, an instruction space of 2 addresses, and an ...
2 votes, 2 answers, 80 views
Why can't I overwrite the stack frame?
I'm currently reading Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition and I have a question with an exercise in the book. The lab "Lab 10 - 1 Overflow of meet.c" is a lab in which we ...
119 votes, 7 answers, 17k views
Why are programs written in C and C++ so frequently vulnerable to overflow attacks?
When I look at the exploits from the past few years related to implementations, I see that quite a lot of them are from C or C++, and a lot of them are overflow attacks.
Heartbleed was a buffer ...
4 votes, 0 answers, 65 views
Buffer overflow vulnerability [migrated]
The following program:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int check_authentication(char *password)
{
    int auth_flag = 0;
    char password_buffer[16];
    ...
3 votes, 1 answer, 78 views
return-to-libc attack
I was trying to attempt a return-to-libc buffer overflow attack for my Computer Software Security assignment. As far as my understanding goes, we can do these kinds of attacks regardless of stack ...
6 votes, 1 answer, 71 views
using cat to overcome 'Stack smash detected'
I'm now trying a buffer overflow exercise from the site http://pwnable.kr
I found the string that should be entered to the gets function but got "Stack Smash Detected", then I found a solution in
...
0 votes, 0 answers, 29 views
Put shellcode in writable sections -> .bss & .data
So, I have the following issue. Let's say I have a simple vulnerable program, such as this one:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void vuln_function(char *);
...
4 votes, 3 answers, 108 views
Strange address change during Buffer Overflow
I was testing out a buffer overflow and the following strange thing happened:
The return address is at 0xbffff7bc which I discovered from testing. I replaced it with the value I wanted 0xbffff636.
...
3 votes, 1 answer, 48 views
Will Intel's MPX extension make C/C++ completely safe to use?
This is apparently an extension that will eliminate buffer overflow and format string vulnerabilities in C/C++ programs, I would guess by providing hardware support for, e.g. converting scanf to fgets ...
3 votes, 0 answers, 46 views
ASCII Armoring in a little endian system
With regard to the question: How does ASCII-Armoring help to prevent buffer-overflow attacks?:
How does the armored region prevent the attack?
If the most significant byte of the return address is 0x00 ...
2 votes, 1 answer, 71 views
Buffer overflow exploit works with gdb but not without
I am learning about buffer overflows and I’m developing my very first exploit.
There is a server process that listens to a socket and forks a new process for each client. The child process has a ...
4 votes, 5 answers, 205 views
What are attackers trying to achieve when doing attacks on local programs such as buffer overflows?
In attacks on programs, such as stack buffer overflows, what is the objective of the attacker? I’m having trouble learning the technical details of the attack (such as overwriting the function’s ...
1 vote, 1 answer, 69 views
Arduino buffer overflow and arbitrary code execution
Is it possible to overflow a buffer on an Arduino Uno R3 ? The following code is vulnerable on modern computers:
#include <stdio.h>
#include <string.h>
int main(void)
{
    char buff[15];
    ...
0 votes, 1 answer, 72 views
Shellcode to buffer overflow not working linux m32
What my purposely insecure program does is to check if a username matches a specific string by copying user input into a buffer and comparing it.
I have compiled the program
cc -o real real.c -g ...
3 votes, 3 answers, 82 views
Preventing buffer overruns when performance is no concern
Anti-exploitation technologies (DEP, ASLR, stack protector, etc.) do not provide complete protection. One reason for this is performance; these technologies are designed to work with a low performance ...
0 votes, 0 answers, 62 views
Buffer overflow, unable to overwrite return address
I can't write over return address completely and I don't know why.
Here is gdb when I put 30 'A's:
Stopped reason: SIGSEGV 0x00000a4141414141 in ?? ()
It overwrites RIP but not completely, so I ...
-1 votes, 1 answer, 88 views
How to execute /bin/sh at stdout
Below is objdump output of a C program (source code at bottom of this post) where I am doing buffer overflow to overwrite the group offset table (GOT) entry:
-$ objdump -R ./vuln
./vuln: file ...
1 vote, 0 answers, 67 views
Address of DLL changes in Win XP SP3: CoreLan Exploit writing Tutorial part 1
I was following the CoreLan Exploit writing Tutorial Part 1.
OS used: Windows XP SP3
I tried to use “C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll” for the instruction “jmp esp” [ff e4] ...
5 votes, 3 answers, 164 views
How to mitigate Heartbleed-like attacks prior to zero day
Whenever sensitive data such as a password is used on a server it resides in memory for a short time. Given that security flaws like heartbleed exist which have the ability to 'bleed' memory for their ...
3 votes, 2 answers, 165 views
Problems with overflowing the return address on stack x86_64
Note: before compiling the program I disabled ASLR via:
$ sudo -i
root@laptop:~# echo "0" > /proc/sys/kernel/randomize_va_space
root@laptop:~# exit
logout
I then compiled the program via:
...
2 votes, 1 answer, 185 views
How can a buffer underflow lead to remote code execution on 64-bit?
I have the following summarized pseudocode in C89 from an SSH server library that provides only access to things like git-shell (/bin/bash is replaced with the program to run, so it's not possible to ...
5 votes, 2 answers, 231 views
Can Silicon Secured Memory prevent buffer overruns?
Oracle have recently announced the new SPARC M7 chip. It has an interesting feature called Silicon Secured Memory which claims to prevent memory corruption bugs like Heartbleed and Venom.
The idea is ...
4 votes, 1 answer, 112 views
Never heard of compiler vulnerabilities when compiling?
Does there exist any real source code that exploits a compiler vulnerability? I mean code that during compilation causes a buffer overflow in the compiler resulting in execution of arbitrary code.
...
1 vote, 1 answer, 38 views
Possible threats on the memory buffer
If an adversary could identify a buffer's capacity, what would be the possible consequences?
8 votes, 2 answers, 250 views
Compiling a buffer overflow example in modern Linux?
I'm trying to compile a simple buffer overflow example on a Debian i386 VM. The executable builds ok, but EIP does not get overwritten correctly despite being supplied a sufficiently large input to ...
2 votes, 1 answer, 81 views
Problems executing shellcode via nop-sled
My shellcode instructions are changing during execution. I'm not sure why.
Here is what my shellcode looks like:
=> 0xbffff0b3: nop
0xbffff0b4: nop
0xbffff0b5: xor eax,eax
...
3 votes, 0 answers, 55 views
Limited Buffer Size for shellcode on 64 bits machine
This question has bothered me for so long and I hope someone can give me an answer to it.
I have a code snippet which has the classic strcpy vulnerability:
int main(int argc, char *argv[]) {
char ...
9 votes, 2 answers, 106 views
Is using separate stacks for return addresses and function arguments a viable security measure?
As far as I know, many exploits rely on overwriting return address of the function they try to exploit. They do it by buffer overruns. But what if the compiler set up two separate stacks far from each ...
4 votes, 1 answer, 95 views
How did the Code Red worm work?
So I've been reading a bit about the Code Red worm, and I get the gist but the overflow string doesn't make sense to me.
From this site, it says that the overflow string the worm used was
...
19 votes, 4 answers, 2k views
Security Implications of Neglecting the Extra Byte for NULL Termination in C/C++ Arrays
Please Consider: English is my second language.
On the Security Now! podcast episode 518 (HORNET: A Fix for TOR?), at the 27:51 mark Steve Gibson quotes an example of vulnerable code in C/C++:
...
7 votes, 2 answers, 234 views
Is it possible to encode bytes in an buffer overflow exploit that bypass string functions?
Disclaimer: this exploit is purely for educational use. In this exploit I play the role of the victim and the software exploited is written by me alone.
I have a simple HTTP server that I want to ...
3 votes, 0 answers, 109 views
Metasploit pattern not working for buffer overflow for SLMail 5.5 [closed]
I'm trying to do a buffer overflow on SLMail 5.5. I see where EIP is when I send 2606 A's to the program using my script. However, I cannot get the Metasploit pattern creator to work. I want to use ...
1 vote, 0 answers, 51 views
Passing arrays to a function call (Buffer Overflow)
I need to execute a call to cat on a target file using a buffer overflow in a challenge app (can't execute on the stack, but can use libc). For reference, in C this is valid code for what I'm trying ...
3 votes, 2 answers, 158 views
How to overwrite ebp on stack alignment?
I want to exploit a simple program
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
    char buf[128];
    strcpy(buf, argv[1]);
    return 0;
}
The disassembly ...
3 votes, 1 answer, 319 views
Removing null bytes from shell code
I am learning the basics of shell coding so that I can learn to exploit buffer overflows. The problem is, the example byte code that I wrote contains null bytes. Here is the example:
xor ...
5 votes, 1 answer, 89 views
Buffer Overflow due to wrong data type
I am reading the OWASP page on buffer overflow. It mentions:
buffer overflow can be prevented using higher-level programming languages that are strongly typed and
developer should validate input to ...
0 votes, 3 answers, 359 views
How can I avoid buffer overflows when programming an Android app? [closed]
I'm just starting out in Android and I've gotten my head around general programming within Android, but I've recently started trying to research security within Android.
What coding practices would ...
1 vote, 0 answers, 118 views
Buffer overflow and register contents?
I am doing an exam practice question; suppose I have a function like:
void func(char* arg)
{
    char buf[32];
    strcpy(buf, arg);
}
command break func:
-buf begins at 0xbffebfb0
-(gdb) x/2wx ...
2 votes, 0 answers, 36 views
ESI and EDI Overflow [duplicate]
I tried fuzzing an application and ended up with my fuzz string in the EDI register and my program stopped with an access violation when reading ESI. I checked the SEH, but it seems unaffected :( I am ...
2 votes, 1 answer, 110 views
Buffer Overflow with Big Endian architecture
Could anyone help to solve the following practice problem related to buffer overflow?
On this problem, I am confused about how the variables and addresses should be stored within the stack. Here ...
1 vote, 0 answers, 41 views
Having trouble reproducing PHP heap based buffer overflow in quoted_printable_encode [closed]
I am trying to follow the test script provided here. I've installed an apache web server with PHP version 5.3.25 and created a script with the following code:
<?php
// file: test.php
$str = ...
6 votes, 1 answer, 873 views
stack buffer overflow in the main function? [closed]
I am trying to exploit a stack based overflow vulnerability. All the examples I can find make use of a ret address though. The buffer overflow I found is inside the main function, and I cannot find ...
7 votes, 2 answers, 302 views
Modify C code with buffer overflow vulnerability to skip code
I'm trying to find a way to exploit the buffer overflow vulnerability in the following source code so the line, printf("x is 1") will be skipped:
#include <stdio.h>
#include <stdlib.h>
...
3 votes, 1 answer, 299 views
Why should canary values be chosen at runtime instead of compile time?
For buffer overflow attacks, my exam review says that there are drawbacks to choosing canary values at compile time vs runtime. Why would it be better to choose the canary value at runtime?
1 vote, 0 answers, 35 views
Can you get infected by viewing an image? [duplicate]
Let's say I have an image infected by some malware; I double-click it and that triggers the default program that handles images to open it for viewing. Will this also trigger the malware inside the ...
1 vote, 0 answers, 265 views
how does ASLR prevent return to libc / ROP and similar attacks?
I am trying to understand ASLR and how it is implemented. I understand it does not actually "prevent" buffer overflows etc. from happening, it will only make them more difficult. But I am not able to ...
6 votes, 2 answers, 459 views
How do compilers detect buffer overflow?
I just started researching security at the systems level and its challenges, especially with respect to low-level languages such as C/C++ and Objective-C. I have understood buffer overflow and how ...