A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
2 votes, 3 answers, 39 views
If the stack grows downwards, how can a buffer overflow overwrite content above the variable?
I realize how a buffer overflow works but I have a problem understanding the direction in which the overflow is directed. So if the stack grows downwards, that means that the return address is above ...
1 vote, 0 answers, 27 views
Has any exploit leveraged a Video Driver flaw in WebGL?
Microsoft delayed support for WebGL due to the fact Javascript could exploit driver weaknesses.
In the years that have passed, in WebGL's adoption, are there any exploits of WebGL that support their ...
17 votes, 5 answers, 2k views
How can buffer overflows be harmful in Android?
How can buffer overflows be potentially dangerous in Android?
Specifically, if each app has its own user ID and is run in a Dalvik VM copy that has the same ID. I thought that even if the ...
1 vote, 1 answer, 41 views
Discover framebuffer address on unknown architecture?
Recently I got unsigned code running through an exploit on a device. Now I would like to discover the framebuffer address so I could write to the screen and output data.
The only way I can imagine ...
1 vote, 0 answers, 23 views
Mobile processors with hardware support for efficient bounds checking
Are there any mobile or embedded processors that provide hardware support for efficient bounds checking?
Intel's newest x86 processors provide MPX, which enables compilers to add automatic bounds ...
0 votes, 0 answers, 30 views
Is it possible to bypass stack protector (SSP)?
Is it possible to exploit a simple stack buffer overflow vulnerability with stack smashing protector enabled? For example, this line of code is vulnerable to a stack buffer overflow; is it ...
0 votes, 2 answers, 34 views
How to pass HEX character with no corresponding ASCII to a C program as input
Your first answer would be to use perl or python and pipe the input to the C program, but unfortunately the variable I want to input is not taking the value from argument of the C program, rather it ...
-4 votes, 1 answer, 43 views
After how many bytes stack overflow occurs [closed]
Let the buffer size be 4 bytes. We give input of 4, 5, 6, 7, ... bytes one by one. After how many bytes will a stack-based overflow occur? The buffer size is 4 bytes; will input of 4 bytes cause a stack-based ...
1 vote, 1 answer, 25 views
How to perform buffer overflow on non-argument parameters?
I am new to buffer overflow attacks and I am trying to do the same on some sample C code which I have.
I have three variables a, b and buffer.
a and b have values assigned to them in the code itself. ...
0 votes, 1 answer, 38 views
Why append an nop sled at the end of the shellcode?
I was trying to exploit a buffer overflow in the following way:
NOP sled -> shellcode -> address of NOP sled (where the saved RIP was before)
But a guy on stackoverflow told me that I should do:
NOP ...
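The layout the question describes, NOP sled, then shellcode, then the address that replaces the saved return address, can be built and checked without touching a real target. The block below is an added example, not code from the question or its answers: it fills a payload buffer with that layout, packs the overwrite address little-endian (x86 byte order), and then simulates what happens for different guesses of where execution lands. The shellcode is four constructed `int3` placeholder bytes, the return-slot offset of 64 and the address 0xbffff7bc (borrowed from another question on this page) are illustrative, and the point it makes is the one the sled exists for: every guess that lands anywhere inside the sled slides forward into the shellcode, so the sled length is the size of your error margin when you do not know the exact buffer address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90  /* x86 one-byte nop; the sled is a run of these */

/* Write `value` into `dst` as `width` little-endian bytes (x86 byte order). */
static void put_le(uint8_t *dst, uint64_t value, size_t width)
{
    for (size_t i = 0; i < width; i++)
        dst[i] = (uint8_t)(value >> (8 * i));
}

/* Lay out [NOP sled][shellcode][return address] in `out`.
 * ret_off is the distance from the start of the vulnerable buffer to the
 * saved return address (an assumed value in this example); every byte not
 * needed by the shellcode becomes sled. Returns the sled length, or 0 when
 * the shellcode or the address slot does not fit. */
size_t build_payload(uint8_t *out, size_t out_len, size_t ret_off,
                     const uint8_t *sc, size_t sc_len,
                     uint64_t ret, size_t addr_width)
{
    if (sc_len >= ret_off || ret_off + addr_width > out_len)
        return 0;
    size_t sled = ret_off - sc_len;
    memset(out, NOP, sled);               /* the sled */
    memcpy(out + sled, sc, sc_len);       /* shellcode right behind it */
    put_le(out + ret_off, ret, addr_width); /* overwrites the saved RIP */
    return sled;
}

/* Simulate execution starting at byte `land` of the payload: count the nops
 * executed before the first shellcode byte. Returns -1 when the guess lands
 * inside or past the shellcode, where the CPU would decode garbage. */
long nops_executed_from(const uint8_t *payload, size_t sled, size_t land)
{
    if (land >= sled)
        return -1;
    long n = 0;
    while (land + n < sled && payload[land + n] == NOP)
        n++;                              /* slide until the sled ends */
    return n;
}

int main(void)
{
    /* Constructed placeholder "shellcode": four int3 bytes, not a real payload. */
    static const uint8_t sc[4] = { 0xcc, 0xcc, 0xcc, 0xcc };
    uint8_t payload[128];
    size_t sled = build_payload(payload, sizeof payload, 64, sc, sizeof sc,
                                0xbffff7bcULL, 4);
    printf("sled length %zu bytes\n", sled);
    for (size_t land = 0; land < 70; land += 10)
        printf("land at +%zu: %ld nops then shellcode\n",
               land, nops_executed_from(payload, sled, land));
    return 0;
}
```

Every landing offset from 0 to 59 works here, so an address guess that is off by up to 59 bytes still reaches the shellcode; with no sled the guess must be exact. If a real address has to be packed, remember `put_le` stores the lowest byte first, which is why 0xbffff7bc appears in the payload as bc f7 ff bf.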
1 vote, 0 answers, 37 views
Buffer overflow Rooting vs SU via recovery?
After researching the low-level details and techniques of rooting processes, I found that it happens mostly through buffer overflows to gain root access via running payloads (binaries) at the return call ...
0 votes, 1 answer, 61 views
Buffer Overflow and Location of Return Address on Stack
I'm trying to exploit this code with a buffer overflow: http://pastebin.com/V8TS2hfi
I'm trying to overflow the return address to get the "Access Granted" message, which is simple enough. However, ...
0 votes, 1 answer, 31 views
Offset in Stack
Offsets in buffer overflows I can't seem to get a grasp on. Here is a quote from the book I am reading about this topic.
The address of the variable "i" in main()'s stack frame is used as a point ...
0 votes, 0 answers, 27 views
Bypassing SafeSEH in application without unprotected modules
I'm trying to write an exploit for a vulnerable Win32 application, which has DEP, SafeSEH and stack cookies enabled. I can write anything to the stack, as there is buffer overflow vulnerability in an ...
0 votes, 1 answer, 113 views
EBP bypass problem
I am kinda new to exploit development using buffer overflows. I've come across a sample code in one book I refer to, and the sample code doesn't execute properly.
Here is my code...
#pragma ...
2 votes, 3 answers, 109 views
Is this integer overflow vulnerability exploitable?
Is this integer overflow exploitable and if the answer is yes, how can I exploit it?
char buffer[20];
int len = atoi(argv[1]);
if(len < 20)
memcpy(buffer,argv[2],len);
If I set len to -1 the ...
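The check in the question compares a signed `int` against 20, so any negative `len` passes, and `memcpy` then receives that value converted to `size_t`: for -1 that is `SIZE_MAX`, a copy that runs until it hits an unmapped page. The block below is an added example, not code from the question or its answers. It keeps the vulnerable comparison exactly as posted but returns the size `memcpy` would be handed instead of performing the copy, and beside it puts a hardened version: a length parser that rejects negative and out-of-range input (the `atoi` in the question silently accepts both), and a copy that checks sign, destination size and source size before touching memory. The destination size of 20 is the question's; everything else is constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 20   /* char buffer[20] from the question */

/* The check exactly as posted: a negative int satisfies `len < 20`. */
int vulnerable_check_passes(int len)
{
    return len < BUF_SIZE;
}

/* What memcpy(buffer, argv[2], len) actually receives: the int is converted
 * to size_t at the call, so -1 becomes SIZE_MAX. Returned, not executed. */
size_t size_memcpy_would_receive(int len)
{
    return (size_t)len;
}

/* Hardened parser replacing atoi: rejects junk, negative values and values
 * that do not fit an int. Returns the length or -1. */
long parse_len(const char *s)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;                  /* overflow, empty, or trailing garbage */
    if (v < 0 || v > INT_MAX)
        return -1;                  /* the sign check the original lacks */
    return v;
}

/* Hardened copy: both bounds are checked before memcpy runs.
 * Returns bytes copied, or -1 when the request is rejected. */
long safe_copy(char *dst, size_t dst_size, const char *src, size_t src_len, int len)
{
    if (len < 0)
        return -1;                  /* negative length never reaches size_t */
    size_t n = (size_t)len;
    if (n > dst_size)
        return -1;                  /* would overflow the destination */
    if (n > src_len)
        return -1;                  /* would read past the source (Heartbleed-style) */
    memcpy(dst, src, n);
    return (long)n;
}

int main(int argc, char **argv)
{
    /* Constructed stand-ins for argv[1] and argv[2] when run without args. */
    const char *len_arg = argc > 1 ? argv[1] : "-1";
    const char *data = argc > 2 ? argv[2] : "ABCDEFG";
    char buffer[BUF_SIZE];

    int len = atoi(len_arg);
    printf("atoi(\"%s\") = %d, passes `len < 20`: %d, memcpy would get %zu bytes\n",
           len_arg, len, vulnerable_check_passes(len), size_memcpy_would_receive(len));

    long parsed = parse_len(len_arg);
    long copied = parsed < 0 ? -1
                : safe_copy(buffer, sizeof buffer, data, strlen(data), (int)parsed);
    printf("hardened path: parse_len -> %ld, safe_copy -> %ld\n", parsed, copied);
    return 0;
}
```

Whether the copy with `SIZE_MAX` is exploitable rather than just a crash depends on what lies above `buffer` on the stack and on what `argv[2]` contains before the copy faults; the hardened path removes the question by never letting a negative or oversized length reach `memcpy`.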
0 votes, 1 answer, 58 views
Does the stack (UNIX x86, x86-64, ARM) grow up or down? Are buffer overflow tutorials explaining it wrong?
When I read something about buffer overflows on the stack, most or some tutorials show me examples about overwriting local variables (pointers) and then overwriting pointers in the global offset ...
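Two of the questions on this page (this one and the earlier "If the stack grows downwards, how can a buffer overflow overwrite content above the variable?") are the same confusion, and it clears up once the two directions are separated: frames are pushed toward lower addresses, but an array is always filled toward higher addresses. The block below is an added example, not code from either question. It measures the first fact at run time by comparing a caller's local with a callee's local, states the second as the C array guarantee it is, and then uses a struct as a stand-in for one frame (buffer at the low end, then saved frame pointer, then return address; the assumption is the classic prologue layout with no canary and no reordering) to show that an unchecked copy into the buffer walks upward through the saved frame pointer and into the return address. The placeholder values in the struct are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address of a local in a callee's frame. noinline keeps the call real so the
 * comparison with the caller's local reflects actual frame placement. */
__attribute__((noinline)) static uintptr_t callee_local_address(void)
{
    volatile int callee_local = 0;
    return (uintptr_t)&callee_local;
}

/* 1 if a callee's frame sits at LOWER addresses than its caller's frame,
 * i.e. the stack grows down. That is what Linux does on x86, x86-64 and ARM. */
__attribute__((noinline)) int stack_grows_down(void)
{
    volatile int caller_local = 0;
    uintptr_t caller = (uintptr_t)&caller_local;
    uintptr_t callee = callee_local_address();
    return callee < caller;
}

/* buf[0], buf[1], ... live at increasing addresses whichever way frames are
 * pushed: the C array layout guarantees it. So an overflow runs "up" out of
 * the buffer, toward what the prologue pushed before the buffer existed. */
int array_fills_upward(void)
{
    char buf[8];
    return (uintptr_t)&buf[7] > (uintptr_t)&buf[0];
}

/* Struct model of one frame as the classic prologue leaves it (assumption:
 * no canary, no reordering). A real compiler may pad or reorder locals. */
struct frame {
    char buf[16];        /* local buffer, lowest addresses */
    uintptr_t saved_fp;  /* pushed by the prologue, just above the locals */
    uintptr_t saved_ret; /* pushed by the call instruction, above that */
};

/* The bug: copy n bytes starting at buf with no bound. Returns how many bytes
 * of the saved return address were clobbered (0 = it survived). n is clamped
 * to the struct so the simulation never leaves memory we own. */
size_t overflow_bytes_into_ret(struct frame *f, const char *src, size_t n)
{
    f->saved_fp = (uintptr_t)0x42424242u;   /* constructed placeholders */
    f->saved_ret = (uintptr_t)0x11111111u;
    if (n > sizeof *f)
        n = sizeof *f;
    /* buf is the first member, so this is a copy into buf with no
     * `sizeof f->buf` limit: bytes 16.. spill into saved_fp, then saved_ret. */
    unsigned char *dst = (unsigned char *)f;
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)src[i];
    size_t ret_off = offsetof(struct frame, saved_ret);
    if (n <= ret_off)
        return 0;
    size_t hit = n - ret_off;
    return hit > sizeof f->saved_ret ? sizeof f->saved_ret : hit;
}

int main(void)
{
    struct frame f;
    char src[64];
    memset(src, 'A', sizeof src);           /* constructed attacker input */
    printf("stack grows down: %d, array fills upward: %d\n",
           stack_grows_down(), array_fills_upward());
    printf("16-byte write hits %zu bytes of the return address\n",
           overflow_bytes_into_ret(&f, src, 16));
    printf("%zu-byte write hits %zu bytes of the return address\n",
           sizeof f, overflow_bytes_into_ret(&f, src, sizeof f));
    return 0;
}
```

The tutorials are not wrong, they just rarely say which direction they mean: "the stack grows down" is about where the next frame goes, "the overflow goes up" is about where the next byte of the buffer goes. The return address is above the buffer precisely because it was pushed before the buffer was carved out below it.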
0 votes, 0 answers, 42 views
Shellcode problem for a remote service (Encoding)
I have an exercise to exploit a remote service after a short dialog with it using a stack buffer overflow. I've downloaded a binary on my local Ubuntu 14.04 and tested it with gdb.
What I do is ...
1 vote, 1 answer, 45 views
How does the recent discovered PowerPoint exploit work?
One of the recent blogs in Project Zero described a bug in the Symantec virus scanner in relation with PowerPoint files.
But I do not understand how the rounding up to the length of the cache can ...
1 vote, 1 answer, 63 views
Why do browsers not protect against scripts coming with images?
I understand that this is how it goes:
Malformed Image --> Buffer Overrun --> Stack Over Flow --> Execute Malware Pushed On Stack
And though I don't know a huge amount about this, I know that I ...
5 votes, 1 answer, 91 views
After a buffer overflow does an attacker only have access to calls which are present in the library where the C code was compiled?
Or are there techniques to just get a shell?
What I am interested in is if I have compiled some C code using only a small library with insignificant possible calls, does this restrict the attacker ...
2 votes, 1 answer, 81 views
How can I find the size of an array just from compiled C program?
I'm playing around with buffer and heap overflow vulnerabilities, and it is all fine to exploit stuff when you have the source code and can see all the variables, their sizes and values, etc. But, ...
1 vote, 1 answer, 106 views
Is this an exploit attempt and how can I analyse it?
Edited: Never mind the MinGW or .bash_history, I can see that is unlikely. Somebody attacking me and those bytes ending up in the frequently used file .bash_history by accident is not that unlikely ...
0 votes, 0 answers, 76 views
Why there is no shell prompt by exploiting this script?
I tried to get a shell prompt in the following vulnerable code, I think that I found the vulnerability, actually it is a simple stack buffer overflow, but now I have a problem with exploiting the ...
4 votes, 1 answer, 282 views
Unable to overwrite EIP register
Source code for both programs at the end of the post
So, I've been working through Hacking: The Art Of Exploitation, and so far so good. I've managed to control EIP in the vulnerable program notesearch.c. ...
-1 votes, 3 answers, 70 views
What is the future of exploitations? [closed]
With the advent of "safe" languages like Rust, the prevalence of software correctness, and improved type checking in existing systems, memory-based exploits are very hard, if not impossible, to ...
4 votes, 1 answer, 131 views
What kind of bugs can be found by dumb fuzzing a desktop app?
I'm just starting out to learn about fuzzing and have made a dumb fuzzer that changes several random bytes in a pdf file to random values, opens it and detects if Acrobat Reader has crashed. What ...
3 votes, 2 answers, 128 views
Exploit a buffer overflow without SIGSEGV
For my studies I try to create a payload so that it overflows the buffer and calls a "secret" function called "target"
This is the code I use for testing on an i686
#include "stdio.h"
#include "...
2 votes, 3 answers, 400 views
Install a vulnerable service for Windows 7
I have some kind of a project or demonstration, where I have to exploit Windows 7 to get a remote shell.
I did a vulnerability scan with nessus on my Windows 7 machine, but I didn't find any kind of ...
4 votes, 1 answer, 114 views
What is an example of arithmetic and buffer overflows in a php application?
I'm trying to find evidence whether it is possible to have overflows in a php application, whether buffer overflows or arithmetic overflows.
I believe it's possible to have these overflows in the ...
0 votes, 0 answers, 102 views
How can I partially overwrite the EIP in order to bypass ASLR?
As far as I know, it is possible to overwrite the unchanged part of the EIP to bypass ASLR protection. Unfortunately, I do not understand how this can help me in order to jump to the location of my ...
1 vote, 1 answer, 118 views
Are stack overflows using memcpy possible with modern compilers?
These days memcpy is protected by an interface named _memcpy_chk, which checks the size of the destination buffer at runtime. After reading the source code for _memcpy_chk at http://www.opensource....
3 votes, 0 answers, 56 views
Bypass Stack Canary by going past the return address
I was testing a simple C program with stack canary protection.
I attempted to bypass the protection by overwriting past the function's return address and overwriting main's address. I am overwriting ...
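This question and the earlier "Is it possible to bypass stack protector (SSP)?" both come down to where the canary sits and when it is checked: the compiler places it between the local buffer and the saved frame pointer/return address, and the epilogue compares it against the process-wide guard before the `ret` executes. Writing further past the return address, into main's frame or anywhere else, changes nothing about that comparison. The block below is an added example, not code from either question or from any compiler: it models a protected frame as a struct, runs an unbounded copy into it, and performs the epilogue check, so you can see that a contiguous overflow which reaches the return address necessarily crosses the canary, and that the only way through (with no separate bug to leak or brute-force the value, and no non-contiguous write) is to put the correct guard value back. The guard value, the original return address and the target address are all constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame as -fstack-protector lays it out (model, not the compiler's real
 * frame): buffer, then the guard copy, then saved fp and return address. */
struct guarded_frame {
    char buf[32];
    uintptr_t canary;     /* copy of the per-process guard, written in the prologue */
    uintptr_t saved_fp;
    uintptr_t saved_ret;
};

/* Stand-in for __stack_chk_guard: random per process in reality, and glibc
 * keeps its lowest byte 0 so string functions stop at it. Constructed here. */
static const uintptr_t GUARD = (uintptr_t)0x5ca7e100u;
#define ORIGINAL_RET ((uintptr_t)0x08048abcu)   /* constructed caller address */

/* Prologue: store the guard copy and the values the call/push left behind. */
static void prologue(struct guarded_frame *f, uintptr_t ret)
{
    f->canary = GUARD;
    f->saved_fp = (uintptr_t)0xbffff000u;  /* constructed placeholder */
    f->saved_ret = ret;
}

/* The bug: unbounded copy into buf. buf is the first member, so the write
 * runs upward through canary, saved_fp and saved_ret in that order. Clamped
 * to the struct so the simulation never leaves memory we own. */
static void vulnerable_copy(struct guarded_frame *f, const uint8_t *in, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
}

/* Epilogue: the guard is compared BEFORE the return address is used.
 * Returns 1 and the address that would be returned to, or 0 where
 * __stack_chk_fail would abort with "stack smashing detected". */
int epilogue(const struct guarded_frame *f, uintptr_t *ret_out)
{
    if (f->canary != GUARD)
        return 0;
    *ret_out = f->saved_ret;
    return 1;
}

/* One full call with attacker-controlled input. */
int simulate_call(const uint8_t *in, size_t n, uintptr_t *ret_out)
{
    struct guarded_frame f;
    prologue(&f, ORIGINAL_RET);
    vulnerable_copy(&f, in, n);
    return epilogue(&f, ret_out);
}

/* Naive overflow: fill up to the return address, then the target. */
size_t build_naive_overflow(uint8_t *out, uintptr_t target)
{
    size_t off = offsetof(struct guarded_frame, saved_ret);
    memset(out, 'A', off);                       /* this tramples the canary */
    memcpy(out + off, &target, sizeof target);   /* host byte order = what ret loads */
    return off + sizeof target;
}

/* Same overflow, but with a leaked guard value placed back at its slot. */
size_t build_overflow_with_canary(uint8_t *out, uintptr_t leaked, uintptr_t target)
{
    size_t off_c = offsetof(struct guarded_frame, canary);
    size_t off_r = offsetof(struct guarded_frame, saved_ret);
    memset(out, 'A', off_r);
    memcpy(out + off_c, &leaked, sizeof leaked);  /* restore the guard copy */
    memcpy(out + off_r, &target, sizeof target);
    return off_r + sizeof target;
}

int main(void)
{
    uint8_t payload[128];
    uintptr_t ret = 0;
    uintptr_t target = (uintptr_t)0x41414141u;    /* constructed target */

    size_t n = build_naive_overflow(payload, target);
    printf("naive overflow: %s\n",
           simulate_call(payload, n, &ret) ? "returned" : "stack smashing detected");

    n = build_overflow_with_canary(payload, GUARD, target);
    if (simulate_call(payload, n, &ret))
        printf("with leaked canary: returned to %#lx\n", (unsigned long)ret);
    return 0;
}
```

The model is also why "writing past the return address into main" cannot help: the check happens in the frame being left, on the bytes you had to cross to get there. In practice the value comes from an info leak (a format string, an out-of-bounds read) or, for a forking server that keeps the same guard across children, a byte-at-a-time brute force; without one of those, or a write that is not contiguous, the protector holds.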
4 votes, 2 answers, 97 views
How do self-contained executable program exploits work, when considering virtual memory?
My understanding of virtual memory is that the operating system allows each process to have access to the entire pool of memory, and creates this illusion by paging.
As a consequence, a program can ...
0 votes, 0 answers, 57 views
Can I use process crash information to detect buffer overflow attacks?
Buffer overflow is a very common vulnerability, often targeted with zero-day exploits. Successful attacks often result in arbitrary code execution, while failed attempts tend to crash the target ...
3 votes, 0 answers, 94 views
C program - exploit program (after seg fault)
The program below takes three parameters - Base to convert from, base to convert to and the number to convert in binary
As part of learning security - I am trying to buffer overflow this program. I ...
2 votes, 1 answer, 124 views
Is my understanding of buffer overflows correct?
I am new to pentesting and wondering if my current understanding of buffer overflow exploits is correct. Assuming an operating address space of 3 addresses, an instruction space of 2 addresses, and an ...
2 votes, 2 answers, 129 views
Why can't I overwrite the stack frame?
I'm currently reading Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition and I have a question with an exercise in the book. The lab "Lab 10 - 1 Overflow of meet.c" is a lab in which we ...
124 votes, 7 answers, 18k views
Why are programs written in C and C++ so frequently vulnerable to overflow attacks?
When I look at the exploits from the past few years related to implementations, I see that quite a lot of them are from C or C++, and a lot of them are overflow attacks.
Heartbleed was a buffer ...
3 votes, 1 answer, 163 views
return-to-libc attack
I was trying to attempt at return-to-libc buffer overflow attack for my Computer Software Security assignment. As far as my understanding goes, we can do these kind of attacks regardless of stack ...
8 votes, 1 answer, 275 views
Using cat to overcome 'Stack smash detected'
I'm now trying a buffer overflow exercise from the site pwnable.kr
I found the string that should be entered to the gets function but got "Stack Smash Detected", then I found a solution in
rickgray.me
...
0 votes, 0 answers, 116 views
Put shellcode in writable sections -> .bss & .data
So, I have the following issue. Let's say I have a simple vulnerable program, such as this one:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void vuln_function(char *);
...
4 votes, 3 answers, 140 views
Strange address change during Buffer Overflow
I was testing out a buffer overflow and the following strange thing happened:
The return address is at 0xbffff7bc which I discovered from testing. I replaced it with the value I wanted 0xbffff636.
...
4 votes, 1 answer, 81 views
Will Intel's MPX extension make C/C++ completely safe to use?
This is apparently an extension that will eliminate buffer overflow and format string vulnerabilities in C/C++ programs, I would guess by providing hardware support for, e.g. converting scanf to fgets ...
3 votes, 0 answers, 53 views
ASCII Armoring in a little endian system
With regard to the question: How does ASCII-Armoring help to prevent buffer-overflow attacks?:
How the armored region prevents the attack?
If the most significant byte of the return address is 0x00 ...
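This question and the earlier "How can I partially overwrite the EIP in order to bypass ASLR?" are both about the same property of a little-endian machine: the saved EIP is stored lowest byte first, so an overflow that stops early replaces only the low bytes and leaves the high ones alone, and a null byte in an address ends up wherever its position in the value puts it in memory. The block below is an added example, not code from either question. `partial_overwrite` shows that writing one or two bytes into the saved EIP slot keeps the randomised upper bytes and only moves execution within the same 256-byte or 64 KiB region of the original (on Linux the low 12 bits of a mapping are never randomised, so a one-byte overwrite needs no guess and a two-byte one needs at most 16 tries). `strcpy_bytes_delivered` shows what ASCII armouring does to a `strcpy`-style overflow: an address whose top byte is 0x00 is still written in full, because the null arrives last and doubles as the terminator, but nothing can be appended after it, and a null in any lower byte cuts the address itself short. All addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four bytes a little-endian x86 keeps in memory for a 32-bit address. */
void store_le32(uint8_t out[4], uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

uint32_t load_le32(const uint8_t in[4])
{
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | in[i];
    return v;
}

/* Partial overwrite: the overflow stops after `nbytes` bytes of the saved
 * EIP slot. Because the low-order bytes come first in memory, only they
 * change; the ASLR-randomised high bytes survive. Returns the new EIP. */
uint32_t partial_overwrite(uint32_t saved_eip, const uint8_t *new_low, size_t nbytes)
{
    uint8_t slot[4];
    if (nbytes > 4)
        nbytes = 4;
    store_le32(slot, saved_eip);
    memcpy(slot, new_low, nbytes);   /* overwrite starts at the lowest byte */
    return load_le32(slot);
}

/* Simulate strcpy of a payload that begins with `addr`: bytes are copied up
 * to and including the first 0x00, which strcpy writes as the terminator.
 * Returns how many of the four bytes reach `dst`. */
size_t strcpy_bytes_delivered(uint32_t addr, uint8_t dst[4])
{
    uint8_t src[4];
    store_le32(src, addr);
    for (size_t i = 0; i < 4; i++) {
        dst[i] = src[i];
        if (src[i] == 0)
            return i + 1;            /* terminator written, copy stops here */
    }
    return 4;
}

/* 1 if all four bytes of the address land in memory. */
int address_fully_delivered(uint32_t addr)
{
    uint8_t d[4];
    return strcpy_bytes_delivered(addr, d) == 4;
}

/* 1 if more payload (arguments, a second address) can follow the address:
 * only when the address contains no null byte at all. */
int can_append_after_address(uint32_t addr)
{
    uint8_t s[4];
    store_le32(s, addr);
    return memchr(s, 0, 4) == NULL;
}

int main(void)
{
    uint32_t saved = 0xb7e5a1c0u;                 /* constructed randomised EIP */
    uint8_t two[2] = { 0x34, 0x12 }, one[1] = { 0x7f };
    printf("saved %#x, 2-byte overwrite -> %#x, 1-byte overwrite -> %#x\n",
           saved, partial_overwrite(saved, two, 2), partial_overwrite(saved, one, 1));

    uint32_t addrs[] = { 0x00c0ffeeu, 0xc000ffeeu, 0xbffff636u };
    for (size_t i = 0; i < 3; i++)
        printf("%#010x: fully delivered %d, can append after it %d\n", addrs[i],
               address_fully_delivered(addrs[i]), can_append_after_address(addrs[i]));
    return 0;
}
```

The armouring point follows from the second function: a return-to-libc chain needs the libc address followed by a fake return address and arguments, and when libc is mapped at 0x00xxxxxx that null byte is the last one `strcpy` will write, so the chain stops at exactly one call with no controlled arguments. It does nothing against copies that are not null-terminated, such as a `memcpy` with an attacker-supplied length.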
4 votes, 1 answer, 192 views
Buffer overflow exploit works with gdb but not without
I am learning about buffer overflows and I’m developing my very first exploit.
There is a server process that listens to a socket and forks a new process for each client. The child process has a ...
4 votes, 0 answers, 65 views
Environment variable and scripting for return-to-libc exploit
For school we have to perform a return-to-libc exploit. Doing this, we need to spawn a shell from /bin/xh which will print a message that we succeeded with our exploit.
To do this exploit, I used ...
4 votes, 5 answers, 243 views
What are attackers trying to achieve when doing attacks on local programs such as buffer overflows?
In attacks on programs, such as stack buffer overflows, what is the objective of the attacker? I’m having trouble learning the technical details of the attack (such as overwriting the function’s ...
1 vote, 1 answer, 146 views
Arduino buffer overflow and arbitrary code execution
Is it possible to overflow a buffer on an Arduino Uno R3? The following code is vulnerable on modern computers:
#include <stdio.h>
#include <string.h>
int main(void)
{
char buff[15];
...
0 votes, 1 answer, 180 views
Shellcode to buffer overflow not working linux m32
What my purposely insecure program does is to check if a username matches a specific string by copying user input into a buffer and comparing it.
I have compiled the program
cc -o real real.c -g -...