Usually occurs when you attempt to copy data into a buffer without checking for sufficient space, causing data to be overwritten in neighboring cells.


-2 votes | 0 answers | 46 views

What's wrong with my simple stack overflow exploit [duplicate]

I have a stack overflow #include <stdio.h> int main(int argc, char *argv[]) { char buf[256]; memcpy(buf, argv[1],strlen(argv[1])); printf(buf); } And all I'm doing is ...

2 votes | 2 answers | 59 views

Disabling stack protection in GCC not working

I'm trying to recreate a stack buffer overflow using the classic overflow with strcpy using this function: #include <stdio.h> #include <string.h> void main(int argc, char **argv) { ...

5 votes | 3 answers | 339 views

Why is my stack buffer overflow exploit not working?

So I have a really simple stack overflow: #include <stdio.h> int main(int argc, char *argv[]) { char buf[256]; memcpy(buf, argv[1],strlen(argv[1])); printf(buf); } I'm trying to ...

1 vote | 2 answers | 39 views

What parts of a process' virtual address space are overwriteable?

For instance, let's suppose that instead of buffers growing in the opposite direction of the stack, they grow in the same direction. If I have a character buffer containing the string "Hello world", ...

0 votes | 0 answers | 19 views

Machine language changed temporarily after buffer overflow

I'm trying a buffer overflow on the code below #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> int main(void) { char str[256]; printf("...

-4 votes | 0 answers | 28 views

C++: when does a buffer overflow make arbitrary code execution possible?

After I discovered a buffer overflow in my source, I thought about whether it was possible to execute code through this bug. I started playing a bit around but came to the conclusion that a code execution ...

0 votes | 0 answers | 12 views

Buffer overflow does not work well in Ubuntu

When I practiced bof (buffer overflow) in Ubuntu, I found weird things. I used this code. (test.c compiled file is "test") #include <stdio.h> int main(int argc, char* argv[]) { char buffer[256]...

0 votes | 1 answer | 36 views

Buffer overflow succeeds only when using gdb

If I modify the return address directly with GDB, the buffer overflow succeeds and I can get a shell. However, when I don't use GDB, I can't get a shell with the same shellcode. I can't find any difference between ...

0 votes | 2 answers | 48 views

Is it possible to generate a Local Buffer Overflow in Android via a compiled binary to gain root access?

I want to know if it is possible to root any Android OS via a Local Buffer Overflow, which I would generate using a compiled program that will contain the simplest Local Buffer Overflow: char buf[...

0 votes | 1 answer | 45 views

Ubuntu 16.04 Buffer Overflow

I am trying to recreate a buffer overflow attack on my machine using Ubuntu 16.04. But no matter what I try I always get the error 'Segmentation fault(core dumped)' I already disabled memory ...

0 votes | 0 answers | 18 views

Missing __stack_chk_fail Symbol Using GCC

Based on what I've seen with hardening audit tools the way to detect stack cookies/canaries is to dump symbols with readelf -s and look for the __stack_chk_fail symbol. I build my code with -fstack-...

0 votes | 2 answers | 60 views

Possible security vulnerability from using fgets() and recommended solution?

I'm using Coverity's SA tool for errors. I'm getting a few errors due to the usage of fgets(). This is a snippet (SA errors shown as comments)- FILE *fp; char my_pubkey[1024]; fp = fopen("publickey....

2 votes | 0 answers | 46 views

Buffer overflow attack with shellcode

I used this shellcode for a buffer overflow attack $(python -c 'print "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x0f\x05\xc3"+"a"*31+"\x90\xe4\xff\xff\...

0 votes | 0 answers | 24 views

Return to LibC Attack Unable to Work

//returntolibc.c #include <stdlib.h> #include <stdio.h> #include <string.h> unsigned int xormask = 0xBE; int i, length; int overflow (FILE *filebad) { char buf[12]; /* ...

0 votes | 0 answers | 30 views

Simple buffer overflow via xinetd

I'm trying to make a simple buffer overflow tutorial that runs the program below as a service on port 8000 via xinetd. Code was compiled using gcc -o bof bof.c -fno-stack-protector Ubuntu has ...

5 votes | 1 answer | 57 views

Would having the call stack grow upward make buffer overruns safer?

Each thread has its own stack to store local variables. But stacks are also used to store return addresses when calling a function. In x86 assembly, esp points to the most-recently allocated end of ...

0 votes | 1 answer | 12 views

Messy log from Keytool when getting Hash with -exportcert (Android)

I'm trying to get a hash from my keystore file but instead I'm getting this messy log. Didn't find any info on this behaviour; looks like a Buffer Overflow Vulnerability. Tried regenerating keystores ...

0 votes | 4 answers | 48 views

No error message when using system() to execute program with buffer overflow vulnerability

Consider the following program (vul.c) with a buffer overflow vulnerability. #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buf[10]; strcpy(buf, argv[...

1 vote | 1 answer | 58 views

Static analysis tools for C/C++ shared and static libraries

I have been looking for static analysis tools that detect buffer overruns in C/C++ shared and static libraries, but without success. Especially with C/C++ libraries that are integrated with programs ...

0 votes | 2 answers | 14 views

How to pass a hex character with no corresponding ASCII to a C program as input

Your first answer would be to use Perl or Python and pipe the input to the C program, but unfortunately the variable I want to input is not taking the value from an argument of the C program, rather it ...

7 votes | 1 answer | 71 views

Is gcc reordering local variables at compilation time?

I'm currently reading (for the second time) "Hacking: The Art of Exploitation" and have stumbled on something. The book suggests two different ways to exploit these two similar programs: ...

0 votes | 0 answers | 81 views

How to use buffer overflow to execute shellcode? [duplicate]

I am learning about how buffer overflows work and I tried some basic buffer overflow cases, but I got an error while changing the return address. The return address is correct and the operation inside ...

-1 votes | 1 answer | 21 views

Is it possible to ignore read overruns in Google AddressSanitizer? [closed]

I'm debugging poorly written software in C++. There are many overruns. I want to focus on the write overruns before tackling the read ones. I'm using Google's AddressSanitizer. Is it ...

0 votes | 0 answers | 23 views

C++ code exploit

I am learning basic buffer overflow issues; can anyone please explain how this code can be exploited? char gWelcome [] = "Welcome to our system! "; void echo (int fd) { int len; char name [...

3 votes | 0 answers | 69 views

Shellcode Segfault - testcase vs strcpy

So after taking a Software Security class I became very interested in tinkering with how shellcode works with buffer overflows. Most threads I read about the topic involve having the shellcode as a ...

1 vote | 0 answers | 42 views

What could be the possible reason for a buffer overflow in snprintf in C?

I have defined preprocessors and the code is structured as below. When I test my code using code scanning software (Fortify) it shows that there can be a potential buffer overflow error in snprintf() ...

3 votes | 1 answer | 166 views

I'm trying to exploit a buffer overflow, am I doing something wrong?

I'm trying to execute a buffer overflow exploit using this tutorial. Everything in my post will be executed directly inside GDB. https://www.reddit.com/r/hacking/comments/1wy610/...

0 votes | 3 answers | 35 views

Why is this code vulnerable to buffer overflow?

void cpy(char* b) { char values[1024]; strcpy(b, values); fprint(values); } int main(int argc, char** argv){ if(argc == 1 || strlen(argv[1]) > 1024) { fprint("Nope!\n"); ...

0 votes | 1 answer | 17 views

Buffer overflow when converting binary to base64

I'm running into a buffer overflow when I try to pull image data from MongoDB and try to convert it into base64. I know that storing images in Mongo is not optimal, but I would like to do it, just to ...

2 votes | 1 answer | 44 views

Reading a program's own memory as data

I'm watching a Mario glitch where the Mario Game Boy cartridge reads its own memory as level data. How can I get access to the current memory of a program I'm running? (Any language, though I'm thinking ...

-1 votes | 1 answer | 38 views

No SEG_FAULT when copying large string to small buffer after integer overflow [duplicate]

I'm trying to demonstrate an integer overflow bug and its consequences by writing a small code as follows: int main(int argc, char** argv) { size_t len = 0; sscanf (argv[1], "%lu", &len); ...

2 votes | 1 answer | 58 views

Java BufferOverflowException, while keeping buffer capacity?

So I have a method that creates an IntBuffer from a ByteBuffer: public static IntBuffer directIntBuffer(int[]buffer){ ByteBuffer bb = ByteBuffer.allocateDirect(4*buffer.length); bb....

1 vote | 0 answers | 20 views

Shall Android AudioRecorder read all the samples or just a fraction?

This question is somehow related to Android AudioRecorder. How to reduce min read buffer size?. When I used AudioRecorder to implement a VOIP application, I found that getMinBufferSize() returns ...

0 votes | 0 answers | 36 views

\x00 treated as null byte and doesn't count

I'm trying to learn about stack overflow; when I want to overwrite the eip register I type this command in my shell: run $(perl -e 'print "\xb8\x06\x40\x00" x 20;') It is supposed to overwrite the ...

2 votes | 1 answer | 48 views

How to access address space of parent process from child process?

I am executing a program B from the main function of another program A by the C library function system(). But when I am passing an address of A to B as an argument to replace the return address ...

0 votes | 1 answer | 22 views

glTexImage2D reads beyond bounds of buffer (iOS)

In the following simple code, I load a 1-channel data to a texture. I use glTexImage2D() with GL_LUMINANCE (which is a 1-channel format) and GL_UNSIGNED_BYTE, so it should take one byte per pixel. I ...

0 votes | 0 answers | 84 views

Difference between Heap Spraying, Heap Grooming and Heap Shaping

I fairly understand how a buffer overflow vulnerability is exploited and in my quest for further information I came across this article which I believe involves bypassing certain security features put ...

0 votes | 0 answers | 13 views

Why is strlen(argv[0]) placed before strlen(argv[2]) in this program?

This is probably a very simple question, but I have trouble figuring it out. The program below attempts to determine a very good approximation of the address of the environment variable, in order to ...

0 votes | 0 answers | 33 views

ESP after SEH Exception with same program on different computers

Below are a few articles that exploit different programs by using ESP after the SEH exception to POPAD back to a controllable part of the stack. The other article demonstrates stack pivoting finding ...

0 votes | 1 answer | 68 views

Reverse move in stack without jmp

Update: Since I'm able to get the correct address into a register that I want to jump/call to, I think the best option would be to figure out a way to have self-modifying code result in a jmp/call ...

0 votes | 1 answer | 59 views

Buffer Overflow payload via text file

I have a vulnerable C program that copies a text file from one folder to another. If we increase the text to more than 2048 characters, we get a buffer overflow. Now, I would like to insert my ...

0 votes | 0 answers | 13 views

Buffer Overflow Calculate Space

What is the best way to calculate the payload space in a stack-based buffer overflow? I mean, once I am able to overwrite with a known pattern, how do I exactly compute the space available?

-1 votes | 1 answer | 29 views

How to perform a buffer overflow and successful execution for a C program [closed]

#include <stdio.h> #include <string.h> int main(int argc, char **argv) { // Make some stack information char a[100], b[100], c[100], d[100]; // Call the exploitable function ...

3 votes | 1 answer | 140 views

Experimenting with buffer overflow

I recently took a security class in which we briefly touched on buffer overflow. I wasn't satisfied with what we covered, so I looked for a few examples to follow along with and try myself and found ...

0 votes | 0 answers | 65 views

Find POP POP RET in Python

Is there a way to find a POP POP RET instruction in a non-SafeSEH process using Python? I know how to find it using Immunity Debugger and mona.py. I want to know how to do the same without using Immunity ...

0 votes | 0 answers | 24 views

SEH dump using Peach Fuzzer

How useful is Peach Fuzzer for testing SEH overwrites? Is there any option to include an SEH dump in WinDbg logs with Peach when a crash occurs?

1 vote | 1 answer | 73 views

Buffer overflow using environment variables

I'm trying this code inspired by the "Hacking: The Art of Exploitation" book. It involves exploiting a buffer overflow using the environment variable. The exploitation code is: #include <stdio.h&...

0 votes | 2 answers | 48 views

C copies into two buffers though just one should be filled

I wrote some code in C which should strcpy some input data to a declared buffer. Here's the code: #include <stdio.h> #include <string.h> void function(char *args) { char buff_1[12]; ...

-1 votes | 4 answers | 59 views

Buffer over-run prevention for stack based buffers

I'm writing a C library that provides wrapper functions to strcpy, strcat, gets, etc. to prevent buffer overflow attacks. Basically what I do is keep track of the size of all buffers and prevent ...

2 votes | 0 answers | 53 views

Manually implement C string function with security enhancements

I'm trying to write a replacement for the _tcstok_s function that doesn't skip initial delimiters. (_tcstok_s is a variant of the strtok function that uses TCHARs and includes security enhancements ...