Usually occurs when you copy data into a buffer without first checking that the buffer has enough space, so the excess data overwrites adjacent memory.


1 vote · 1 answer · 20 views

Why is initializing C union using “designated initializer” giving random values?

I had a "bug" which I spent quite a while chasing: typedef union { struct { uint8_t mode: 1; uint8_t texture: 4; uint8_t blend_mode: 2; }; uint8_t key; } ...
0 votes · 0 answers · 4 views

How to turn a Function@@GLIBC address into an absolute address

I'm solving a buffer-overflow problem for practice. The problem provides an executable file and a libc file; there's no ASLR or canary, but DEP protection is enabled in the executable file. At first I thought it'...
0 votes · 0 answers · 4 views

Buffer overflow using the program name

I wrote this program: global main section .text main: pop rax pop rdx pop rdx mov rdx, [rdx] mov rdx, [rdx] call rdx ret And I tried a buffer overflow using the program name. ...
-3 votes · 0 answers · 18 views

How could updateConfigParams() function be modified so that it was no longer susceptible to a buffer overflow attack

void updateConfigParams( void ) { char buffer [512]; int i = 0; while (( c = readFromWireless ()) != NULL) { buffer [ i ] = c; i += 1; } writeConfigParams ( buffer ); } In the ...
-1 votes · 1 answer · 30 views

Buffer overflows: writing 7 in hexadecimal without 'null terminator' (0x00)

I'm trying to exploit a buffer overflow vulnerability to overwrite the return address on the stack. However, the code I'm trying to 'hack' makes use of a canary system. It initializes an integer always to ...
1 vote · 0 answers · 29 views

Bypass StackGuard protection in order to perform a buffer overflow without altering the canaries and get root access

Hello everyone, I am a new cyber security student and I'm trying to solve an exploit problem. So, we have the following C program which is compiled with StackGuard, and we have to gain root access....
0 votes · 0 answers · 11 views

SEH overwrite attack details

If there are canaries on the stack, why doesn't the exception handler check the integrity of the canaries? Why does it continue executing the manipulated exception handler? Will corrupting a canary trigger ...
1 vote · 1 answer · 17 views

Hexadecimal Memory Address to Assembly

I am following a buffer overflow tutorial. I have set up my NOP block, I also set up my shell code, now I need to append the return address to the end of my string. I know my return address is : ...
0 votes · 1 answer · 17 views

$esp register not found

I am learning debugging with gdb and registers, but I am stuck in one point. As an instruction, I should print print $esp result: $1 = -9008 but I was expecting such result: $2 = (void *) ...
0 votes · 1 answer · 15 views

Return Oriented Programming Stripped Binaries

Good morning, I have a stripped binary, and I have to bypass ASLR and NX. I have been fighting for three days to find a solution but I cannot find one. I cannot find the libraries linked to the binary as ...
0 votes · 1 answer · 56 views

How to write a buffer overflow?

I've been doing buffer overflow tests, mostly reading from Aleph One's Smashing The Stack For Fun And Profit. #include<string.h> #include<stdio.h> char shellcode[]="\x31\xc0\xb0\x46\x31\...
0 votes · 0 answers · 13 views

Buffer overflow using “JMP ESP” instruction

I am trying to write C code to find the "JMP ESP" instructions in the modules loaded with the executable in order to carry out a remote buffer overflow attack. Below is the code: #include <...
-2 votes · 0 answers · 103 views

strcpy buffer overflow: bypass stack guard

Currently I am working on a school exercise in buffer overflow. I have found out the position of buf and successfully injected the shell code into the vulnerable program without stack guard. Then the ...
0 votes · 2 answers · 52 views

C Mysterious Overflow

Why does this code output -32768 and not 32768? Looks like an overflow but I cannot figure out where. #include <stdio.h> #include <stdlib.h> int main() { char *buffer = (char*)malloc(...
0 votes · 1 answer · 30 views

Overflow saved RIP register value with short address

I'm trying to do buffer overflow where I need to rewrite the saved RIP register value with an address. The address is short (8 bytes), for example, 0x0000000012345678. The RIP register is 16 bytes, ...
0 votes · 2 answers · 88 views

Replace deprecated gets()

I am using the SLM toolkit by CMU-Cambridge for some baseline language modeling on language data, but when I run one of the built executables, my system detects a buffer overflow when it tries to ...
0 votes · 0 answers · 28 views

mosquitto leads to buffer overflow

I did a test with mosquitto. First, publish 100 messages: for(i = 0; i < 100; i++) mosquitto_publish(mosq_p, NULL, "topic", strlen(buf), buf, 1, false); Then stop the mosquitto ...
0 votes · 1 answer · 16 views

Entering ASCII into an HTML text box

I'm doing a cybersecurity capture the flag challenge and attempting a buffer overflow on a server. It has an HTML text box that I'm trying to overflow with particular values. How can I enter ASCII ...
0 votes · 1 answer · 35 views

pointer segfault vs undefined behavior

Why does this code produce a segfault when running regularly, but undefined behavior instead of a segfault if I either add a command line argument or comment out calling the cpy function? #include &...
1 vote · 1 answer · 71 views

How could a buffer overflow attack on the updateConfigParams() function be exploited to disable the program?

Considering the following function void updateConfigParams( void ) { char buffer [512]; int i = 0; while (( c = readFromWireless ()) != NULL) { buffer [ i ] = c; i +=...
0 votes · 0 answers · 20 views

Buffer Overflow in Adobe Reader exploit CVE-2013-2729

I'm trying to figure out how the buffer overflow works in the RLE bug explained here. In particular I would like to understand the final part where it says that the "xpos+len(payload) over flows ...
1 vote · 1 answer · 58 views

Difference between scanf's width specification and scanf_s

scanf_s("%s", a, 10); This code will protect our program from buffer overflow exploit. But without scanf_s, we can write: scanf("%9s", a); I think this code will also block buffer overflow. Is ...
0 votes · 0 answers · 23 views

Buffer overflow attack with stack and buffer growing down

Consider a stack frame of a called function that has this local variable: char buf[12]; In this case the stack should look like: Note that the stack here grows down but the variable buf grows up. ...
0 votes · 1 answer · 22 views

MIPS assembly: display a string using buffer overflow

I am practicing buffer overflow and assembly coding. Right now I am able to find return address, and jump to anywhere inside the program itself. However, I want to do more than just jump to itself, I ...
0 votes · 1 answer · 34 views

No ebp/eip registers in gdb “info frame”

Context: When issuing the command info frame on my machine (with a breakpoint on main), the output is as follows: (gdb) info frame Stack level 0, frame at 0x7fffffffdbd0: rip = 0x4005b1 in main; ...
0 votes · 1 answer · 16 views

Why does my exploit in Perl work but not in Python?

I'm trying to exploit a buffer overflow. I don't think it's useful to post my C program. This exploit works: (perl -e 'print "a" x 280 . "\xf6\x06\x40\x00\x00\x00\x00\x00"' ; cat) | ./a.out But ...
0 votes · 2 answers · 103 views

Is Go vulnerable to buffer overflows?

I know languages like C# aren't vulnerable to buffer overflows unless you marshal or use unsafe code. But is Go vulnerable to buffer overflows?
0 votes · 0 answers · 38 views

x64 Ubuntu buffer overflow hacking with return to libc method

I tried a buffer overflow with return to libc following this site: https://blog.techorganic.com/2015/04/21/64-bit-linux-stack-smashing-tutorial-part-2/. But I get the error __libc_system (line=0x7ffff7b9a58b "...
0 votes · 0 answers · 111 views

Assembly: Buffer overflow attack, insert code

I have a buffer overflow lab for homework in cs (also known as attack lab). In this phase, I have to overflow a char array, insert my own code in order to alter a register, and redirect to a "hidden ...
-2 votes · 1 answer · 32 views

How do you overwrite a return address to point back into the buffer in a buffer overflow attack?

If you want to pass in shellcode to a program how would you make it so that the return address is overwritten to point back into the buffer to execute the shellcode? Such as in this function: funcA(...
1 vote · 1 answer · 69 views

GDB: Find stack memory address where return address of a function is stored?

I'm working on producing a buffer overflow on my Raspberry Pi (ASLR disabled). I have a program, which has a main function, a vulnerable function and a function which should not be called, the evil ...
2 votes · 0 answers · 102 views

Buffer overflow execute exploit assembly — placed on the stack

I need getbuf() to call touch2() with the correct parameter through a buffer overflow exploit. I will replace the parameter through exploit code -- placing instructions on the stack that places the ...
1 vote · 0 answers · 77 views

Buffer overflow — old rbp space and return space

I have a program (ctarget) that uses the gets() function into a buffer. I need to overflow the buffer and call another program. From the assembly code (I don't have the source code) I can see the size ...
0 votes · 0 answers · 15 views

java.nio.BufferOverflowException while parsing XML message

public Message unmarshalMessage(SourceMessaageType src, MyMessageType dest) { final byte[] payload = src.getText(); final ByteBufferRefManager bufferManager = byteBufferPool.getBuffer(payload ....
0 votes · 0 answers · 36 views

Segmentation faults in buffer overflow with DEP/NX/ASLR/fno-stack-protector disabled in GDB

I was trying to exploit a stack overflow vulnerability in a test program and I got it, but only in GDB; I can't reproduce it without GDB, so I followed this answer: Buffer overflow works in gdb but not ...
2 votes · 3 answers · 62 views

Buffer overflow error and Double data type error

int i=4,a,sum; double b,d=4.0,sum2; char e[100],s[]="Hello"; scanf("%d",&a); scanf("%lf",&b); fgets(e,100,stdin); sum=i+a; sum2=d+b; printf("%d\n",sum); printf("%lf\n",sum2); printf("%s",...
0 votes · 0 answers · 22 views

Why a bus error occurs during buffer overflow

#include <stdio.h> #include <stdlib.h> #include <string.h> int check_authentication(char *password){ int auth_flag = 0; char password_buffer[16]; strcpy(password_buffer, password);...
2 votes · 0 answers · 82 views

Calling library function after exploiting buffer overflow crashes the program

I'm trying to perform a simple buffer overflow using the following program void not_called() { printf("Enjoy your shell\n"); char* name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[...
-1 votes · 1 answer · 83 views

How to use standard Linux tools to fix a deadlocked script?

I have a script in Python3 and if I use subprocess.Popen.wait() I have a problem — my script iterates some Linux command many times and it looks to me like my app is not responding. When I use ...
2 votes · 2 answers · 85 views

Disabling stack protection in GCC not working

I'm trying to recreate a stack buffer overflow using the classic overflow with strcpy using this function: #include <stdio.h> #include <string.h> void main(int argc, char **argv) { ...
5 votes · 3 answers · 420 views

Why is my stack buffer overflow exploit not working?

So I have a really simple stack overflow: #include <stdio.h> int main(int argc, char *argv[]) { char buf[256]; memcpy(buf, argv[1],strlen(argv[1])); printf(buf); } I'm trying to ...
1 vote · 3 answers · 54 views

What parts of a process' virtual address space are overwriteable?

For instance, let's suppose that instead of buffers growing in the opposite direction of the stack, they grow in the same direction. If I have a character buffer containing the string "Hello world", ...
0 votes · 0 answers · 26 views

Machine language changed temporarily after buffer overflow

I'm trying a buffer overflow on the code below: #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> int main(void) { char str[256]; printf("...
0 votes · 0 answers · 16 views

Buffer overflow does not work well in Ubuntu

When I practiced BOF (buffer overflow) in Ubuntu, I found weird things. I used this code (the compiled file of test.c is "test"): #include <stdio.h> int main(int argc, char* argv[]) { char buffer[256]...
0 votes · 1 answer · 53 views

Buffer overflow success only when using gdb

If I modify the return address directly with GDB, the buffer overflow succeeds and I can get a shell. However, when I don't use GDB, I can't get a shell with the same shell code. I can't find any difference between ...
0 votes · 2 answers · 59 views

Is it possible to generate a Local Buffer Overflow in Android via a compiled binary to gain root access?

I want to know if it is possible to root any Android OS via a local buffer overflow, which I would generate using a compiled program that contains the simplest local buffer overflow: char buf[...
0 votes · 1 answer · 95 views

Ubuntu 16.04 Buffer Overflow

I am trying to recreate a buffer overflow attack on my machine using Ubuntu 16.04. But no matter what I try I always get the error 'Segmentation fault (core dumped)'. I already disabled memory ...
0 votes · 0 answers · 43 views

Missing __stack_chk_fail Symbol Using GCC

Based on what I've seen with hardening audit tools the way to detect stack cookies/canaries is to dump symbols with readelf -s and look for the __stack_chk_fail symbol. I build my code with -fstack-...
0 votes · 2 answers · 111 views

Possible security vulnerability from using fgets() and recommended solution?

I'm using Coverity's SA tool for errors. I'm getting a few errors due to the usage of fgets(). This is a snippet (SA errors shown as comments): FILE *fp; char my_pubkey[1024]; fp = fopen("publickey....
2 votes · 0 answers · 62 views

Buffer overflow attack with shell code

I used this shell code for buffer overflow attack $(python -c 'print "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x0f\x05\xc3"+"a"*31+"\x90\xe4\xff\xff\...