A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.


0 votes | 0 answers | 25 views

How to manually determine if a crash is due to a buffer overflow?

I can get Firefox to consistently crash (on Windows) with a bit of Javascript. I suspect it is a buffer overflow but am not totally sure. How can I confirm this? Do I need a debugger?
0 votes | 0 answers | 14 views

ROP - pop eax, ret gadget doesn't work

Good evening! I am building a ROP chain for a security challenge. I have a problem in my ROP chain. I found some interesting gadgets with ropshell.com, and they seem to work pretty well except one. ...
0 votes | 0 answers | 29 views

segmentation fault (exploiting buffer overflow)

I have this program in C: //stack4.c #include <stdlib.h> #include <stdio.h> int bof() { char buffer[8]; FILE *badfile; badfile=fopen( "badfile", "r" ); fread( buffer, sizeof( char ), ...
1 vote | 0 answers | 42 views

How to detect malformed MP4 files that crash iOS devices

Recently I was made aware of an iOS bug that when a specifically malformed mp4 was played on an iOS device, it would crash. After searching around for the mp4 I found it and am trying to figure out ...
3 votes | 1 answer | 42 views

Why should code memory pages be readable?

I understand that each instruction should be read into CPU for execution, which probably is the reason why code pages should be "r-x". But my observation is that the behavior of reading code into ...
1 vote | 0 answers | 17 views

SEH overwrite attack details

If there are canaries on stack, why does not the exception handler check the integrity of canaries? Why does it continue executing a manipulated exception handler? Will corrupting a canary trigger an ...
3 votes | 1 answer | 46 views

Corrupted Address When Performing 64 Bit ROP Chain

I'm trying to learn ROP chaining on a 64 bit Linux machine and I've run into some issues. I'm using the following code for the buffer overflow (taken from this tutorial): #include <string.h> #...
0 votes | 1 answer | 48 views

Problem finding a vulnerability in memcpy

I have some trouble finding the buffer overflow vulnerability in this piece of code; it is with memcpy but I am confused by the result it gives: #include <stdio.h> #include <string.h> #...
5 votes | 1 answer | 90 views

How did the “Blaster” worm trigger buffer overflows?

In "The Security Development Lifecycle" book, Michael Howard wrote: Take as an example the coding bug in Windows RPC/DCOM that the Blaster worm took advantage of (Microsoft 2003). The defective ...
-2 votes | 1 answer | 81 views

How to exploit a website using C++ for backend? [closed]

There are a lot of major sites like Google and eBay that use C++. I know that strncpy, strlen, and sprintf can lead to a buffer overflow and possibly RCE. But how would you take the vulnerability to ...
1 vote | 0 answers | 44 views

C Buffer Overflow [closed]

I am having trouble figuring out the right address to use a buffer overflow script against to gain access to the admin menu. I have found what the address is but when using a perl script with the ...
1 vote | 0 answers | 24 views

Protection against remote system compromise on binary code level

My (certainly incomplete) understanding of a remote system compromise on the binary code level is roughly: A program vulnerability, such as missing input validation, is exploited to insert external ...
1 vote | 1 answer | 45 views

Can you do an overflow to the heap space from a stack?

I was reading about buffer overflows and I know that I can have a stack overflow and heap overflow. But since the stack and the heap meet at some point, would it be possible to overflow into one from ...
0 votes | 1 answer | 141 views

What's insecure about this code?

I'm trying to learn binary exploitation, and thought of using online samples to train myself. Here's one that I've found, and I can't seem to figure out how to exploit it. int main(int argc, char** ...
1 vote | 1 answer | 129 views

HTTP header error message looks weird. Is this a buffer overflow attack?

My gerrit error log shows the following shell code like characters: [HTTP-64] WARN org.eclipse.jetty.http.HttpParser : Illegal character 0x5 in state=START for buffer HeapByteBuffer@af151b6[p=1,l=3,...
1 vote | 1 answer | 71 views

Is it possible to run shell code from programming language A in a script that is programmed in language B? [closed]

I am sorry about the confusing title, but what I'm asking is this: Could you run shell code from C (or any other programming language) in a buffer overflow script that is programmed in Java (or any ...
-1 votes | 2 answers | 56 views

Remote buffer overflow exploiting + writing exploit

My teacher gave me some exercises about B.O. to understand how buffer overflow works, and "how" to write some exploit to prove it! He gave me some programs in C; I can't solve the last. For the last, the ...
1 vote | 0 answers | 61 views

Performing denial of service attack using Python [closed]

I am a student, so please don't be rude if I miss something, and this project is for research purposes only. I am willing to perform a denial of service attack (on my own servers). I am not willing to do ...
1 vote | 1 answer | 65 views

Why does it not cause a buffer overflow when a large string is validated for length?

I know that many buffer overflow attacks on servers are conducted by sending very large input strings through some HTML form etc. The go-to mitigation technique for this is to validate the length of ...
0 votes | 0 answers | 68 views

Return into libc doesn't work

I am a newbie in the exploit world. I have been trying to make a return into libc. I am using an old version of Linux because this version doesn't have ASLR, Canary, NX bit, etc. Because I am learning ...
1 vote | 2 answers | 137 views

Buffer overflow - Print “hello world”

I'm wondering what the shellcode would be to simply print "hello world" to the console. When testing for vulnerabilities, I think it would be very useful to have shellcode to test if the exploit works....
1 vote | 2 answers | 49 views

Is the shadow stack used for anti-buffer-overflow only?

I have some questions about the shadow stack concept: Is the shadow stack concept used for buffer overflow prevention only? Is the stack canary adjacent to the shadow stack? What will happen if return ...
1 vote | 0 answers | 64 views

What does a code pointer look like?

I'm writing a fictional short story in which I would like to be factually accurate. The protagonist is trying to overflow a buffer. Suppose he is allowed to input a null-terminated string in a ...
2 votes | 1 answer | 57 views

Should I request a CVE for bugs in number-crunching software?

I found several memory bugs in a number-crunching software which I use daily (for fun) using valgrind and address sanitizer. I have contacted the author and he is now working hard to track down and ...
1 vote | 1 answer | 54 views

Interactive shell not opening

I'm performing a buffer overflow attack on a binary and I managed to get proper return address and execute my shell code. It successfully ran the shell code. But I'm not getting a shell. When I type ...
0 votes | 0 answers | 28 views

Where does the compiler store a copy of the canary value for checking purposes?

I'm reading on canary values. The idea is intuitive, but I'm not sure I understand how the program is able to tell if the canary value has been altered. The canary value is saved on the stack, and the ...
0 votes | 0 answers | 66 views

Buffer overflow return address rewrite problem

I wrote a simple program in C that creates a buffer, then writes the command line parameter into the buffer. The problem is when I try to overwrite the return address the program crashes because the ...
15 votes | 2 answers | 3k views

Viewing the stack

I recently started learning about buffer overflows and how they work. Someone shared a binary to practice on (in a vm, don't worry). I've been feeding strings to the socket that the binary opens, and ...
0 votes | 1 answer | 33 views

Decoding MSSQL Payload

I am trying to reverse engineer this exploit on Exploit-DB The strings are going to be mostly copy and paste except for the payload on line 194. Payload: /* reverse shell on 10.10.10.1:4445 */ ...
1 vote | 1 answer | 49 views

Why is the local variable not overwritten due to buffer overflow?

Here is my C++ program in which a buffer overflow happened, yet the local variable is not corrupted: #include <iostream> #include <cstring> using namespace std; int main() { // ...
0 votes | 0 answers | 34 views

Why does -fstack-protector optimize if a function does not allocate an array of 8 or more bytes?

According to the gcc instrumentation options doc, the -fstack-protector only protects against "functions that call alloca, and functions with buffers larger than 8 bytes." How are buffers larger than ...
0 votes | 2 answers | 114 views

Why must a ret2libc attack follow the order "system(), exit(), command"?

In a ret2libc attack, I understand that the return address can be overwritten with the address of the system command, which takes a command string as an argument. In this case, shouldn't the address ...
2 votes | 3 answers | 113 views

If the stack grows downwards, how can a buffer overflow overwrite content above the variable?

I realize how a buffer overflow works but I have a problem understanding the direction in which the overflow is directed. So if the stack grows downwards, that means that the return address is above ...
1 vote | 0 answers | 45 views

Has any exploit leveraged a Video Driver flaw in WebGL?

Microsoft delayed support for WebGL due to the fact that Javascript could exploit driver weaknesses. In the years that have passed, in WebGL's adoption, are there any exploits of WebGL that support their ...
17 votes | 5 answers | 2k views

How can buffer overflows be harmful in Android?

How can buffer overflows be potentially dangerous in Android? Specifically, if each app has its own user id and is run in a Dalvik VM copy that has the same id. I thought that even if the ...
1 vote | 1 answer | 48 views

Discover framebuffer address on unknown architecture?

Recently I got unsigned code running through an exploit on a device. Now I would like to discover the framebuffer address so I could write to the screen and output data. The only way I can imagine ...
1 vote | 0 answers | 31 views

Mobile processors with hardware support for efficient bounds checking

Are there any mobile or embedded processors that provide hardware support for efficient bounds checking? Intel's newest x86 processors provide MPX, which enables compilers to add automatic bounds ...
0 votes | 0 answers | 66 views

Is it possible to bypass stack protector (SSP)?

Is it possible to exploit a simple stack buffer overflow vulnerability with stack smashing protector enabled? For example, this line of code is vulnerable to a stack buffer overflow; is it ...
-4 votes | 1 answer | 68 views

After how many bytes does a stack overflow occur? [closed]

Let the buffer size be 4 bytes. We give input of 4, 5, 6, 7, ... bytes one by one. After how many bytes will a stack-based overflow occur? The buffer size is 4 bytes; will input of 4 bytes cause a stack-based ...
1 vote | 3 answers | 115 views

How to perform buffer overflow on non-argument parameters?

I am new to buffer overflow attacks and I am trying to do the same on a sample C code which I have. I have three variables a, b and buffer. a and b have values assigned to them in the code itself. ...
1 vote | 1 answer | 134 views

Why append a NOP sled at the end of the shellcode?

I was trying to exploit a buffer overflow in the following way: NOP sled -> shellcode -> address of NOP sled (where the saved RIP was before). But a guy on stackoverflow told me that I should do: NOP ...
1 vote | 0 answers | 47 views

Buffer overflow Rooting vs SU via recovery?

After researching rooting processes' low-level details and techniques, I found that it happens mostly through buffer overflow to gain root access via running a payload (binaries) at return call ...
0 votes | 0 answers | 307 views

Buffer Overflow and Location of Return Address on Stack

I'm trying to exploit this code with a buffer overflow: http://pastebin.com/V8TS2hfi I'm trying to overflow the return address to get the "Access Granted" message, which is simple enough. However, ...
0 votes | 1 answer | 63 views

Offset in Stack

Offsets in buffer overflows I can't seem to get a grasp on. Here is a quote from the book I am reading about this topic. The address of the variable "i" in main()'s stack frame is used as a point ...
0 votes | 0 answers | 52 views

Bypassing SafeSEH in application without unprotected modules

I'm trying to write an exploit for a vulnerable Win32 application, which has DEP, SafeSEH and stack cookies enabled. I can write anything to the stack, as there is buffer overflow vulnerability in an ...
0 votes | 1 answer | 142 views

EBP bypass problem

I am kinda new to exploit development using buffer overflows. I've come across a sample code in one book I refer to, and the sample code doesn't execute properly. Here is my code... #pragma ...
2 votes | 3 answers | 355 views

Is this integer overflow vulnerability exploitable?

Is this integer overflow exploitable and, if the answer is yes, how can I exploit it? char buffer[20]; int len = atoi(argv[1]); if(len < 20) memcpy(buffer,argv[2],len); If I set len to -1 the ...
0 votes | 1 answer | 73 views

Does the stack (UNIX x86, x86-64, ARM) grow up or down? Are buffer overflow tutorials explained wrongly?

When I read something about buffer overflows on the stack, most or some tutorials show me examples about overwriting local variables (pointers) and then overwriting pointers in the global offset ...
0 votes | 0 answers | 52 views

Shellcode problem for a remote service (Encoding)

I have an exercise to exploit a remote service after a short dialog with it using a stack buffer overflow. I've downloaded a binary on my local Ubuntu 14.04 and tested it with gdb. What I do is ...
1 vote | 1 answer | 47 views

How does the recently discovered PowerPoint exploit work?

One of the recent blogs in Project Zero described a bug in the Symantec virus scanner in relation to PowerPoint files. But I do not understand how the rounding up to the length of the cache can ...