Usually occurs when you attempt to copy data into a buffer without checking for sufficient space, causing data to be overwritten in neighboring cells.
-1
votes
0 answers
48 views
Buffer overflow needs 16 bytes on x86 but 29 bytes on x64
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
char buff[15];
int auth = 0;
printf("\nEnter password: ");
gets(buff);
if (strcmp(buff, "password") != ...
-1
votes
0 answers
35 views
C Buffer overflow buffer of 256 bytes segfault only after 273 chars [duplicate]
If I try to trigger a buffer overflow for this source it only occurs after 273 chars and not after 256 chars as I would expect. What could be the theory for this?
int main(int argc,char **argv){
...
-1
votes
1 answer
32 views
C Simple Buffer Overflow Shellcode location
I'm trying to understand the basic principles of buffer overflows.
During countless hours of reading, one of the things I noted was:
Most of the time the exploit string structure looks like:
[NOPS-...
1
vote
0 answers
58 views
What's the point of Position-independent executables (PIE) when we have execstack?
I'm reading Hacking: The art of exploitation, which is apparently full of outdated information (doesn't take into account canaries, non executable stack, ASLR). I am trying to understand whether (and ...
0
votes
1 answer
92 views
C Simple Buffer Overflow
I'm trying to learn how buffer overflows work and how this can be used.
I'm solving a simple challenge (backdoorlabs echo challenge) by trying to exploit a supplied binary file.
(see: http://hack....
-1
votes
0 answers
81 views
Segmentation fault on buffer overflow
I tried to learn how buffer overflows work and I did some exercises from exploit-exercises.com. I tried to solve the Protostar Stack 5 problem. The code is written in C; here is the code (https://exploit-...
0
votes
2 answers
92 views
Does gets() ignore '\0'?
I am learning about buffer overrun with this source code:
#include <stdio.h>
int main()
{
char buf[16];
gets(buf);
printf("buf @ %8p\n", (void*)&buf);
return 0;
}
I try to ...
0
votes
2 answers
35 views
How to check if user input fits in variable?
I'm trying to write a simple program to calculate a function with Fortran95/03 which needs as input a number(x) and gets as output a number(y).
The user input is a real :: input and the read call ...
0
votes
0 answers
11 views
Gulp: Minification and Uglification Performance Issues
I am currently trying to minify and uglify the code for production and also trying to use sourcemaps to make debugging easier.
I am wondering about systems which are running on older ...
-1
votes
0 answers
41 views
How to compute an address of a function assuming to know the address of an unrelated code point in the program
I need to write a function that gives a program a specific input, which will cause a buffer overflow and instead of running a "security check" the program will execute a "sensitive" code.
This is the ...
1
vote
3 answers
53 views
Buffer overflow or something else
I am creating a program, about seat reservations. I was asked to use unsigned short and unsigned int for some of the variables, so that is why they are set like that.
I have a program that works ok. ...
0
votes
1 answer
35 views
Behavior of char pointer [duplicate]
I am really confused about the following:
char *list = malloc(sizeof(char));
list[0] = 'a';
list[1] = 'b';
printf("%s\n", list);
My expectation was some kind of undefined behavior, because list has ...
1
vote
0 answers
45 views
Debugging vulnerable binary using GDB
I'm trying to exploit this vulnerable code from Phrack Magazine. This is the code of the vulnerable binary:
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]){
...
2
votes
1 answer
84 views
Why can code in the stack or heap segment be executed?
In the security field, there are heap exploitation and stack smashing attacks.
But I found that in the /proc/*/maps file, the heap and stack segments
only have rw-p permission.
There is no execution ...
1
vote
2 answers
64 views
Program crashes when malloc executed
My code keeps crashing when I execute *arr = malloc(i * sizeof(struct cluster_t*));. Cluster is a structure.
I am not sure what the problem is. The second input is an array of structures (clusters). It ...
0
votes
0 answers
42 views
Buffer overflow using environment variable (Linux/GDB)
My oh my, I spent almost two days finding a solution for the following:
A binary is run with setuid privileges and the trick is to get a shell using shellcode placed in an environment variable.
I ...
0
votes
2 answers
55 views
Consolidating large Excel files, can't get around buffer overflow
I am trying to consolidate multiple large Excel files into one single file using the following code
Sub Macro1()
Application.DisplayAlerts = False
Dim Country As String
Dim i As Integer
Dim ...
0
votes
0 answers
40 views
Function Call Segmentation Fault
I'm trying to reproduce a buffer overflow attack here and I'm stuck with the implementation of the shell code as I get a segmentation fault when I assemble and execute it.
Seeing what GDB says, it ...
-2
votes
5 answers
62 views
How could the following code be adjusted to prevent a buffer overflow? [closed]
void updateConfigParams( void ) {
char buffer [512];
int i = 0;
while (( c = readFromWireless ()) != NULL)
{
buffer [ i ] = c;
i += 1;
}
writeConfigParams ( buffer );
}
I'm only ...
0
votes
2 answers
68 views
What explains this behavior of C compiler w.r.t string initialization?
The following code doesn't generate a null terminator
/* Case 1 */
#include <stdio.h>
void main () {
char wbuf[16] = "0123456789abcdef";
printf("%s\n", wbuf);
}
See the relevant parts ...
1
vote
1 answer
23 views
Why is initializing C union using “designated initializer” giving random values?
I had a "bug" which I spent quite a while chasing:
typedef union {
struct {
uint8_t mode: 1;
uint8_t texture: 4;
uint8_t blend_mode: 2;
};
uint8_t key;
} ...
0
votes
0 answers
9 views
How to turn a Function@@GLIBC address into an absolute address
I'm solving a buffer-overflow problem for practice. The problem provides an executable file and a libc file, and there is no ASLR or canary, but there is DEP protection in the executable file.
At first I thought it'...
0
votes
0 answers
7 views
Buffer overflow using the program name
I wrote
global main
section .text
main:
pop rax
pop rdx
pop rdx
mov rdx, [rdx]
mov rdx, [rdx]
call rdx
ret
this program
And I tried a buffer overflow with the program name.
...
-1
votes
1 answer
37 views
Buffer overflows: writing 7 in hexadecimal without 'null terminator' (0x00)
I'm trying to exploit a buffer overflow vulnerability to overwrite the return address of the stack.
However, the code I'm trying to 'hack' makes use of a canary system. It initializes an integer always to ...
1
vote
0 answers
37 views
Bypass StackGuard protection in order to have a buffer overflow without altering the canaries and get root access
Hello everyone, I am a new cyber security student and I'm trying to solve an exploit problem. So, we have the following C program which is compiled with StackGuard and we have to gain root access....
0
votes
0 answers
17 views
SEH overwrite attack details
If there are canaries on stack, why does not the exception handler check the integrity of canaries? Why does it continue executing the manipulated exception handler?
Will corrupting a canary trigger ...
1
vote
1 answer
21 views
Hexadecimal Memory Address to Assembly
I am following a buffer overflow tutorial. I have set up my NOP block, I also set up my shell code, now I need to append the return address to the end of my string. I know my return address is :
...
0
votes
1 answer
20 views
$esp register not found
I am learning debugging with gdb and registers, but I am stuck at one point. As an instruction, I should print
print $esp
result: $1 = -9008
but I was expecting such result:
$2 = (void *) ...
0
votes
1 answer
16 views
Return Oriented Programming Stripped Binaries
Good morning,
I have a stripped binary, and I have to bypass ASLR and NX. I have been fighting for three days to find a solution but I cannot find one. I cannot find the libraries linked to the binary as ...
0
votes
1 answer
63 views
How to write a buffer overflow?
I've been doing buffer overflow tests; mostly I read from Aleph One's Smashing The Stack For Fun And Profit.
#include<string.h>
#include<stdio.h>
char shellcode[]="\x31\xc0\xb0\x46\x31\...
0
votes
0 answers
23 views
Buffer overflow using “JMP ESP” instruction
I am trying to write C code to find the "JMP ESP" instructions in modules loaded with the executable in order to carry out a remote buffer overflow attack. Below is the code:
#include <...
0
votes
2 answers
52 views
C Mysterious Overflow
Why does this code output -32768 and not 32768? Looks like an overflow but I cannot figure out where.
#include <stdio.h>
#include <stdlib.h>
int main()
{
char *buffer = (char*)malloc(...
0
votes
1 answer
36 views
Overflow saved RIP register value with short address
I'm trying to do buffer overflow where I need to rewrite the saved RIP register value with an address.
The address is short (8 bytes), for example, 0x0000000012345678. The RIP register is 16 bytes, ...
0
votes
2 answers
95 views
Replace deprecated gets()
I am using the SLM toolkit by CMU-Cambridge for some baseline language modeling on language data, but when I run one of the built executables, my system detects a buffer overflow when it tries to ...
0
votes
0 answers
30 views
mosquitto leads to buffer overflow
I did a test with mosquitto.
First, publish 100 messages.
for(i = 0; i < 100; i++)
mosquitto_publish(mosq_p, NULL, "topic", strlen(buf), buf, 1, false);
Then stop the mosquitto ...
0
votes
1 answer
17 views
Entering ASCII into HTML text box
I'm doing a cybersecurity capture the flag challenge and attempting to do a buffer overflow on a server. It has an HTML text box that I'm trying to overflow with particular values. How can I enter ASCII ...
0
votes
1 answer
38 views
pointer segfault vs undefined behavior
Why does this code produce a segfault when running regularly, but undefined behavior instead of a segfault if I either add a command line argument or comment out calling the cpy function?
#include &...
1
vote
1 answer
110 views
How could a buffer overflow attack on the updateConfigParams() function be exploited to disable the program?
Considering the following function
void updateConfigParams( void ) {
char buffer [512];
int i = 0;
while (( c = readFromWireless ()) != NULL)
{
buffer [ i ] = c;
i +=...
0
votes
0 answers
24 views
Buffer Overflow in Adobe Reader exploit CVE-2013-2729
I'm trying to figure out how the buffer overflow works in the RLE bug explained here.
In particular I would like to understand the final part where it says that the "xpos+len(payload) over flows ...
1
vote
1 answer
61 views
Difference between scanf's width specification and scanf_s
scanf_s("%s", a, 10);
This code will protect our program from buffer overflow exploit.
But without scanf_s, we can write:
scanf("%9s", a);
I think this code will also block buffer overflow. Is ...
0
votes
0 answers
25 views
Buffer overflow attack with stack and buffer growing down
Consider a stack frame of a called function that has this local variable:
char buf[12];
In this case the stack should look like:
Note that the stack here grows down but the variable buf grows up. ...
0
votes
1 answer
23 views
MIPS assembly: display string using buffer overflow
I am practicing buffer overflow and assembly coding. Right now I am able to find return address, and jump to anywhere inside the program itself. However, I want to do more than just jump to itself, I ...
0
votes
1 answer
41 views
No ebp/eip registers in gdb "info frame"
Context
When issuing the command info frame on my machine (with break point on main), the output is as follows:
(gdb) info frame
Stack level 0, frame at 0x7fffffffdbd0:
rip = 0x4005b1 in main; ...
0
votes
1 answer
16 views
Why does my exploit in Perl work but not in Python?
I'm trying to exploit a buffer overflow.
I don't think it's useful to post my program in C.
This exploit works:
(perl -e 'print "a" x 280 . "\xf6\x06\x40\x00\x00\x00\x00\x00"' ; cat) | ./a.out
But ...
0
votes
2 answers
119 views
Is Go vulnerable to buffer overflows?
I know languages like C# aren't vulnerable to buffer overflows unless you marshal or use unsafe code. But is Go vulnerable to buffer overflows?
0
votes
0 answers
43 views
x64 Ubuntu buffer overflow hacking with return to libc method
I tried a buffer overflow with return-to-libc following this site: https://blog.techorganic.com/2015/04/21/64-bit-linux-stack-smashing-tutorial-part-2/
But I get this error:
__libc_system (line=0x7ffff7b9a58b "...
0
votes
0 answers
130 views
Assembly: Buffer overflow attack, insert code
I have a buffer overflow lab for homework in cs (also known as attack lab). In this phase, I have to overflow a char array, insert my own code in order to alter a register, and redirect to a "hidden ...
-2
votes
1 answer
43 views
How do you overwrite a return address to point back into the buffer in a buffer overflow attack?
If you want to pass in shellcode to a program how would you make it so that the return address is overwritten to point back into the buffer to execute the shellcode? Such as in this function:
funcA(...
1
vote
1 answer
109 views
GDB: Find stack memory address where return address of a function is stored?
I'm working on producing a buffer overflow on my Raspberry Pi (ASLR disabled).
I have a program, which has a main function, a vulnerable function and a function which should not be called, the evil ...
2
votes
0 answers
111 views
Buffer overflow execute exploit assembly — placed on the stack
I need getbuf() to call touch2() with the correct parameter through a buffer overflow exploit. I will replace the parameter through exploit code -- placing instructions on the stack that places the ...