A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
34 votes, 3 answers, 8k views
How big is a canary word on Linux, typically?
A canary word is a sequence of bits placed at the boundary between a buffer (such as a stack) and control data in a program, as a way of detecting and reacting to buffer overflows.
How many bits long ...
0 votes, 1 answer, 61 views
Exploiting a buffer overflow in ubuntu terminal [closed]
I'm trying to exploit some buffer overflow through the Linux terminal of a program I've written for self education. I'm inputting a string using scanf("%s") and my goal is to overwrite the return address ...
0 votes, 2 answers, 36 views
Preventing control-flow attacks by storing code in ROM
I was wondering why storing the entire program in ROM doesn't prevent buffer-overflow or return-to-libc attacks?
Is the code still loaded in RAM before executing, which makes it vulnerable to control-flow ...
4 votes, 0 answers, 78 views
Exploitation: EIP refuses to jump to the stack although it's executable
I wrote a program in C that is exploitable to BOF.
TL;DR - My payload (NOP-sled + shellcode + return address) overrides EIP but I can't set EIP to point to the address of my payload, although I ...
1 vote, 2 answers, 125 views
Buffer Overflow: Advice on exploiting
int play() {
int a;
int b;
char buffer[010];
a = 0x41414141;
b = 0x42424242;
if (write(STDOUT_FILENO, "For a moment, nothing happened. Then, after a second or so, nothing ...
0 votes, 0 answers, 47 views
bss variables ordering
I want to control a function pointer in the bss segment, I have a buffer for that purpose but can't get to place it before the function pointer.
#include <stdio.h>
#include <stdlib.h>
#...
3 votes, 3 answers, 163 views
32-bit Linux - Simple stack overflow - EIP never overwritten
I'm trying to understand how a simple stack overflow works (on 32-bit Linux) but I'm facing a strange problem.
I'm using https://www.pwnerrank.com/tasks/stack-based-buffer-overflow-code-execution ...
0 votes, 1 answer, 59 views
How to bypass DEP and ASLR at the same time?
I have read some articles about bypassing DEP and ASLR, but it seems that they bypass ASLR and DEP by using the instructions in the modules not applying ASLR. But how to bypass ASLR and DEP in the ...
0 votes, 1 answer, 45 views
Are buffer overflows applicable only to arrays?
I've tried searching this question, maybe because it is obvious and I've had a look at Wikipedia and OWASP
Do buffer overflows only happen when you overflow the array size or can you buffer overflow ...
2 votes, 0 answers, 70 views
Stack overflow return addr
I'm trying to exploit a standard buffer overflow vulnerability in a program that uses strcpy() to fill a 200 char buffer, without checking boundaries, and compiled with -z execstack and -fno-stack-...
1 vote, 0 answers, 12 views
CPI vs. PointGuard
Has somebody compared CPI and PointGuard, which are two compiler-based tools for dealing with memory corruption?
Code Pointer Integrity (CPI): https://www.usenix.org/system/files/conference/osdi14/...
3 votes, 1 answer, 93 views
Buffer Overflows - Memory Addresses
Alright, I've been looking into buffer overflows lately out of curiosity. What I don't understand is when you develop the exploit with a virtual machine or whatever, you find the memory address to ...
0 votes, 2 answers, 70 views
Shellcode doesn't execute despite correct address on EIP
I need to produce a presentation on buffer overflows for a college class. I managed to create a simple buffer overflow where I inject the address of a specific function on the EIP and the function ...
0 votes, 1 answer, 55 views
ROP - pop eax, ret gadget doesn't work
I am building a ROP chain for a security challenge. I have a problem in my ROP chain. I found some interesting gadgets with ropshell.com, and they seem to work pretty well except one. Indeed I follow ...
0 votes, 0 answers, 106 views
Segmentation fault (exploiting buffer overflow)
I have this program in C:
//stack4.c
#include <stdlib.h>
#include <stdio.h>
int bof()
{
char buffer[8];
FILE *badfile;
badfile=fopen( "badfile", "r" );
fread( buffer, sizeof( char ), ...
1 vote, 0 answers, 67 views
How to detect malformed MP4 files that crash iOS devices
Recently I was made aware of an iOS bug that when a specifically malformed mp4 was played on an iOS device, it would crash. After searching around for the mp4 I found it and am trying to figure out ...
3 votes, 1 answer, 48 views
Why should code memory pages be readable?
I understand that each instruction should be read into CPU for execution, which probably is the reason why code pages should be "r-x".
But my observation is that the behavior of reading code into ...
1 vote, 0 answers, 33 views
SEH overwrite attack details
If there are canaries on stack, why does not the exception handler check the integrity of canaries? Why does it continue executing a manipulated exception handler?
Will corrupting a canary trigger an ...
3 votes, 1 answer, 70 views
Corrupted Address When Performing 64 Bit ROP Chain
I'm trying to learn ROP chaining on a 64 bit Linux machine and I've run into some issues. I'm using the following code for the buffer overflow (taken from this tutorial):
#include <string.h>
#...
0 votes, 1 answer, 89 views
Problem finding a vulnerability in memcpy
I have some trouble finding the buffer overflow vulnerability in this piece of code; it is with memcpy but I am confused by the result it gives:
#include <stdio.h>
#include <string.h>
#...
5 votes, 1 answer, 118 views
How did the “Blaster” worm trigger buffer overflows?
In "The Security Development Lifecycle" book, Michael Howard wrote:
Take as an example the coding bug in Windows RPC/DCOM that the Blaster worm took advantage of (Microsoft 2003). The defective ...
-2 votes, 1 answer, 162 views
How to exploit a website using C++ for backend? [closed]
There are a lot of major sites like Google and eBay that use C++. I know that strncpy, strlen, and sprintf can lead to a buffer overflow and possibly RCE. But how would you take the vulnerability to ...
1 vote, 0 answers, 55 views
C Buffer Overflow [closed]
I am having trouble figuring out the right address to use a buffer overflow script against to gain access to the admin menu. I have found what the address is but when using a perl script with the ...
1 vote, 0 answers, 26 views
Protection against remote system compromise on binary code level
My (certainly incomplete) understanding of a remote system compromise on the binary code level is roughly:
A program vulnerability, such as missing input validation, is exploited to insert external ...
1 vote, 1 answer, 52 views
Can you do an overflow to the heap space from a stack?
I was reading about buffer overflows and I know that I can have a stack overflow and heap overflow. But since the stack and the heap meet at some point, would it be possible to overflow into one from ...
0 votes, 1 answer, 151 views
What's insecure about this code?
I'm trying to learn binary exploitation, and thought of using online samples to train myself. Here's one that I've found, and I can't seem to figure out how to exploit it.
int main(int argc, char** ...
1 vote, 1 answer, 157 views
HTTP header error message looks weird. Is this a buffer overflow attack?
My gerrit error log shows the following shellcode-like characters:
[HTTP-64] WARN org.eclipse.jetty.http.HttpParser : Illegal character
0x5 in state=START for buffer
HeapByteBuffer@af151b6[p=1,l=3,...
1 vote, 1 answer, 93 views
Is it possible to run shell code from programming language A in a script that is programmed in language B? [closed]
I am sorry about the confusing title, but what I'm asking is this: Could you run shell code from C (or any other programming language) in a buffer overflow script that is programmed in Java (or any ...
-1 votes, 2 answers, 66 views
Remote buffer overflow exploiting + writing exploit
My teacher gave me some exercises about B.O. to understand how buffer overflow works, and "how" to write some exploit to prove it!
He gave me some programs in C; I can't solve the last.
For the last, the ...
1 vote, 0 answers, 80 views
Performing denial of service attack using Python [closed]
I am a student so please don't be rude if I miss something; this project is for research purposes only.
I am willing to perform a denial of service attack (on my own servers). I am not willing to do ...
1 vote, 1 answer, 74 views
Why does it not cause a buffer overflow when a large string is validated for length?
I know that many buffer overflow attacks on servers are conducted by sending very large input strings through some HTML form etc. The go-to mitigation technique for this is to validate the length of ...
0 votes, 0 answers, 78 views
Return into libc C doesn't work
I am a newbie in the exploit world. I have been trying to make a return into libc. I am using an old version of Linux because this version doesn't have ASLR, canary, NX bit, etc.
Because I am learning ...
1 vote, 2 answers, 157 views
Buffer overflow - Print “hello world”
I'm wondering what the shellcode would be to simply print "hello world" to the console. When testing for vulnerabilities, I think it would be very useful to have shellcode to test if the exploit works....
1 vote, 2 answers, 74 views
Is shadow-stack used for anti-buffer-overflows only?
I have some questions about the shadow stack concept:
Is the shadow-stack concept used for buffer overflow prevention only?
Is the stack canary adjacent to the shadow stack?
What will happen if return ...
1 vote, 0 answers, 66 views
What does a code pointer look like?
I'm writing a fictional short story in which I would like to be factually accurate. The protagonist is trying to overflow a buffer.
Suppose he is allowed to input a null-terminated string in a ...
2 votes, 1 answer, 61 views
Should I request a CVE for bugs in number-crunching software?
I found several memory bugs in a number-crunching software which I use daily (for fun) using valgrind and address sanitizer. I have contacted the author and he is now working hard to track down and ...
1 vote, 1 answer, 71 views
Interactive shell not opening
I'm performing a buffer overflow attack on a binary and I managed to get proper return address and execute my shell code. It successfully ran the shell code. But I'm not getting a shell.
When I type ...
0 votes, 0 answers, 39 views
Where does the compiler store a copy of the canary value for checking purposes?
I'm reading on canary values. The idea is intuitive, but I'm not sure I understand how the program is able to tell if the canary value has been altered. The canary value is saved on the stack, and the ...
0 votes, 0 answers, 87 views
Buffer overflow return address rewrite problem
I wrote a simple program in C that creates a buffer, then writes the command line parameter into the buffer. The problem is when I try to overwrite the return address the program crashes because the ...
15 votes, 2 answers, 3k views
Viewing the stack
I recently started learning about buffer overflows and how they work. Someone shared a binary to practice on (in a vm, don't worry). I've been feeding strings to the socket that the binary opens, and ...
0 votes, 1 answer, 40 views
Decoding MSSQL Payload
I am trying to reverse engineer this exploit on Exploit-DB
The strings are going to be mostly copy and paste except for the payload on line 194.
Payload:
/* reverse shell on 10.10.10.1:4445 */ ...
1 vote, 1 answer, 75 views
Why is the local variable not overwritten due to buffer overflow?
Here is my C++ program in which a buffer overflow happened; still the local variable is not corrupted:
#include <iostream>
#include <cstring>
using namespace std;
int main() {
// ...
0 votes, 0 answers, 36 views
Why does -fstack-protector optimize if a function does not allocate an array of 8 or more bytes?
According to the gcc instrumentation options doc, the -fstack-protector only protects against "functions that call alloca, and functions with buffers larger than 8 bytes."
How are buffers larger than ...
0 votes, 2 answers, 217 views
Why must a ret2libc attack follow the order "system(), exit(), command"?
In a ret2libc attack, I understand that the return address can be overwritten with the address of the system command, which takes a command string as an argument. In this case, shouldn't the address ...
2 votes, 3 answers, 208 views
If the stack grows downwards, how can a buffer overflow overwrite content above the variable?
I realize how a buffer overflow works but I have a problem understanding the direction in which the overflow is directed. So if the stack grows downwards, that means that the return address is above ...
1 vote, 0 answers, 64 views
Has any exploit leveraged a Video Driver flaw in WebGL?
Microsoft delayed support for WebGL due to the fact that JavaScript could exploit driver weaknesses.
In the years that have passed, in WebGL's adoption, are there any exploits of WebGL that support their ...
17 votes, 5 answers, 3k views
How can buffer overflows be harmful in Android?
How can buffer overflows be potentially dangerous in Android?
Specifically, if each app has its own user id and it being run in Dalvik VM copy that has the same id. I thought that even if the ...
1 vote, 1 answer, 64 views
Discover framebuffer address on unknown architecture?
Recently I got unsigned code running through an exploit on a device. Now I would like to discover the framebuffer address so I could write to the screen and output data.
The only way I can imagine ...
1 vote, 0 answers, 31 views
Mobile processors with hardware support for efficient bounds checking
Are there any mobile or embedded processors that provide hardware support for efficient bounds checking?
Intel's newest x86 processors provide MPX, which enables compilers to add automatic bounds ...
0 votes, 0 answers, 91 views
Is it possible to bypass stack protector (SSP)?
Is it possible to exploit a simple stack buffer overflow vulnerability with stack smashing protector enabled? For example, this line of code is vulnerable to a stack buffer overflow, is it ...