A buffer overflow usually occurs when data is copied into a buffer without first checking that the buffer has enough space, so the excess bytes overwrite whatever sits in the adjacent memory (neighbouring variables, heap metadata or a saved return address).
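As an added illustration of that description (this is not code from the tag wiki or from any question listed below), the C program here puts an 8-byte name field directly in front of a privilege flag and copies a constructed 9-byte input into it two ways: the unchecked copy the description warns about, and a bounded copy that refuses input that does not fit. The struct, its field names and the input string are assumptions made for the example. The unchecked copy is written through a byte pointer to the whole object rather than as a literal strcpy() into the array, because writing past an array is undefined behaviour and a compiler is free to reorder or elide stack locals; inside one struct the layout is fixed, so the clobbered flag is guaranteed rather than luck.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record: an 8-byte name sits directly before a privilege
 * flag, so any byte copied past name[] lands in is_admin. */
struct record {
    char name[8];
    int  is_admin;
};

/* Vulnerable pattern: copy strlen(src)+1 bytes without checking that
 * they fit in name[]. Writing through a byte pointer to the whole
 * struct has the same effect as strcpy(r->name, src) while keeping
 * the example inside the object. Returns is_admin after the copy. */
int unchecked_copy(struct record *r, const char *src)
{
    size_t n = strlen(src) + 1;             /* bytes strcpy would write */
    r->is_admin = 0;
    if (n > sizeof *r)
        n = sizeof *r;                      /* demo limit only, not a real check */
    memcpy((unsigned char *)r, src, n);
    return r->is_admin;
}

/* Hardened pattern: reject input that does not fit together with its
 * terminator, and never touch anything outside name[].
 * Returns 0 on success, -1 if src is too long. */
int bounded_copy(struct record *r, const char *src)
{
    size_t n = strlen(src);
    r->is_admin = 0;
    if (n >= sizeof r->name)
        return -1;
    memcpy(r->name, src, n + 1);
    return 0;
}

/* Helpers that run each copy on a fresh record and report the outcome. */
int flag_after_unchecked(const char *src)
{
    struct record r;
    return unchecked_copy(&r, src);
}

int bounded_status(const char *src)
{
    struct record r;
    return bounded_copy(&r, src);
}

int flag_after_bounded(const char *src)
{
    struct record r;
    bounded_copy(&r, src);
    return r.is_admin;
}

int main(void)
{
    /* Constructed input: eight bytes fill name[], the ninth lands in is_admin. */
    const char *attack = "AAAAAAAA\x01";
    printf("unchecked copy: is_admin = %d\n", flag_after_unchecked(attack));
    printf("bounded copy:   status = %d, is_admin = %d\n",
           bounded_status(attack), flag_after_bounded(attack));
    return 0;
}
```

The unchecked copy turns the flag non-zero with nothing but a slightly too long name; the bounded copy reports the oversize input and leaves the flag at zero. Note that the check is `n >= sizeof r->name`, not `>`: the terminator needs its own byte, and off-by-one errors at exactly this boundary are a classic source of single-byte overflows.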
0 votes, 1 answer, 13 views
return to libc attack using a function pointer
How should I format my input for the return to libc attack in the following code:
void example_function(int x, const char *name)
{
void (*foo)(int, const char *) = http_serve_none;
char buf[...
-1 votes, 2 answers, 60 views
Address-of operator for buffer in C
I am reading the book "Hacking: Art of Exploitation", and I am struggling to understand the following code:
int main(int argc, char *argv[]) {
int value = 5;
char buffer_one[8],...
0 votes, 0 answers, 33 views
Why am I getting the message “Single-stepping until exit from function shellcode which has no line number information” in GDB?
I tried to use a buffer overflow to rewrite my function's return address, and it worked. But when I try to step through the function (stored in the char array), I get the message:
"Single stepping until ...
1 vote, 1 answer, 76 views
Undefined Behavior quirk: reading outside a buffer causes a loop to never terminate?
I wrote a very trivial program to try to examine the undefined behavior attached to buffer overflows. Specifically, regarding what happens when you perform a read on data outside the allocated space.
...
-1 votes, 2 answers, 84 views
Why does intentional buffer overflow not overwrite variable?
This may be a stupid question since I'm pretty sure this is impossible, but if it is please feel free to tell me what I'm doing wrong.
So I've been experimenting with buffer overflows and generally ...
1 vote, 2 answers, 48 views
How to send arbitrary bytes to STDIN of a program in gdb?
I am developing buffer overflow exercises for students. In this context you often have to provide arbitrary bytes as input for programs (return addresses).
Assume this example:
#include <stdio.h>...
42 votes, 6 answers, 43k views
How to turn off gcc compiler optimization to enable buffer overflow
I'm working on a homework problem that requires disabling compiler optimization protection for it to work. I'm using gcc 4.4.1 on Ubuntu Linux, but can't figure out which flags are the right ones. ...
0 votes, 1 answer, 37 views
Vertex buffer is not updated well
Hi guys, I have a cube drawn using OpenGL ES.
Every time I call the redraw function I update the coordinates_buffer using this code:
floatBuffer.position(0);
floatBuffer.put(coordinates);
floatBuffer....
-3 votes, 3 answers, 148 views
C: IF statement not firing when expected
I have the following function. The executable runs fine. At the prompt, after the program is run, I enter \x0037337331, the value of B is set as B: 0x31333337
Any advice on how I'd trigger to open ...
1 vote, 1 answer, 108 views
Buffer overflow needs 16 bytes on x86 but 29 bytes on x64
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
char buff[15];
int auth = 0;
printf("\nEnter password: ");
gets(buff);
if (strcmp(buff, "password") != ...
0 votes, 1 answer, 58 views
buffer overflow during memory reallocation
I was making a C program to convert a 12-hour clock into a 24-hour clock, with the input format being HH:MM:SSAM or HH:MM:SSPM and the 24-hour output being HH:MM:SS
#include <stdio.h>
#include <...
2 votes, 1 answer, 340 views
Stack-based buffer overflow - challenge in C using scanf with limited input
As part of a security CS course, my class has been given the task of exploiting a vulnerability to beat a password check using a stack/buffer overflow. The code with the vulnerability is as follows:
#...
0 votes, 0 answers, 51 views
Why reverse_tcp Shellcode doesn't work?
I am using this shellcode:
\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\xc0\xa8\x0f\x81\x66\x68\x05\x39\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\...
-1 votes, 1 answer, 35 views
C Simple Buffer Overflow Shellcode location
I'm trying to understand the basic principles of buffer overflows.
During countless hours of reading, one of the things I noted was:
Most of the time the exploit string structure looks like:
[NOPS-...
1 vote, 0 answers, 64 views
What's the point of Position-independent executables (PIE) when we have execstack?
I'm reading Hacking: The art of exploitation, which is apparently full of outdated information (doesn't take into account canaries, non executable stack, ASLR). I am trying to understand whether (and ...
0 votes, 1 answer, 101 views
C Simple Buffer Overflow
I'm trying to learn how buffer overflows work and how this can be used.
I'm solving a simple challenge (backdoorlabs echo challenge) by trying to exploit a supplied binary file.
(see: http://hack....
7 votes, 6 answers, 28k views
How to determine the size of an allocated C buffer?
I have a buffer and want to do a test to see if the buffer has sufficient capacity, i.e. find the number of elements I can add to the buffer.
char *buffer = (char *)malloc(sizeof(char) * 10);
Doing a
...
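Added example for the question above (not code from the question or its answers): there is no portable way to recover the usable size of a malloc'd block from the pointer alone, so the only reliable check is to carry the capacity with the buffer. The `sbuf` type and its functions below are constructed for this illustration; they keep length and capacity beside the pointer, answer the "how much room is left" question directly, and grow the block with realloc instead of writing past it. The demo starts from the asker's 10-byte allocation and appends 23 constructed bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growable buffer. A bare char* from malloc() carries no
 * size, so the usable capacity is stored next to the pointer. */
typedef struct {
    char  *data;
    size_t len;   /* bytes in use, excluding the terminator */
    size_t cap;   /* bytes allocated, including the terminator's slot */
} sbuf;

int sbuf_init(sbuf *b, size_t cap)
{
    if (cap == 0)
        cap = 1;
    b->data = malloc(cap);
    if (!b->data)
        return -1;
    b->data[0] = '\0';
    b->len = 0;
    b->cap = cap;
    return 0;
}

/* How many bytes can still be appended without reallocating. */
size_t sbuf_room(const sbuf *b)
{
    return b->cap - b->len - 1;
}

/* Append n bytes, growing the block first if they do not fit.
 * Returns 0 on success, -1 on allocation failure or size wrap-around. */
int sbuf_append(sbuf *b, const char *src, size_t n)
{
    if (n > sbuf_room(b)) {
        if (n > SIZE_MAX - b->len - 1)
            return -1;                       /* len + n + 1 would wrap */
        size_t need = b->len + n + 1;
        size_t newcap = b->cap;
        while (newcap < need)
            newcap = newcap > SIZE_MAX / 2 ? need : newcap * 2;
        char *p = realloc(b->data, newcap);
        if (!p)
            return -1;                       /* old block is still valid */
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

void sbuf_free(sbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Worked run on constructed input: the asker's 10-byte buffer receives
 * 23 bytes in three pieces. Fills in the final length and capacity. */
static int run_demo(size_t *len, size_t *cap)
{
    const char *parts[] = { "hello, ", "buffer ", "overflow!" };
    sbuf b;
    if (sbuf_init(&b, 10) != 0)
        return -1;
    for (size_t i = 0; i < 3; i++) {
        if (sbuf_append(&b, parts[i], strlen(parts[i])) != 0) {
            sbuf_free(&b);
            return -1;
        }
    }
    *len = b.len;
    *cap = b.cap;
    sbuf_free(&b);
    return 0;
}

size_t demo_initial_room(void)
{
    sbuf b;
    if (sbuf_init(&b, 10) != 0)
        return 0;
    size_t room = sbuf_room(&b);
    sbuf_free(&b);
    return room;
}

long demo_final_len(void)
{
    size_t len, cap;
    return run_demo(&len, &cap) == 0 ? (long)len : -1;
}

long demo_final_cap(void)
{
    size_t len, cap;
    return run_demo(&len, &cap) == 0 ? (long)cap : -1;
}

int main(void)
{
    printf("room in a fresh 10-byte buffer: %zu\n", demo_initial_room());
    printf("after 23 bytes: len=%ld cap=%ld\n", demo_final_len(), demo_final_cap());
    return 0;
}
```

Two details matter for security here: the realloc result goes into a temporary so the old block is not leaked or double-freed when allocation fails, and the size arithmetic is checked against SIZE_MAX before it is done, because a wrapped `len + n + 1` would allocate a tiny block and turn the next memcpy into a heap overflow.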
0 votes, 0 answers, 88 views
segmentation fault on buffer overflow
I tried to learn how buffer overflows work and I am doing some exercises from exploit-exercises.com. I tried to solve the Protostar Stack 5 problem. The code is written in C; here is the code (https://exploit-...
0 votes, 1 answer, 161 views
Constructing a tainted string for arc injection
I'm new to security and currently referring to Robert Seacord's Secure Coding in C and C++. In chapter 2 of the same, the author talks about arc injection, wherein he passes the flow of control in the ...
0 votes, 2 answers, 96 views
Does gets() ignore '\0'?
I am learning about buffer overrun with this source code:
#include <stdio.h>
int main()
{
char buf[16];
gets(buf);
printf("buf @ %8p\n", (void*)&buf);
return 0;
}
I try to ...
0 votes, 2 answers, 36 views
How to check if user input fits in variable?
I'm trying to write a simple program to calculate a function with Fortran95/03 which needs as input a number(x) and gets as output a number(y).
The user input is a real :: input and the read call ...
0 votes, 0 answers, 13 views
Gulp: Minification and Uglification Performance Issues
I am currently trying to minify and uglify the code for production and also trying to use sourcemaps to make debugging easier.
I am wondering about systems which are running on older ...
1 vote, 2 answers, 68 views
Program crashes when malloc is executed
My code keeps crashing when I execute *arr = malloc(i * sizeof(struct cluster_t*));. Cluster is a structure.
I am not sure what the problem is. The second input is an array of structures (clusters). It ...
1 vote, 3 answers, 54 views
Buffer overflow or something else
I am creating a program, about seat reservations. I was asked to use unsigned short and unsigned int for some of the variables, so that is why they are set like that.
I have a program that works ok. ...
0 votes, 1 answer, 37 views
Behavior of char pointer [duplicate]
I am really confused about the following:
char *list = malloc(sizeof(char));
list[0] = 'a';
list[1] = 'b';
printf("%s\n", list);
My expectation was some kind of undefined behavior, because list has ...
1 vote, 0 answers, 46 views
Debugging vulnerable binary using GDB
I'm trying to exploit this vulnerable code from Phrack Magazine. This is the code of the vulnerable binary:
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]){
...
0 votes, 2 answers, 57 views
Consolidating large Excel files, can't get around buffer overflow
I am trying to consolidate multiple large Excel files into one single file using the following code
Sub Macro1()
Application.DisplayAlerts = False
Dim Country As String
Dim i As Integer
Dim ...
2 votes, 1 answer, 89 views
Why can code in the stack or heap segment be executed?
In the security field, there are heap exploitation and stack smashing attacks.
But I found that in the /proc/*/maps file, the heap and stack segments
only have rw-p permission.
There is no execution ...
0 votes, 0 answers, 60 views
Buffer overflow using environment variable (Linux/GDB)
My oh my, I spent almost two days finding a solution for the following ->
A binary is run with setuid privileges and the trick is to get a shell using shellcode placed in an environment variable.
I ...
1 vote, 2 answers, 4k views
Set RTSP/UDP buffer size in FFmpeg/LibAV
Note: I'm aware ffmpeg and libav are different libraries. This is a problem common to both.
Disclaimer: Duplicate of SO question marked as answered but actually didn't give a proper solution.
...
5 votes, 1 answer, 1k views
Android MediaRecorder Sampling Rate and Noise
I have an issue using Android's MediaRecorder to record sound from microphone to .m4a files (AAC-LC, MPEG-4 container). Starting from API level 18, the default sampling rate drops from 44.1 or 48 kHz ...
0 votes, 0 answers, 41 views
Function Call Segmentation Fault
I'm trying to reproduce a buffer overflow attack here and I'm stuck with the implementation of the shell code as I get a segmentation fault when I assemble and execute it.
Seeing what GDB says, it ...
-2 votes, 5 answers, 65 views
How could the following code be adjusted to prevent a buffer overflow? [closed]
void updateConfigParams( void ) {
char buffer [512];
int c;
int i = 0;
while (( c = readFromWireless ()) != NULL)
{
buffer [ i ] = c;
i += 1;
}
writeConfigParams ( buffer );
}
I'm only ...
0 votes, 2 answers, 68 views
What explains this behavior of C compiler w.r.t string initialization?
The following code doesn't generate a null terminator
/* Case 1 */
#include <stdio.h>
void main () {
char wbuf[16] = "0123456789abcdef";
printf("%s\n", wbuf);
}
See the relevant parts ...
0 votes, 0 answers, 13 views
How to turn a Function@@GLIBC address into an absolute address
I'm solving a buffer-overflow problem for practice. The problem provides an executable file and a libc file, and there is no ASLR or canary, but there is DEP protection in the executable file.
At first I thought it'...
1 vote, 1 answer, 24 views
Why is initializing C union using “designated initializer” giving random values?
I had a "bug" which I spent quite a while chasing:
typedef union {
struct {
uint8_t mode: 1;
uint8_t texture: 4;
uint8_t blend_mode: 2;
};
uint8_t key;
} ...
0 votes, 0 answers, 8 views
Buffer overflow using the program name
I wrote this program:
global main
section .text
main:
pop rax
pop rdx
pop rdx
mov rdx, [rdx]
mov rdx, [rdx]
call rdx
ret
And I tried a buffer overflow with the program name.
...
5 votes, 3 answers, 4k views
Is there any way to bypass SSP (Stack Smashing Protection)/Propolice?
After some research I haven't found any paper describing a method to do this (not even an unreliable one). It seems that SSP (Stack Smashing Protection)/Propolice
-1 votes, 1 answer, 38 views
Buffer overflows: writing 7 in hexadecimal without 'null terminator' (0x00)
I'm trying to exploit a buffer overflow vulnerability to overwrite the return address of the stack.
However, the code I'm trying to 'hack' makes use of a canary system. It initializes an integer always to ...
1 vote, 0 answers, 38 views
Bypass StackGuard protection in order to have buffer overflow without altering the canaries and get root access
Hello everyone, I am a new cyber security student and I'm trying to solve an exploit problem. So, we have the following C program, which is compiled with StackGuard, and we have to gain root access....
0 votes, 0 answers, 19 views
SEH overwrite attack details
If there are canaries on stack, why does not the exception handler check the integrity of canaries? Why does it continue executing the manipulated exception handler?
Will corrupting a canary trigger ...
1 vote, 1 answer, 30 views
Hexadecimal Memory Address to Assembly
I am following a buffer overflow tutorial. I have set up my NOP block, I also set up my shell code, now I need to append the return address to the end of my string. I know my return address is :
...
0 votes, 1 answer, 23 views
$esp register not found
I am learning debugging with gdb and registers, but I am stuck in one point. As an instruction, I should print
print $esp
result: $1 = -9008
but I was expecting such result:
$2 = (void *) ...
-3 votes, 1 answer, 73 views
Buffer overflow won't work, I get a seg fault
I am trying to get a buffer overflow to work. I have the following simple vulnerable program:
#include <string.h>
int main(int argc, char** argv) {
char buffer[80];
strcpy(buffer,argv[1]);
return 1;
}
With the ...
0 votes, 1 answer, 18 views
Return Oriented Programming Stripped Binaries
Good morning,
I have a stripped binary, and I have to bypass ASLR and NX. I have been fighting for three days to find a solution but I cannot find one. I cannot find the libraries linked to the binary as ...
0 votes, 1 answer, 64 views
how to write a buffer overflow?
I've been doing buffer overflow tests; mostly I read from Aleph One's Smashing The Stack For Fun And Profit.
#include<string.h>
#include<stdio.h>
char shellcode[]="\x31\xc0\xb0\x46\x31\...
1 vote, 1 answer, 110 views
How could a buffer overflow attack on the updateConfigParams() function be exploited to disable the program?
Considering the following function
void updateConfigParams( void ) {
char buffer [512];
int c;
int i = 0;
while (( c = readFromWireless ()) != NULL)
{
buffer [ i ] = c;
i +=...
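Added example serving both updateConfigParams() questions on this page (the one asking how to prevent the overflow and the one asking how it could be used to disable the program); it is not code from either question. readFromWireless(), the message bytes and the helper functions are constructed stand-ins: the stand-in returns the next byte of an in-memory message and 0 when it is exhausted, which is what the original's comparison against NULL amounts to for a value read into an int. The original loop is reproduced as a counter so the example measures the overrun instead of corrupting its own stack; the bounded version keeps at most 511 bytes, always terminates the buffer (the original never did) and drains the rest of the message so it is not read later as a fresh one.

```c
#include <stddef.h>
#include <string.h>

#define CONFIG_BUF_SIZE 512

/* Constructed stand-in for readFromWireless(): feeds one byte at a time
 * from an in-memory message and returns 0 at the end. */
static const unsigned char *msg_pos;
static const unsigned char *msg_end;

static void wireless_load(const unsigned char *msg, size_t len)
{
    msg_pos = msg;
    msg_end = msg + len;
}

static int readFromWireless(void)
{
    return msg_pos < msg_end ? *msg_pos++ : 0;
}

/* The original loop, reduced to counting. It mirrors
 *     while ((c = readFromWireless()) != NULL) buffer[i++] = c;
 * and returns how many bytes would have been written past buffer[512].
 * A message longer than 512 bytes overwrites whatever follows the buffer
 * on the stack (saved registers, the return address), which is enough to
 * crash the process even when the attacker controls nothing else. */
size_t unchecked_overrun(void)
{
    size_t i = 0;
    int c;
    while ((c = readFromWireless()) != 0)
        i++;
    return i > CONFIG_BUF_SIZE ? i - CONFIG_BUF_SIZE : 0;
}

/* Fixed version: stop storing at size-1, always terminate, and drain
 * the rest of the message so it is not mistaken for the next one.
 * Returns the number of bytes kept, or -1 if the message was truncated. */
int bounded_read_config(char *buffer, size_t size)
{
    size_t i = 0;
    int c;
    int truncated = 0;
    while ((c = readFromWireless()) != 0) {
        if (i + 1 < size)
            buffer[i++] = (char)c;
        else
            truncated = 1;
    }
    buffer[i] = '\0';          /* the original never terminated buffer */
    return truncated ? -1 : (int)i;
}

/* Helpers over a constructed message of len 'A' bytes (len <= 4096). */
static unsigned char scratch[4096];

static void load_as(size_t len)
{
    if (len > sizeof scratch)
        len = sizeof scratch;
    memset(scratch, 'A', len);
    wireless_load(scratch, len);
}

size_t overrun_for(size_t len)
{
    load_as(len);
    return unchecked_overrun();
}

int bounded_result_for(size_t len)
{
    char buffer[CONFIG_BUF_SIZE];
    load_as(len);
    return bounded_read_config(buffer, sizeof buffer);
}

size_t bounded_strlen_for(size_t len)
{
    char buffer[CONFIG_BUF_SIZE];
    load_as(len);
    bounded_read_config(buffer, sizeof buffer);
    return strlen(buffer);
}
```

A 600-byte message leaves the unchecked loop 88 bytes past the end of buffer; the bounded reader keeps 511 bytes, terminates them and reports the truncation so the caller can reject the configuration rather than silently apply a clipped one. Whether the caller should drop a truncated message or accept the prefix is a policy decision; reporting it is what keeps the decision explicit.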
0 votes, 0 answers, 40 views
Buffer overflow using “JMP ESP” instruction
I am trying to write C code to find the "JMP ESP" instructions in modules loaded with the executable in order to carry out a remote buffer overflow attack. Below is the code:
#include <...
0 votes, 2 answers, 53 views
C Mysterious Overflow
Why does this code output -32768 and not 32768? Looks like an overflow but I cannot figure out where.
#include <stdio.h>
#include <stdlib.h>
int main()
{
char *buffer = (char*)malloc(...
0 votes, 1 answer, 37 views
Overflow saved RIP register value with short address
I'm trying to do buffer overflow where I need to rewrite the saved RIP register value with an address.
The address is short (8 bytes), for example, 0x0000000012345678. The RIP register is 16 bytes, ...