Questions tagged [buffer-overflow]
A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
514 questions
0 votes | 1 answer | 43 views
MsfVenom generated shellcode fails when using it in buffer overflow
I use msfvenom-generated shellcode in a buffer overflow.
Here's the command that I used to create shellcode for Linux x64:
msfvenom -p linux/x64/exec -f py -o shellcode.py -b '\x00' CMD=whoami
and here's ...
4 votes | 0 answers | 113 views
How much do ARM-like link registers make return-oriented programming harder?
ROP usually uses a buffer overflow to overwrite the x86 return address. However, ARM stores that in a register. What is the effect of this on return-oriented programming attacks on non-x86 ...
0 votes | 0 answers | 78 views
May read() syscall not set first bytes of a buffer?
I'm working on some pwn.college binary exploitation challenges.
ASLR is disabled, the stack is executable and there is no canary.
I'm not understanding one thing.
I have my shellcode which opens the flag ...
9 votes | 2 answers | 3k views
Can buffer overflow attacks become impossible?
I admit that I don't fully understand how buffer overflow attacks work, but as far as I understand, the attacker sends an input that is longer than the section of memory that is supposed to temporarily ...
2 votes | 0 answers | 211 views
How to do a buffer overflow attack for a simple C program?
Consider the following simple C program that asks the user to input their user name and password in order to get access to some website. (The correct username is supposed to be "admin" ...
24 votes | 5 answers | 6k views
Given extensive protections in modern operating systems that make buffer overflow exploits unfeasible, should I even bother studying these?
I’ve been diving into the world of buffer overflow vulnerabilities and their exploitation, which has been both challenging and fascinating. However, I’ve recently hit a mental roadblock and would love ...
-1 votes | 1 answer | 224 views
Receive buffer overflow on WiFi/Ethernet card
Is it possible that if an attacker sends an abnormally large packet to a WiFi / Ethernet card of a computer, it will write past the buffer of the onboard memory and into other areas? Like maybe the ...
0 votes | 2 answers | 522 views
How should an unprotected environment be set up on modern Linux to test an old buffer overflow example?
Reading a technical paper on the issue I wanted to test it on my computer.
The idea is to provoke privilege escalation (change on the whoami output from peter to root) through a buffer overflow.
The ...
0 votes | 0 answers | 205 views
bin/sh in return-to-libc attacks
Return-to-libc is an attack where the attacker, in most cases, returns to the system function, which it uses to execute shell commands. However, I am confused about two things:
The command that the ...
1 vote | 1 answer | 204 views
Segmentation fault without rip even getting overwritten Buffer Overflow
I was trying to overflow the return pointer of a simple program. I have ASLR disabled and I compiled like this: gcc returnexp.c -o returnexp -fno-stack-protector.
(I would disable noexecstack later on ...
1 vote | 0 answers | 115 views
Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?
Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget?
My understanding of JOP:
In jump-...
2 votes | 0 answers | 159 views
When gets reads a string, it does not read \x00, which is the NULL character. So how to separate two different addresses to complete ROP?
First I used ROPgadget to find two assembly instructions:
xor rax; ret and pop rcx; ret,
They are at 0x401270 and 0x40133b.
Then I tried to put them at the top of the stack, but because the gets ...
1 vote | 2 answers | 466 views
Problem overriding the return address when performing a buffer overflow, what am I missing?
Playing around with probably the most basic buffer overflow attack there is on my raspberry pi, looks like this
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
...
1 vote | 0 answers | 61 views
Can't print hexadecimal formatted address in buffer overflow
I'm trying to overwrite the return address caused by a buffer overflow. I've already calculated the distance between the buffer and the return address. The address that I want to jump to is ...
0 votes | 1 answer | 1k views
Simple Buffer Overflow (Function Call) Problem
I'm trying to develop a simple buffer overflow CTF challenge inspired by the "Csaw 2016 Quals Warmup" challenge, here. I've managed to replicate the source code:
#include <stdio.h>
#...
0 votes | 0 answers | 225 views
push /bin/sh to get a shell
I usually use a different method to push /bin/sh in rdi to get a shell, but I wanted to try this one:
Put in case that I can control the RIP and there are no limitations or filters. So I can execute ...
0 votes | 1 answer | 349 views
How to return to main after performing stack buffer overflow
#include <stdio.h>
#include <stdlib.h>
void reading();
void reading_hexa(char*);
void secret();
int main()
{
reading();
printf("Input done\n");
exit(0);
}
void ...
1 vote | 0 answers | 205 views
How to properly pack address into bytes to overwrite EIP register
I'm learning how to exploit a tiny web server based on a well written post here: https://blog.coffinsec.com/2017/11/10/tiny-web-server-buffer-overflow-discovery-and-poc.html
I am very close to ...
1 vote | 0 answers | 573 views
Buffer Overflow Attack when size of Buffer is small on 64bit CPU architecture
I was trying to solve the Buffer Overflow SetUID lab but got stuck in Task 6: L4, to perform the attack when the Buffer Size is small (10).
I understood that since len(shellcode) would be larger the ...
0 votes | 2 answers | 873 views
Unable to execute shellcode on x86_64 architecture
I currently got interested in binary exploitation (even though I do not know if it is still useful today).
I started studying shellcode and buffer overflow (stack-buffer overflow, specifically). I know ...
0 votes | 1 answer | 437 views
Buffer Overflow not working. Don't know why?
Here's the output:
pwndbg> p give_shell
$5 = {void ()} 0x8049217 <give_shell>
So if I write this payload python2 -c "print 'A'*104 + '\x1B\x92\x04\x08' + '\x17\x92\x04\x08'" > ...
1 vote | 1 answer | 173 views
Buffer overflow chars get replaced on stack [closed]
So I try to understand stack-based buffer overflow but now I am stuck. This is the vulnerable function (32 bit ELF).
int test(char* input)
{
char buf[100];
printf("Buffer is at %p\n",...
0 votes | 0 answers | 819 views
Program segfaults when run with GDB
this is my first time posting a question here, so forgive me if I don't give enough details. I will provide any extra details that are requested.
Basically, I'm practicing a buffer overflow, and I'm ...
1 vote | 1 answer | 543 views
Buffer overflow stops executing shellcode in the middle of it
I am trying to execute a simple shellcode by using a buffer overflow. The shell code starts executing but stops in the middle (even though it is fully copied to memory).
This is the vulnerable C code:...
1 vote | 0 answers | 101 views
Is there any combination of memory mitigations COOP doesn't bypass?
I recently saw a paper where COOP exploit dev was used to bypass DEP+ASLR+CET+CFG+SEHOP. JIT attack surfaces like v8 seem to have even less hardening. Is there a form of exploitable memory corruption ...
0 votes | 1 answer | 524 views
64-bit ROP-based Buffer Overflow Attack
I am facing a CTF challenge in which I have to conduct an attack using a ROP chain on this program below:
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <sys/...
1 vote | 1 answer | 573 views
Is obtaining a shell from this buffer overflow possible?
I'm learning about buffer overflows and that there are various different types of them, including ones you can do when you can't directly hijack the return address.
In these cases, you can hijack a ...
1 vote | 0 answers | 314 views
Buffer overflow on a program that only accepts arguments as input
I've got a pretty tricky flag that I have been beating my head against for a while now and would love an explanation for how something like this would be possible. I have a program that when run, ...
1 vote | 2 answers | 1k views
Finding offset using Buffer overflow pattern generator
I am trying to find the offset for a buffer overflow attack for a simple C program using a Buffer overflow pattern generator
#include <stdio.h>
#include <string.h>
int main (int argc, ...
0 votes | 0 answers | 226 views
Buffer Overflow with ROP Chain Output Problem
I have the following problem: I have this C program and I have done buffer overflow using ROP gadgets. I have a problem with the output.
I want to stop the printf() call in the vuln function to get ...
0 votes | 1 answer | 2k views
Why do I get a broken pipe when using pwntool with this C code
I am learning about Buffer Overflows (BOF) and came up with this piece of C code:
#include <stdio.h>
#include <stdlib.h>
void win()
{
system("/bin/bash");
}
int main()
{...
20 votes | 6 answers | 11k views
Do high level languages allow for buffer / heap overflow?
I'm learning about basic x86 overflows in C but normally I code with Python. Is there any way that programs written in higher level languages can suffer from buffer/heap overflow?
4 votes | 1 answer | 1k views
Why does my RIP value change after overwriting via an overflow?
I've been working on a buffer overflow on a 64 bit Linux machine for the past few days. The code I'm attacking takes in a file. This original homework ran on a 32-bit system, so a lot is differing. I ...
-2 votes | 1 answer | 750 views
What is the relationship between fuzzing and buffer overflow? Does fuzzing lead to buffer overflow? [duplicate]
What is the relationship between fuzzing and buffer overflow, and does fuzzing lead to buffer overflow? Is buffer overflow a subset of fuzzing?
2 votes | 1 answer | 306 views
Avoid stack addresses containing zeros
I'm learning some hacking with Erickson's "The Art of Exploitation". To try out the exploits myself, I'm using C on a virtual machine with 32-bit Debian on my Windows laptop (in VirtualBox).
...
2 votes | 2 answers | 256 views
Buffer overflow not working from different environment
I wrote my first buffer overflow exploit and it worked well with
./vulnerable $(cat payload)
but when I tried to launch it from a Python shell it didn't work
import os
os.system("./vulnerable $(...
0 votes | 1 answer | 964 views
Why can't I perform a buffer overflow directly from bash?
Maybe it is a silly question but I can't understand exactly why this type of buffer overflow does not work...
Let me explain with an example.
Suppose we have a program written in C.
This program has 2 ...
0 votes | 0 answers | 373 views
64 Bit ELF Buffer Overflow Not working possibly due to if statement
I wrote the following:
#include <stdio.h>
int win(){
printf("Won!\n");
return 0;
}
int vulnerable(){
char buffer[20];
memset(buffer, 0, 10);
printf("Input: &...
0 votes | 0 answers | 130 views
Addresses of two consecutive buffers
I have two buffers declared one after the other, like this:
char A[256];
char B[32];
At first, I thought I could write whatever I wanted in B with a buffer overflow from A. However, some tests ...
0 votes | 0 answers | 719 views
Jumping to a function inside the code with buffer overflow
My goal is to jump to a local function without calling it. Here is my code
#include <stdio.h>
void bufferoverflow()
{
printf("bufferoverlow!\n");
}
void doSomething()
{
int ...
0 votes | 2 answers | 950 views
What is the maximum payload injection size
I have been conducting some minor research into the various forms of exploitation, such as buffer overflows and similar.
Most tutorials seem to focus on executing shellcode, that is code which ...
1 vote | 1 answer | 249 views
Buffer overflow confusion, how do pre-return address payloads work despite stack clearance
I am trying to get deeper into buffer overflow and lower-level stuff in general and am confused regarding one particular topic. I have seen examples of buffer overflows in which the shellcode is ...
1 vote | 0 answers | 1k views
How to find addresses and view stack in buffer overflow?
I am learning buffer overflow and I'm stuck. For the basic examples with very few variables we could spam the stack and kinda overwrite the return address etc.
I am having difficulties examining the ...
0 votes | 1 answer | 3k views
Instead of JMP ESP can we use its opcodes?
In a buffer overflow exploit, when we use a JMP ESP instruction to jump to the ESP, instead of using the address of the JMP ESP, can't we use the opcodes of it? I generated the opcodes of the JMP ESP ...
2 votes | 2 answers | 2k views
ROP executes system("/bin/sh") but does not attach to it
Here is the code:
import struct
buf = ""
buf += "A" * 552
buf += struct.pack('<Q', 0x401493) # pop rdi; ret
buf += struct.pack('<Q', 0x7ffff7f79152) # /bin/sh
buf += ...
0 votes | 1 answer | 561 views
Buffer overread
I am trying to understand buffer overread in my course in school. This code is an example from one of the lectures where buffer overread can be a problem. However, I do not understand how buffer ...
0 votes | 2 answers | 360 views
Stack Smashing Short Problem
I want to exploit this code vulnerability and get it to launch me into a shell with privilege access. I'm guessing I need to "push" bob from its current address to address 0x41414142 using ...
0 votes | 1 answer | 460 views
Exploiting a Stack Buffer Overflow vulnerability to get privilege access to system
I am trying to complete a buffer overflow challenge. The code I am trying to exploit is below. I can only use the command line in a Linux environment.
I understand that writing more than 100 ...
0 votes | 1 answer | 828 views
Segfault after reaching system
I'm doing a pretty bog-standard return-to-libc attack and I'm in a bit of a pickle.
I first got the entire attack working with my local version of libc, then I used the version of libc provided by the ...
1 vote | 1 answer | 283 views
How to fine tune timing for CVE-2021-3156 (sudo privilege escalation)?
I am trying to execute the sudo buffer overflow (CVE-2021-3156) on one of my systems, but haven't got it working yet. The system is definitely vulnerable (taking into account sudo version and sudoedit ...