Questions tagged [buffer-overflow]
A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
513 questions
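The tag description above is the only explanation the page itself gives, so here is an added worked example in C (not code from the page or from any of the questions below): a struct pins down what the "adjacent memory" is, an unchecked copy overruns the buffer into the field that follows it, and a length-checked copy refuses the same input. The struct, its field names and the record bytes are all constructed for the demonstration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the page. A struct fixes the memory layout so the
 * "adjacent memory" is a known field rather than whatever the compiler
 * happens to place next to a local array. */
#define NAME_LEN 8

struct login_state {
    char     name[NAME_LEN];   /* the buffer */
    uint32_t authenticated;    /* adjacent memory: directly after name[] */
};

/* Vulnerable: copies len bytes into name[] trusting the caller's len.
 * The copy is written out byte by byte through a pointer to the whole
 * struct (name is the first member, so &s->name[0] == (void *)s); that
 * keeps the demo well-defined C and out of _FORTIFY_SOURCE's reach, but
 * the writes are exactly what strcpy()/memcpy() on name[] would do. */
static void set_name_unchecked(struct login_state *s,
                               const uint8_t *data, size_t len)
{
    unsigned char *dst = (unsigned char *)s;
    for (size_t i = 0; i < len; i++)
        dst[i] = data[i];          /* i >= NAME_LEN: past the buffer */
}

/* Hardened: rejects anything that does not fit together with its NUL. */
static int set_name_checked(struct login_state *s,
                            const uint8_t *data, size_t len)
{
    if (len >= NAME_LEN)
        return -1;
    memcpy(s->name, data, len);
    s->name[len] = '\0';
    return 0;
}

/* Feeds one record through either setter and returns the flag that no
 * code path ever set on purpose. */
uint32_t auth_flag_after(const uint8_t *data, size_t len, int hardened)
{
    struct login_state s;
    memset(&s, 0, sizeof s);
    if (hardened)
        (void)set_name_checked(&s, data, len);
    else
        set_name_unchecked(&s, data, len);
    return s.authenticated;
}

/* Constructed input: 8 filler bytes that fill name[], then 4 bytes of 0xFF
 * that land in authenticated whatever the endianness. It is sized to end
 * exactly at the end of the struct (12 bytes) so the demo never writes
 * outside the object. */
static const uint8_t OVERFLOW_RECORD[NAME_LEN + sizeof(uint32_t)] = {
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 0xFF, 0xFF, 0xFF, 0xFF
};

int main(void)
{
    size_t n = sizeof OVERFLOW_RECORD;
    printf("unchecked copy: authenticated = 0x%08" PRIx32 "\n",
           auth_flag_after(OVERFLOW_RECORD, n, 0));
    printf("checked copy:   authenticated = 0x%08" PRIx32 "\n",
           auth_flag_after(OVERFLOW_RECORD, n, 1));
    return 0;
}
```

With a plain local array instead of a struct, the bytes after the buffer are usually the saved frame pointer and the saved return address, which is the case most of the questions below (overwriting EIP/RIP, ROP chains) are working with; the mechanism is the same, only the neighbour changes.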
4 votes, 0 answers, 113 views
How much do ARM-like link registers make return-oriented programming harder?
ROP usually uses a buffer overflow to overwrite the x86 return address. However, ARM stores that in a register. What is the effect of this on return-oriented programming attacks on non-x86 ...
9 votes, 2 answers, 3k views
Can buffer overflow attacks become impossible?
I admit that I don't fully understand how buffer overflow attacks work, but as far as I understand, the attacker sends an input that is longer than the section of memory that is supposed to temporarily ...
24 votes, 5 answers, 6k views
Given extensive protections in modern operating systems that make buffer overflow exploits unfeasible, should I even bother studying these?
I’ve been diving into the world of buffer overflow vulnerabilities and their exploitation, which has been both challenging and fascinating. However, I’ve recently hit a mental roadblock and would love ...
0 votes, 2 answers, 520 views
How should an unprotected environment be set up on modern Linux to test an old buffer overflow example?
Reading a technical paper on the issue I wanted to test it on my computer.
The idea is to provoke privilege escalation (change on the whoami output from peter to root) through a buffer overflow.
The ...
1 vote, 1 answer, 202 views
Segmentation fault without RIP even getting overwritten (buffer overflow)
I was trying to overflow the return pointer of a simple program. I have ASLR disabled and I compiled like this: gcc returnexp.c -o returnexp -fno-stack-protector.
(I would disable noexecstack later on ...
2 votes, 0 answers, 159 views
When gets reads a string, it does not read \x00, which is the NULL character. So how to separate two different addresses to complete ROP?
First I used ROPgadget to find two assembly instructions:
xor rax; ret and pop rcx; ret,
They are at 0x401270 and 0x40133b.
Then I tried to put them at the top of the stack, but because the gets ...
1 vote, 0 answers, 61 views
Can't print hexadecimal formatted address in buffer overflow
I'm trying to overwrite the return address caused by a buffer overflow. I've already calculated the distance between the buffer and the return address. The address that I want to jump to is ...
0 votes, 0 answers, 224 views
push /bin/sh to get a shell
I usually use a different method to push /bin/sh into rdi to get a shell, but I wanted to try this one:
Suppose that I can control RIP and there are no limitations or filters. So I can execute ...
1 vote, 0 answers, 205 views
How to properly pack address into bytes to overwrite EIP register
I'm learning how to exploit a tiny web server based on a well written post here: https://blog.coffinsec.com/2017/11/10/tiny-web-server-buffer-overflow-discovery-and-poc.html
I am very close to ...
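The two questions above (gadget addresses that contain \x00 when the program reads with gets, and packing an address into bytes to overwrite EIP) come down to the same mechanics, so here is an added C example, not code from either post: it serialises addresses little-endian behind the filler that reaches the saved return address, then reports which byte would end the read for a given input function. The gadget addresses are the two quoted in the gets question; the 40-byte offset to the return address, the 32-bit address 0x080484c0 and the 'A' filler are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from either question. */

/* Writes v as `width` little-endian bytes (4 for EIP, 8 for RIP): x86 and
 * x86-64 store the least significant byte at the lowest address, so
 * 0x401270 becomes 70 12 40 00 00 00 00 00 in memory. */
static void put_le(uint8_t *out, uint64_t v, int width)
{
    for (int i = 0; i < width; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Lays out `offset` filler bytes (the assumed distance from the buffer to
 * the saved return address) followed by each address in order: the first
 * one becomes the new EIP/RIP, the rest are consumed by successive `ret`
 * instructions. Returns the payload length, or 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t cap, size_t offset, int width,
                     const uint64_t *addrs, size_t naddrs)
{
    size_t need = offset + naddrs * (size_t)width;
    if ((width != 4 && width != 8) || need > cap)
        return 0;
    memset(out, 'A', offset);
    for (size_t i = 0; i < naddrs; i++)
        put_le(out + offset + i * (size_t)width, addrs[i], width);
    return need;
}

/* Index of the first occurrence of byte b in the payload, or -1. gets()
 * and fgets() stop at '\n'; strcpy() and anything passed via argv stop
 * at '\0'. The caller checks the terminator that applies to its target. */
long first_byte(const uint8_t *p, size_t n, uint8_t b)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == b)
            return (long)i;
    return -1;
}

int main(void)
{
    uint8_t payload[64];
    const uint64_t gadgets[] = { 0x401270, 0x40133b }; /* from the gets question */
    size_t n = build_payload(payload, sizeof payload, 40, 8, gadgets, 2);

    for (size_t i = 0; i < n; i++)
        printf("%02x%s", payload[i], (i + 1) % 8 ? " " : "\n");
    printf("first NUL at %ld, first newline at %ld\n",
           first_byte(payload, n, '\0'), first_byte(payload, n, '\n'));
    return 0;
}
```

Which terminator matters depends on how the bytes reach the buffer. gets() stops only at a newline or EOF, so the NUL bytes that pad a 64-bit address are read into the buffer as they are and two addresses can sit back to back; the only byte to keep out of a gets() payload is 0x0a. strcpy() and any argv-based delivery stop at the first NUL, which for this payload is byte 43, three bytes into the first address, and that is where a chain delivered that way would be cut.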
0 votes, 2 answers, 864 views
Unable to execute shellcode on x86_64 architecture
I recently got interested in binary exploitation (even though I do not know if it is still useful today).
I started studying shellcode and buffer overflow (stack-buffer overflow, specifically). I know ...
1 vote, 1 answer, 172 views
Buffer overflow chars get replaced on stack [closed]
I am trying to understand stack-based buffer overflow, but now I am stuck. This is the vulnerable function (32-bit ELF).
int test(char* input)
{
    char buf[100];
    printf("Buffer is at %p\n",...
1 vote, 1 answer, 541 views
Buffer overflow stops executing shellcode in the middle of it
I am trying to execute a simple shellcode by using a buffer overflow. The shell code starts executing but stops in the middle (even though it is fully copied to memory).
This is the vulnerable C code:...
0 votes, 1 answer, 514 views
64-bit ROP-based Buffer Overflow Attack
I am facing a CTF challenge in which I have to conduct an attack using a ROP chain on this program below:
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <sys/...
1 vote, 0 answers, 314 views
Buffer overflow on a program that only accepts arguments as input
I've got a pretty tricky flag that I have been beating my head against for a while now and would love an explanation for how something like this would be possible. I have a program that when run, ...
0 votes, 0 answers, 226 views
Buffer Overflow with ROP Chain Output Problem
I have the following problem: I have this C program and I have done buffer overflow using ROP gadgets. I have a problem with the output.
I want to stop the printf() call in the vuln function to get ...
20 votes, 6 answers, 11k views
Do high level languages allow for buffer / heap overflow?
I'm learning about basic x86 overflows in C, but normally I code with Python. Is there any way that programs written in higher-level languages can suffer from buffer/heap overflow?
-2 votes, 1 answer, 750 views
What is the relationship between fuzzing and buffer overflow? Does fuzzing lead to buffer overflow? [duplicate]
What is the relationship between fuzzing and buffer overflow, and does fuzzing lead to buffer overflow? Is buffer overflow a subset of fuzzing?
2 votes, 2 answers, 256 views
Buffer overflow not working from different environment
I wrote my first buffer overflow exploit and it worked well with
./vulnerable $(cat payload)
but when I tried to launch it from a Python shell it didn't work
import os
os.system("./vulnerable $(...
0 votes, 0 answers, 373 views
64-bit ELF Buffer Overflow not working, possibly due to if statement
I wrote the following:
#include <stdio.h>
#include <string.h>
int win(){
    printf("Won!\n");
    return 0;
}
int vulnerable(){
    char buffer[20];
    memset(buffer, 0, 10);
    printf("Input: &...
0 votes, 0 answers, 718 views
Jumping to a function inside the code with buffer overflow
My goal is to jump to a local function without calling it. Here is my code
#include <stdio.h>
void bufferoverflow()
{
    printf("bufferoverlow!\n");
}
void doSomething()
{
    int ...
1 vote, 1 answer, 249 views
Buffer overflow confusion: how do pre-return-address payloads work despite stack clearance?
I am trying to get deeper into buffer overflow and lower-level stuff in general and am confused regarding one particular topic. I have seen examples of buffer overflows in which the shellcode is ...
0 votes, 1 answer, 3k views
Instead of JMP ESP, can we use its opcodes?
In a buffer overflow exploit, when we use a JMP ESP instruction to jump to the ESP, instead of using the address of the JMP ESP, can't we use the opcodes of it? I generated the opcodes of the JMP ESP ...
0 votes, 1 answer, 561 views
Buffer overread
I am trying to understand buffer overread in my course in school. This code is an example from one of the lectures where buffer overread can be a problem. However, I do not understand how buffer ...
0 votes, 1 answer, 460 views
Exploiting a Stack Buffer Overflow vulnerability to get privileged access to the system
I am trying to complete a buffer overflow challenge. The code I am trying to exploit is below. I can only use the command line in a Linux environment.
I understand that writing more than 100 ...
1 vote, 1 answer, 283 views
How to fine tune timing for CVE-2021-3156 (sudo privilege escalation)?
I am trying to execute the sudo buffer overflow (CVE-2021-3156) on one of my systems, but haven't got it working yet. The system is definitely vulnerable (taking into account sudo version and sudoedit ...