Questions tagged [buffer-overflow]
A classic programming bug that may lead to a security flaw in software. Exploitation of this bug usually takes place on either the stack or the heap.
103 questions
1 vote, 1 answer, 228 views
ARM64 Stack Layout - Why 100x'A' Doesn't Crash?
I'm trying to exploit a buffer overflow vulnerability in an ARM64 program from this blog.
When I give as input 100*'A', and I compile the program for ARM 32 bit (without canaries), the program crashes ...
1 vote, 3 answers, 213 views
Why does this piece of code modify itself?
I'm reading the famous "Smash the stack and profit" paper, and to reiterate, the whole point of the idea is to put some binary code in a buffer, overflows it to rewrite the return address (...
4 votes, 1 answer, 175 views
💻 This code does not crash on ARM (qemu). Why?
I found a couple of interesting integer underflows leading to memcpy() wild copies in a TLV parser process of some random IoT firmware. It is 32-bit ARMv7.
I'm able to emulate the userspace process ...
2 votes, 0 answers, 245 views
Overwriting the Global Offset Table + format string vulnerability
I am trying to understand how to overwrite the Global Offset Table, from the book "Hacking: The Art of Exploitation". Following the example I get:
objdump -R ./fmt ...
2 votes, 0 answers, 86 views
Buffer overflow gets() weird parsing
I'm attempting to do a buffer overflow with gets(). I've figured out how to write over the return address and I'm able to do so, however, I cannot write in the address I need because the 0x7F at the ...
3 votes, 0 answers, 62 views
Data placement in memory
I am playing with buffer overflow attacks in C. I have the following code:
int foo(void*, void*); // Calculates the distance (in bytes) between two addresses in memory
int main(int argc, char**...
3 votes, 0 answers, 172 views
How to leak buffer address on the stack?
I am new to buffer overflows and I was trying to overwrite the saved RIP to point to a buffer containing a shellcode. The buffer is located on the stack so its address is randomized. How can I leak ...
2 votes, 0 answers, 107 views
Invalid address when overwriting saved rip with buffer's address
I have an executable vulnerable to buffer overflows. The program takes a buffer of 104 chars and prints it (unfortunately, there is no format string vulnerability) until we feed it with a 0 or a \n, ...
3 votes, 0 answers, 55 views
Find location to override PC by stack frame with stack overflow
I have a stack overflow on MIPS arch (without ASLR/canary)
In IDA I see that the buffer that has the overflow is located at SP+200
At the beginning of the function I can see the stack size because I see the ...
1 vote, 1 answer, 143 views
Help starting with UEFI/SMM exploits
I have an 845 G7 with BIOS 1.06, which has a load of CVEs which allow SMM and DXE exploits:
https://support.hp.com/ca-en/drivers/selfservice/hp-elitebook-845-g7-notebook-pc/37506818 (under the UEFI ...
1 vote, 1 answer, 2k views
Why is JMP ESP required in buffer overflow?
I was reading this article by Hackers Grimoire on Windows buffer overflow attacks.
The article made sense, except for the part where the author searched for a DLL (.dll) file which contained a JMP ESP ...
1 vote, 0 answers, 250 views
How do I align a memory dump hex file so that a pointer address matches its location in the memory dump file?
I'm learning C and trying to understand how things like buffer overflows and other memory issues work. I am doing this on Windows for convenience reasons but would have no problem doing it on WSL or a ...
0 votes, 0 answers, 783 views
Basic buffer-overflow on a remote program with Python/pwntools
I work on an online program in which I should do a buffer overflow.
When I run the program, I have to complete a sum of two numbers (generated randomly):
>>> 451389913 + 1587598959 =
If I put ...
1 vote, 0 answers, 784 views
How do I convert an address to little endian such that I can feed it to my exploit?
I'm doing a small exploit exercise.
For this purpose, I have the following file:
#include <stdio.h>
void secretFunction() {
printf("Congratulations!\n");
printf("...
0 votes, 1 answer, 5k views
How to exploit __isoc99_scanf with a segmentation fault
I'm an absolute newbie when it comes to all this side of reverse engineering. Each time I try and understand it, I get lost almost immediately.
I am trying a lab. I open it up in Binary Ninja. I get ...
1 vote, 1 answer, 548 views
Understanding buffer overflow in Arm
Let's say I have a function (vuln) that has a local buffer with a size of 0x20 bytes. At the beginning of this function, there is push r4-r7,lr.
Is it correct that the stack looks like:
Buffer: (0x20)...
0 votes, 1 answer, 447 views
ret2libc: problem getting exploit to work without pwntools
I am trying to exploit this program test with ret2libc. Only NX is enabled.
#include <stdio.h>
void vuln() {
    char buffer[256];
    gets(buffer);   // no bounds check: input longer than 256 bytes overwrites the saved return address
}
int main() {
    vuln();
    return 0;
}
...
2 votes, 2 answers, 8k views
Using a buffer overflow to call a function
I'm new to reverse engineering C binaries but have been working on an old ctf and thought to ask for explanation of specific assembly commands and how a buffer overflow might force a function to be ...
1 vote, 0 answers, 200 views
Trying to call the Exit Shellcode in a C program
#include<stdio.h>
#include<stdint.h>
char shellcode[] = "\xb8\x3c\x00\x00\x00"
"\xbf\x14\x00\x00\x00"
"\x0f\x05";
int ...
2 votes, 0 answers, 201 views
How do I calculate where to put the canary value in a program
I am trying to exploit a program with a buffer overflow for a class. The program has a canary enabled and when you smash the stack it exits. When running the program in gdb you can set a breakpoint ...
0 votes, 1 answer, 98 views
Program goes to suspend when buffer overflow occurs
Full disclosure: I am seeking help to complete a college assignment. I am seeking help on steps where I am stuck and unable to move forward, not a ready made answer.
I need to exploit it to get a ...
1 vote, 2 answers, 505 views
Run ltrace to avoid detection (on a different PID?)
I am trying to run ltrace on this file:
./launcher: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]...
0 votes, 1 answer, 1k views
Difference between \n, \0, \x00 and data from /dev/zero when performing a buffer overflow?
I am working with a binary that involves a buffer overflow on two contiguous memory blocks allocated with malloc. The binary fills up the first buffer with whatever the user inputs and hardcodes the ...
0 votes, 0 answers, 741 views
Using GDB to find the address of a buffer in a stripped C binary
I am working with a crackmes binary called Simple Overflow. It has two buffers with sizes 0x10 and 0x8, and it uses malloc to allocate two contiguous memory blocks (see <+25> and <+39> on ...
2 votes, 2 answers, 515 views
How can I recognize the length of this array based on the assembly instruction?
In the source code I can clearly see that the array called "buf" is 32 bytes long since 1 char = 1 byte
I assume that the array starts at the address [rbp-0x30] and the argv[ ] is stored in ...
2 votes, 3 answers, 1k views
Bypassing ASLR without leak address
I have found a stack buffer overflow.
Currently, this is the situation:
NX/DEP disabled
ASLR enabled
Not a PIE
I am able to override the return address and jump to PLT sections.
My problem is that I ...
1 vote, 1 answer, 218 views
Analyze stack with IDAPython
In IDA pseudo-code, when I click on a stack variable, I can see the place of this variable on the stack.
char buffer[XXX]; // [sp+YYh]
How can I get that information (buffer size and place of this buffer ...
1 vote, 1 answer, 5k views
Buffer overflow: pwntools does not give me a shell, despite exploit working without pwntools
Recently, I've been trying to learn how to use the pwntools library. I am trying to exploit the following program using pwntools:
#include <stdio.h>
#include <stdlib.h>
int main(void) {
...
0 votes, 1 answer, 237 views
Buffer space in C
I was wondering if there is some way to get information about buffer size via reversing a binary created in the C language. Can we also know how many buffers we have created while writing that script?
...
0 votes, 1 answer, 593 views
2 byte format string attacks
Protostar
I was doing the Protostar format string (3rd challenge), where we have to change the value of a variable target with a format string buffer overflow. So I came across this Medium article: ...
1 vote, 1 answer, 910 views
How can I get my shellcode to work outside of GDB?
I'm working inside a Warzone VM with no ASLR or NX bit. The program I'm trying to exploit is really simple:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
* compiled ...
1 vote, 1 answer, 2k views
x64dbg throwing exception
I have been working on finding an overflow in WordPad and I was able to run an exception with an undefined behavior (my point of view).
I am using x64dbg (I am not an x64dbg pro) and it shows ...
1 vote, 0 answers, 186 views
RopGadget buffer overflow
I have a question,
I have a device on which I can perform a buffer overflow.
The problem is that there is ASLR (on all addresses in /proc/binary/maps, but not on the binary itself, but all ...
0 votes, 0 answers, 352 views
Exploiting a binary using ret2libc
I ran into this binary at a CTF:
https://github.com/auehc/AUCTF-2020/tree/master/Pwn/House%20of%20Madness
I first tried to exploit it and get a shell using ret2libc technique, however I didn't ...
0 votes, 0 answers, 60 views
Performing Buffer overflow in Linux
I have a buffer overflow in a program I check (it is an array of pointers, and I can overflow the data in the first pointer), but the data I can write is not on the stack, it is in a space the system ...
6 votes, 1 answer, 428 views
The buffer is too short to insert addresses when exploiting buffer overflow
Newbie here. Sorry for what you are about to read.
I'm currently working on exploiting a binary on Ubuntu 18.04. Here is some information about the binary:
Its checksec information using pwntools:
...
1 vote, 2 answers, 751 views
Detecting and solutions of stack smash protection
This video https://youtube.com/watch?v=4HxUmbOcN6Y presents how modern compilers protect against stack overflows with stack cookies and the function __stack_chk_fail.
How can one identify if a binary has stack ...
1 vote, 2 answers, 193 views
BufferOverflow - Cannot push a specific return address on the stack
I'm currently playing with buffer overflow and ROP-chains, and I'm facing a weird behavior that I don't know how to deal with.
I don't know why, but I cannot correctly push the address of my first ...
0 votes, 1 answer, 93 views
How to make a program to read Unicode control characters
I'm learning how to cause a buffer overflow. My victim program has to read input from a file encoded with UTF-16, 2 bytes by 2 bytes, and I want to overrun the EBP with an address like 0x0012F468.
...
0 votes, 1 answer, 145 views
Getting illegal access fault with error: "The address 0xffdeb9f0 could not be accessed."
I am trying to execute a shellcode in buffer overflow vulnerability. I am able to put the shell code at the ...
1 vote, 2 answers, 2k views
The hex codes are being replaced while finding bad characters for buffer overflow
I am facing a problem in finding bad characters because the hex codes are being replaced with \x3F and some other codes.
Here I have all the 256 hex chars from \x01 to \xFF and as you can see many of ...
3 votes, 1 answer, 343 views
Why is EIP being overwritten before the local buffer ends?
I am doing a simple buffer overflow exercise, here is the source:
//vuln.c
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[]) {
char buf[256];
strcpy(buf,argv[...
0 votes, 0 answers, 132 views
Bufferoverflow Stack
I want to do a buffer overflow exploit in the stack. For this I read in data via the "gets" function.
void ExploitMe()
{
    char buffer[256];
    gets(buffer);   // no bounds check: oversized input overflows the stack buffer
}
I compile this file with
gcc test.c -...
4 votes, 0 answers, 1k views
Using Angr in Vulnerability Research
I would like to use angr for vulnerability research.
I was thinking that if I did the following:
p = angr.Project('a.out', auto_load_libs=False)
sm = p.factory.simulation_manager()
while len(sm....
3 votes, 1 answer, 5k views
Illegal instruction error in simple buffer overflow
I am using the following C code for testing a simple stack-based buffer overflow
#include<stdio.h>
#include<string.h>
void copier(char *arg){
char buffer[100];
strcpy(buffer,arg);
}
int ...
0 votes, 0 answers, 183 views
Cannot rewrite the rip even after disabling all the security features
I was trying to exploit a simple buffer overflow on a self created binary.
I have disabled all the security features by compiling with the flags -
--fno-stack-protector -z execstack -no-pie.
my ...
1 vote, 0 answers, 849 views
Illegal instruction fault in stack based buffer overflow
I wrote this short C program to practice buffer overflow exploits:
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <inttypes.h>
char *decode(char *s){
...
2 votes, 1 answer, 4k views
x86-64 CALL opcode + disassembly
Working a basic buffer overflow on a 64bit system and putting together some basic shellcode. The main program does a call to puts@plt. When I disassemble main in gdb, the opcodes show as:
e8 6b fe ff ...
1 vote, 0 answers, 252 views
Need help understanding basic buffer overflow
So I have this sample problem that I need to buffer overflow. It's an ELF file that requires to be run on a separate terminal; then using "nc localhost 'port'" on a separate terminal we can see the ...
0 votes, 1 answer, 420 views
Why does the following non-stack shellcode load the /bin/sh string without pushing it onto the stack?
The C code:
#include <string.h>   /* for strcpy */
void overflow (char* inbuf)
{
    char buf[64];
    strcpy(buf, inbuf);   /* unbounded copy: inbuf longer than 64 bytes overflows buf */
}
int main (int argc, char** argv)
{
    overflow(argv[1]);
    return 0;
}