Questions tagged [stack-overflow]
The stack-overflow tag has no summary.
58 questions
1 vote, 0 answers, 134 views
Is Tricore architecture of Infineon vulnerable to stack overflow attack?
In this topic, 'be vulnerable to stack overflow attack' actually refers to an attacker manipulating the return address of a function to perform a control flow hijacking. Smashing the stack by ...
24 votes, 5 answers, 6k views
Given extensive protections in modern operating systems that make buffer overflow exploits unfeasible, should I even bother studying these?
I’ve been diving into the world of buffer overflow vulnerabilities and their exploitation, which has been both challenging and fascinating. However, I’ve recently hit a mental roadblock and would love ...
1 vote, 0 answers, 61 views
Can't print hexadecimal formatted address in buffer overflow
I'm trying to overwrite the return address caused by a buffer overflow. I've already calculated the distance between the buffer and the return address. The address that I want to jump to is ...
0 votes, 1 answer, 345 views
How to return to main after performing stack buffer overflow
#include <stdio.h>
#include <stdlib.h>
void reading();
void reading_hexa(char*);
void secret();
int main()
{
reading();
printf("Input done\n");
exit(0);
}
void ...
1 vote, 1 answer, 172 views
bufferoverflow chars gets replaced on stack [closed]
So I try to understand stack based buffer-overflow but now I am stuck. This is the vulnerable function (32 bit ELF).
int test(char* input)
{
char buf[100];
printf("Buffer is at %p\n",...
1 vote, 2 answers, 360 views
Is Stack Exchange immune to DDoS and DoS attacks?
I have heard that DDoS and DoS attacks work most of the time and that they are used when SQL insertion and other methods fail. I know Stack Exchange has a lot of programmers, and that they have this ...
1 vote, 1 answer, 1k views
Why are stack canaries not enabled by default on GCC?
I'm trying to understand why stack canaries are not enabled by default. It makes sense to me that they should be, given the interest in security? https://stackoverflow.com/questions/49693870/stack-...
0 votes, 0 answers, 226 views
Buffer Overflow with ROP Chain Output Problem
I have the following problem: I have this C program and I have done buffer overflow using ROP gadgets. I have a problem with the output.
I want to stop the printf() call in the vuln function to get ...
0 votes, 1 answer, 289 views
Stack vs Heap exploit, which have more CVE documented?
I tried to google this topic but most of them conflict with each other. On the other side, I found a case where I can use either stack (local variable) or heap for a dynamic string. It's C by the ...
1 vote, 1 answer, 1k views
Heap overflow - strcpy() on x86_64 (64bit)
I'm stuck on the Heap1 challenge from Exploit Education.
After compiling the source code in a 64bit system, without any security mechanism, I try to overflow the heap in order to overwrite the main ...
1 vote, 0 answers, 412 views
What can you do against fortify-source (stack overflow)?
I was practicing stack buffer exploitation on a well known application
I was able to bypass canaries, ASLR and nx bit with techniques easily found on the internet
However it has fortify-source enabled ...
2 votes, 1 answer, 230 views
Is this paper on stack canaries outdated?
According to this paper on defeating stackguard, it seems canaries are placed lower in the stack (higher address) than EBP, allowing the attacker to overwrite EBP without being noticed. But when I ...
0 votes, 2 answers, 946 views
What is the maximum payload injection size
I have been conducting some minor research into the various forms of exploitation, such as buffer overflows and similar.
Most tutorials seem to focus on executing shellcode, that is code which ...
1 vote, 0 answers, 172 views
Question on stack overflow
I am preparing for an exam in Computer Security and doing a past exam without solutions, so I wanted to check if my reasoning holds on a question about stack overflow. Below is the C code in question. ...
1 vote, 1 answer, 2k views
Can you perform a buffer overflow and a format string attack at the same time?
So I hope I'm phrasing this right. I'm trying to exploit a piece of c code which you can see below.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h> ...
1 vote, 1 answer, 1k views
Why does my compiler warn me about gets but not about scanf?
If I compile a code with gets, the compiler outputs a warning saying that the function shouldn't be used:
<source>:5:13: warning: 'char* gets(char*)' is deprecated [-Wdeprecated-declarations]
...
2 votes, 1 answer, 381 views
Having trouble with learning Buffer Overflows
So I have this program in C that I'm trying to exploit which has a vulnerability in a function, namely it's using gets. I'm trying to overflow and change the return address so the program returns one ...
0 votes, 1 answer, 435 views
Is it possible to use ROP to call legitimate functions even if the stack is not executable?
I read about the hardware protection that blocks the CPU from jumping to a stack address. But a hacker may still edit the return address to an address in code memory that shouldn't run at that moment.
For ...
0 votes, 0 answers, 255 views
Where does the SP (Stack Pointer) point to when the buffer is overflown?
Let's consider a stack that grows downwards and a function that has a local variable for a buffer that takes 100 bytes of memory.
So, reading from top to bottom, it would be a 4-byte long return ...
0 votes, 0 answers, 446 views
Problem with return 2 libc in 64 bit arch
I want to perform return to libc in 64 bit architecture using execve. I found a gadget with /bin/sh in it (the /bin/sh offset is 18a143):
cbcd8: 00 00
cbcda: 4c 89 ea ...
0 votes, 1 answer, 663 views
BufferOverFlow - How come ESP points to the end of the payload
I just don't understand how ESP points to the shellcode
let's say we've sent this string
string = 100 * 'A' + 'BBBB' + 'CCCC'
I have filled the stack with 'AAAA..' and overwritten the EIP value and ...
0 votes, 1 answer, 328 views
Automatically insertion of 00 in EIP in Stack Overflow 64bit
I am trying to overflow a stack in C sample code to execute uncalled function in code.
The problem is when I overflow the stack by entering a (24 times), $EIP is 0x555555550061. I want it to be ...
1 vote, 1 answer, 550 views
Return address incorrect (buffer overflow)
I'm trying to exploit the following code with a buffer overflow to get a shell:
int main()
{
char str[64];
gets(str);
return(0);
}
The platform is Ubuntu 64 bit, arch i686.
The program is ...
1 vote, 1 answer, 1k views
Buffer overflow Mona modules all show Rebase SafeSEH ASLR True
Almost every beginner's (noob friendly) tutorial written for stack based buffer overflow explains, when using the mona module to locate a safe reliable memory address for our EIP to JMP to our shellcode ...
2 votes, 1 answer, 796 views
Exploit education stack-five: trouble opening shell
I'm trying the phoenix vm, challenge stack-five on exploit.education (http://exploit.education/phoenix/stack-five/).
I ran into a problem while exploiting a stack overflow. The challenge is run execve('...
1 vote, 1 answer, 2k views
Cannot execute shellcode using buffer overflow
As a home exercise I'm trying to achieve buffer overflow attack by running a simple char array program that stores the input argument in the program stack and then overflowing that stack with long ...
0 votes, 1 answer, 901 views
EIP pointing to shellcode but shellcode is not executing?
I have successfully overwritten the EIP register (pointing to my shellcode) but the shellcode is not executing. I compiled with the command
gcc -g -fno-stack-protector -z execstack -no-pie vuln.c -o ...
-1 votes, 3 answers, 2k views
ret2libc - why need 4 bytes of garbage
So I started to learn reverse engineering, and I came across the ret2libc exploit.
I tried to understand how it works and I got a bit confused.
They say that when you return to the address of system ...
47 votes, 3 answers, 10k views
Does a buffer overflow vulnerability always mean a code execution vulnerability?
Since buffer overflows always let an evil hacker write outside the buffer and overwrite the return pointer to a shellcode the evil hacker can place, does it mean that successful exploitation of a ...
1 vote, 3 answers, 298 views
Why Does Only 1 Of These 2 Almost-identical Payloads Give Me A Shell?
I wrote a vulnerable test program to practice buffer overflows; however, I was having trouble getting it to work. Finally, after slightly modifying the return address, I was able to gain a shell, but ...
0 votes, 1 answer, 746 views
ret2libc calling function arguments order
While I was studying ret2libc, I saw that tutorials use:
call_to_function + ret addr + arguments
For example I understand that if I want to execute system function from libc I can use the following ...
4 votes, 1 answer, 379 views
How are stack canaries padded by unmapped pages?
I was reading the wikipedia article on this subject and it states that when a program starts, the canary is calculated at random, stored in a local variable(which I presume was introduced by the ...
0 votes, 2 answers, 624 views
In Return-Oriented Programming how can the machine execute unaligned instructions?
I am reading "The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)".
The author claims that x86 code is like English written without punctuation or spaces, ...
3 votes, 1 answer, 3k views
Cannot exploit stack-based buffer overflow with ASLR-disabled, since RSP differs heavily between executions?
I have made a little toy program, compiled with ASLR disabled, that I want to exploit using stack-based buffer overflow:
// gcc stackexec0x1.c -Wl,-z,execstack -no-pie -fno-stack-protector -o ...
1 vote, 1 answer, 780 views
What is Return-Oriented Programming? [closed]
With return-oriented programming, when we fill a buffer with the stack contents (arguments and return addresses) for the function calls we plan on "injecting," how do we actually change the stack ...
1 vote, 0 answers, 177 views
Need help in exploiting an overflow on Linux [closed]
There is a 32-bit Linux application. It's possible to overwrite EIP easily. I will call this process "send a string".
It's also possible to send about 10000 custom bytes to heap (it's possible to ...
2 votes, 2 answers, 4k views
Overflowing the buffer yet not jumping to address
I am a beginner at buffer overflows, have been studying this subject for a few days and I found this exercise (code from: here).
I think I understand the basic concept: I write more than 64 bytes of characters ...
3 votes, 1 answer, 363 views
Smashing stack in x86_64
Exploiting functions like strcpy() relies on the fact that the payload string must not contain zero bytes that would terminate the copy function. If the payload contains x86_64 addresses (e.g. in ...
5 votes, 2 answers, 5k views
How does gcc compiler guard stack for stack overflow?
When we compile a C program with gcc, we have to include the "-z execstack" option to enable a stack overflow attack.
The question I want to ask is how does gcc implement this.
Without this option, how does ...
4 votes, 2 answers, 4k views
Why do we need to remove null bytes from shell code?
I'm studying the basics of making shell codes. I have a question about it.
In my textbook, the author stores his shell code in an environment variable, and injects the address of it using strcpy() ...
1 vote, 2 answers, 1k views
Buffer Overflow Stack Attack Exercise Help
So I am trying to complete a buffer overflow exercise. The code I am trying to exploit is below. What I want to be able to do is to insert my own print statement through the overflow attack. What I ...
2 votes, 1 answer, 1k views
How do I bypass a return address overwrite not doing anything?
This is main:
(gdb) disass main
Dump of assembler code for function main:
0x000000000040057c <+0>: push rbp
0x000000000040057d <+1>: mov rbp,rsp
0x0000000000400580 <+4>: ...
2 votes, 2 answers, 2k views
C - Simple Buffer Overflow Exploitation, how is the EIP overwritten in different type calling functions?
General Background:
I have written an echo server trying to implement an example of BoF in C that utilizes a strcpy() function call like such:
// .... including the corresponding libraries depending ...
2 votes, 1 answer, 203 views
Understanding a crash
Say you're fuzzing a Windows x32 application for a file format bug and, say, you found a pattern that causes the application to crash.
My normal steps are:
load application into a debugger
generate ...
1 vote, 1 answer, 2k views
Why do registers get overwritten upon overflow?
I know that upon a overflow, the stack gets partially overwritten, but I do not understand why registers such as EIP or RIP get changed in this process.
How come some registers are modified by such ...
2 votes, 1 answer, 3k views
Stackpivoting techniques
I'm practicing exploit development and one of the scenarios I am having the most difficulty with is stack pivoting besides the "ADD ESP, XXX" or something like that.
The question is, during the writing ...
1 vote, 1 answer, 2k views
Bufferoverflow - jmp esp. Do I need nops sled? Does call esp also work?
I'm learning about stack buffer overflow and I'd appreciate help.
I'm exploiting simple web server containing this log function. Argument s1 is the input that I supply via HTTP. Server is running on ...
1 vote, 2 answers, 301 views
Software overflow exploitation lab
Working through a binary exploitation course posted by RPI a few years ago. Currently on the ASLR lab and having some trouble with it (although not with the parts related to ASLR). I can't figure out ...
0 votes, 3 answers, 5k views
Some vulnerable projects in C or C++ for a lecture? [closed]
I'm looking for some real projects which have stack overflow vulnerabilities. The important thing is, I am going to teach finding the vulnerabilities and the way of fixing them by these examples. So, ...
3 votes, 2 answers, 1k views
Hard-wired vs relative addresses in shellcode
This question is primarily in the context of arbitrary command execution in a buffer (e.g. stack) overflow.
I read somewhere recently that hard-wired (absolute) addresses are not good for shellcode e....