Questions tagged [buffer-overflow]
A classic programming bug that may lead to a security flaw in software. Exploitation of this bug usually takes place either on the stack or on the heap.
103 questions
ARM64 Stack Layout - Why 100x'A' Doesn't Crash? (1 vote, 1 answer, 204 views)
I'm trying to exploit a buffer overflow vulnerability in an ARM64 program from this blog.
When I give as input 100*'A', and I compile the program for ARM 32 bit (without canaries), the program crashes ...
Why does this piece of code modify itself? (1 vote, 3 answers, 183 views)
I'm reading the famous "Smash the stack and profit" paper, and to reiterate, the whole point of the idea is to put some binary code in a buffer, overflow it to rewrite the return address (...
💻 This code does not crash on ARM (qemu). Why? (4 votes, 1 answer, 145 views)
I found a couple of interesting integer underflows leading to memcpy() wild copies in a TLV parser process of some random IoT firmware. It is 32-bit ARMv7.
I'm able to emulate the userspace process ...
Overwriting the Global Offset Table + format string vulnerability (2 votes, 0 answers, 220 views)
I am trying to understand how to overwrite the Global Offset Table, in the book "Hacking: The Art of Exploitation". Following the example I get:
objdump -R ./fmt ...
Buffer overflow gets() weird parsing (2 votes, 0 answers, 71 views)
I'm attempting to do a buffer overflow with gets(). I've figured out how to write over the return address and I'm able to do so, however, I cannot write in the address I need because the 0x7F at the ...
Data placement in memory (3 votes, 0 answers, 47 views)
I am playing with buffer overflow attacks in C. I have the following code:
int foo(void*, void*); // Calculates the distance (in bytes) between two addresses in memory
int main(int argc, char**...
How to leak buffer address on the stack? (3 votes, 0 answers, 160 views)
I am new to buffer overflows and I was trying to overwrite the saved RIP to point to a buffer containing a shellcode. The buffer is located on the stack so its address is randomized. How can I leak ...
Invalid address when overwriting saved rip with buffer's address (2 votes, 0 answers, 92 views)
I have an executable vulnerable to buffer overflows. The program takes a buffer of 104 chars and prints it (unfortunately, there is no format string vulnerability) until we feed it with a 0 or a \n, ...
Find location to override PC by stack frame with stackoverflow (3 votes, 0 answers, 41 views)
I have a stack overflow in MIPS arch (without ASLR/canary).
In IDA I see that the buffer that has the overflow is located at SP+200.
At the beginning of the function I can see the stack size because I see the ...
Help starting with UEFI/SMM exploits (1 vote, 1 answer, 128 views)
I have an 845 G7 with BIOS 1.06, which has a load of CVEs which allow SMM and DXE exploits:
https://support.hp.com/ca-en/drivers/selfservice/hp-elitebook-845-g7-notebook-pc/37506818 (under the UEFI ...
Why is JMP ESP required in buffer overflow? (1 vote, 1 answer, 1k views)
I was reading this article by Hackers Grimoire on Windows buffer overflow attacks.
The article made sense, except for the part where the author searched for a DLL (.dll) file which contained a JMP ESP ...
How do I align a memory dump hex file so that a pointer address matches its location in the memory dump file? (1 vote, 0 answers, 232 views)
I'm learning C and trying to understand how things like buffer overflows and other memory issues work. I am doing this on Windows for convenience reasons but would have no problem doing it on WSL or a ...
Basic buffer-overflow on a remote program with Python/pwntools (0 votes, 0 answers, 757 views)
I work on an online program in which I should do a buffer overflow.
When I run the program, I have to complete a sum of two numbers generated randomly:
>>> 451389913 + 1587598959 =
If I put ...
How do I convert an address to little endian such that I can feed it to my exploit? (1 vote, 0 answers, 767 views)
I'm doing a small exploit exercise.
For this purpose, I have the following file:
#include <stdio.h>
void secretFunction() {
printf("Congratulations!\n");
printf("...
How to exploit __isoc99_scanf with a segmentation fault (0 votes, 1 answer, 5k views)
I'm an absolute newbie when it comes to all this side of reverse engineering. Each time I try and understand it, I get lost almost immediately.
I am trying a lab. I open it up in Binary Ninja. I get ...