Questions tagged [buffer-overflow]

A classic programming bug that may lead to a security flaw in software. Exploitation of this bug usually takes place either on the stack or in the heap.

104 questions
6 votes, 1 answer

Program won't crash on heap overflow

I'm trying to learn about heap overflows for this exploitation challenge I have to solve. In short, the program allocates 3 consecutive buffers on the heap, and I have access to write whatever I want to all of them. Even though I write over the…
user2835
2 votes, 0 answers

How do I calculate where to put the canary value in a program

I am trying to exploit a program with a buffer overflow for a class. The program has a canary enabled, and when you smash the stack it exits. When running the program in gdb you can set a breakpoint right before the call for user input and grab the…
DCOanlyst
2 votes, 1 answer

Why is SUID shellcode not working but basic shellcode working?

I'm playing with Basic Buffer Overflow Protostar - Stack 5:
    #include #include #include #include
    //gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -m32 -g bof2.c -o bof2
    //sudo bash -c…
Dark Cyber
1 vote, 2 answers

The hex codes are being replaced while finding bad characters for a buffer overflow

I am facing a problem in finding bad characters because the hex codes are being replaced with \x3F and some other codes. Here I have all the 256 hex chars from \x01 to \xFF, and as you can see many of the hex chars are being replaced with \x3F and other…
Mukesh
1 vote, 0 answers

Possible to execute a CGI application locally and preserve the permissions?

This was part of a challenge which has now ended. On that server, when the CGI application was called remotely, Apache executed it with the permissions of the owner of that binary. So the goal was to abuse those rights with a buffer overflow. The…
0 votes, 1 answer

Null byte not breaking shellcode

While exploiting a strcpy() buffer overflow in Win XP, I used the address of ESP after the crash to overwrite EIP. The address contained a null byte so it did not work, so I found a jmp esp instruction and used that instead. Then I ran the program…
0 votes, 1 answer

Address is 3 bytes - need 4 bytes to overwrite RET

I have an issue. The address for a function that I need to overwrite the RET to (buffer overflow) is only 3 bytes. However, I need 4 bytes to overwrite the RET exactly. What do I do?
user3893623
0 votes, 1 answer

Getting illegal access fault with error: "The address 0xffdeb9f0 could not be accessed."

Getting illegal access fault with error "The address 0xffdeb9f0 could not be accessed." I am trying to execute shellcode in a buffer overflow vulnerability. I am able to put the shellcode at the right place in memory but it's not getting…
Mukesh
0 votes, 1 answer

Why does the following non-stack shellcode load the /bin/sh string without pushing it onto the stack?

The C code (the strcpy() into a fixed 64-byte buffer is the deliberate overflow; only the header needed for strcpy is added here):
    #include <string.h>

    void overflow(char *inbuf)
    {
        char buf[64];
        strcpy(buf, inbuf);   /* unbounded copy: overflows buf when inbuf is longer than 64 bytes */
    }

    int main(int argc, char **argv)
    {
        overflow(argv[1]);
        return 0;
    }