Given extensive protections in modern operating systems that make buffer overflow exploits unfeasible, should I even bother studying these?

I’ve been diving into the world of buffer overflow vulnerabilities and their exploitation, which has been both challenging and fascinating. However, I’ve recently hit a mental roadblock and would love to get your insights.
With modern oper…

How should an unprotected environment be set up on modern Linux to test an old buffer overflow example?

Reading a technical paper on the issue I wanted to test it on my computer.
The idea is to provoke privilege escalation (change on the whoami output from peter to root) through a buffer overflow.
The example is quite old, so I guess actual …

Segmentation fault without RIP even getting overwritten (buffer overflow)

I was trying to overflow the return pointer of a simple program. I have ASLR disabled and I compiled like this: gcc returnexp.c -o returnexp -fno-stack-protector.
(I would disable noexecstack later on when I could overwrite the pointer)
Bu…

Jump-Oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another?

Jump-oriented Programming: Why is it better/easier to jump to the dispatcher gadget than to jump from one functional gadget directly to another functional gadget?
My understanding of JOP:
In jump-oriented programming (as described in e.g. …

Jump-Oriented Programming: Harder than ROP because the registers need to be prepared individually? + Turing complete, but large overhead/slow?

Full title: Jump-Oriented Programming: Is it harder than traditional return-oriented programming because you need to manually prepare all the addresses and registers or is there a different reason?
And does that mean that a large percentag…

When gets reads a string, it does not read \x00, which is the NULL character. So how to separate two different addresses to complete ROP?

First I used ROPgadget to find two assembly instructions:
xor rax; ret and pop rcx; ret,
They are at 0x401270 and 0x40133b.
Then I tried to put them at the top of the stack, but because the gets instruction does not read the \x00 character…