Collaborate Disseminate
I am working on exploiting an application on MIPS to further my knowledge of ROP chaining. The library I am trying to build a ROP chain is libuClibc-0.9.30.3.so. I found a gadget that I want to use using Ropper. The offset is marked to be,… Continue reading ROP on MIPS Doesn’t Land Where Calculated
I am making a rop chain to call fgets with stdin as input to be able to make a basic stackoverflow.
But my issue is that when I call fgets with 0 as third argument (for stdin) fgets crash at
<fgets+49> mov ecx, DWORD PTR [e… Continue reading Why does fgets fail when I use 0 as FILE* to read from stdin in rop chain?
I read about the hardware protection that blocks the CPU from jumping to stack address. But hacker may still edit the return address to an address in code memory that shouldn’t run at that moment.
For example;
#include<stdio.h>
I am learning libc shellcode attacks and trying to execute /bin/sh from system
I can execute other commands from system like whoami and ls -a but can not run /bin/sh
the following works
string = b"ls -a\0"
# system, _exit, system… Continue reading system doesn’t invoke /bin/sh
A vulnerable C program to stack buffer overflow, requires 112 byte stuffing to get to return address of the calling function. Here the Strcpy() is the vulnerable function.
void f(char *name){
char buf[100];
strcpy(buf, name);
}
void m… Continue reading ROP execute a shell with execl() – /bin/sh: 0: Can’t open
Having a program vulnerable to stack based buffer overflow with setuid bit set, and want to fill the buffer with ROP gadgets.
If setuid(0) is needed to spawn a shell with root privilege, then ‘0’ would be written in the stack, so setuid() … Continue reading ROP gadget for setuid(zero) – writing argument zero into the stack
More bad news for cybercrooks… we hope. Continue reading Intel announces “exploit busting” features in its next processor chips
Intel’s Tiger Lake CPUs will come with Control-flow Enforcement Technology (CET), aimed at battling common control-flow hijacking attacks. Continue reading Intel Adds Anti-Malware Protection in Tiger Lake CPUs
I have a binary file vulnerable to a format strings attack with the following protections:
(Full relro, NX and PIE)
I have managed to find the libc version and hence the address of system and bin/sh in order to launch a shell. My payloa… Continue reading Cannot overwrite eip in order to carry out ret2libc attack
I have this code that I need to use to perform a ret2libc
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
char buf[256];
printf(“buff is at:%p\n”,buf);
printf(“%s”,argv[1]);
strcpy(buf, … Continue reading segmentation fault at strcpy while perforforming a buffer overflow