Collaborate Disseminate
So I have this program in C that I’m trying to exploit which has a vulnerability in a function, namely it’s using gets. I’m trying to overflow and change the return address so the program returns one or both of the two functions that are n… Continue reading Having trouble with learning Buffer Overflows
I am making a rop chain to call fgets with stdin as input to be able to make a basic stackoverflow.
But my issue is that when I call fgets with 0 as third argument (for stdin) fgets crash at
<fgets+49> mov ecx, DWORD PTR [e… Continue reading Why does fgets fail when I use 0 as FILE* to read from stdin in rop chain?
I read about the hardware protection that blocks the CPU from jumping to stack address. But hacker may still edit the return address to an address in code memory that shouldn’t run at that moment.
For example;
#include<stdio.h>
I want to perform return to libc in 64 bit architecture using execve. I found a gadget with /bin/sh in it (the /bin/sh offset is 18a143):
cbcd8: 00 00
cbcda: 4c 89 ea mov rdx,r13
cbcdd: 4c 89 e… Continue reading Problem with return 2 libc in 64 bit arch
I just don’t understand how ESP points to the shellcode
let’s say we’ve sent this string
string = 100 * ‘A’ + ‘BBBB’ + ‘CCCC’
I have filled the stack with ‘AAAA..’ and overwritten the EIP value and set it to ‘BBBB’ and I got the segmentat… Continue reading BufferOverFlow – How come ESP points to the end of the payload
I am trying to overflow a stack in C sample code to execute uncalled function in code.
The problem is when i overflow stack by entering a(24 times), $EIP is 0x555555550061. I want it to be 0x555555555561. Why these two zeros are inserted a… Continue reading Automatically insertion of 00 in EIP in Stack Overflow 64bit
I’m trying to exploit the following code with a buffer overflow to get a shell:
int main()
{
char str[64]
gets(str);
return(0);
}
The platform is Ubuntu 64 bit, arch i686.
The program is segfaulting on the 76th byte. Next fou… Continue reading Return address incorrect (buffer overflow)
Almost every beginners (noob friendly) tutorial written for Stack based buffer overflow explains when using mona module to locate a safe reliable memory address for our EIP to JMP to our shellcode should have Rebase, Safe SEH, ASLR disable… Continue reading Buffer overflow Mona modules all show Rebase SafeSEH ASLR True
Im trying the phoenix vm, challenge stack-five on exploit.education (http://exploit.education/phoenix/stack-five/).
I run onto a problem while exploiting a stack overflow. The challenge is run execve(‘/bin/sh’) through shellcode. I grabbed… Continue reading Exploit education stack-five: trouble opening shell
As a home exercise I’m trying to achieve buffer overflow attack by running a simple char array program that stores the input argument in the program stack and then overflowing that stack with long enough input so that EIP gets overwritten … Continue reading Cannot execute shellcode using buffer overflow