buffer-overflow

I'm writing a return to libc attack for my systems security class. First, the vulnerable code: //vuln.c #include <stdio.h> #include <stdlib.h> int loadconfig(void){ char buf[1024]; sprintf(buf, "%s/.config", getenv("HOME")); return 0; } int main(int argc, char **argv){ loadconfig(); return 0; } I want to use a return to libc attack. Compiling and debugging the program: $ gcc -g -fno-stack-protector -o vuln vuln.c $ gdb vuln (gdb) break loadconfig (gdb) run Reached breakpoint blah blah blah. (gdb) p $ebp $1 = (void *) 0xbfffefb0 (gdb) p system $2 = {<text variable, no debug info>} 0x0016db20

I just wrote a C Code which is below : #include<stdio.h> #include<string.h> void func(char *str) { char buffer[24]; int *ret; strcpy(buffer,str); } int main(int argc,char **argv) { int x; x=0; func(argv[1]); x=1; printf("\nx is 1\n"); printf("\nx is 0\n\n"); } Can please suggest me as to how to skip the line printf("\nx is 1\n"); . Earlier the clue which I got was to modify ret variable which is the return address of the function func . Can you suggest me as to how to change the return address in the above program so that printf("\nx is 1\n"); is skipped. I have posted this question because I

Visual Studio 2013 C++ projects have a /GS switch to enable buffer security check validation at runtime. We are encountering many more STATUS_STACK_BUFFER_OVERRUN errors since upgrading to VS 2013, and suspect it has something to do with improved checking of buffer overrun in the new compiler. I've been trying to verify this and better understand how buffer overrun is detected. I'm befuddled by the fact that buffer overrun is reported even when the memory updated by a statement only changes the contents of another local variable on the stack in the same scope! So it must be checking not only

This one seems like a duplicate of my previous post but it is not..... Here Valgrind giving the following error: udit@udit-Dabba ~/mec $ valgrind --leak-check=full sendip -v -p ipv6 -f file.txt -6s ::1 -p esp -es 0x20 -eq 0x40 -ei z30 -eI z100 -p tcp -ts 21 -td 21 ::2 ==4331== Memcheck, a memory error detector ==4331== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al. ==4331== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info ==4331== Command: sendip -v -p ipv6 -f file.txt -6s ::1 -p esp -es 0x20 -eq 0x40 -ei z30 -eI z100 -p tcp -ts 21 -td 21 ::2 ==4331== esp

From man gets : Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead. Almost everywhere I see scanf being used in a way that should have the same problem ( buffer overflow/buffer overrun ): scanf("%s",string) . This problem exists in this case? Why there are no references about it in the scanf man page? Why gcc does not warn when compiling this

Note : I'm aware ffmpeg and libav are different libraries . This is a problem common to both. Disclaimer : Duplicate of SO question marked as answered but actually didn't give a proper solution. Insufficient UDP buffer size causes broken streams for several high resolution video streams. In LibAV/FFMPEG it's possible to set the udp buffer size for udp urls (udp://...) by appending some options (buffer_size) to it. However, for RTSP urls this is not supported . These are the only solutions I've found: Rebuilding ffmpeg/libav changing the UDP_MAX_PKT_SIZE in the udp.c source file. Using a nasty

I have a small C program to be exploited. And I also understood the logic behind the attack to be performed. However, as much as I try, it is just not working for me. #include <stdio.h> #include <stdlib.h> #define SECRET1 0x44 #define SECRET2 0x55 int main(int argc, char *argv[]) { char user_input[100]; int *secret; int int_input; int a, b, c, d; /* other variables, not used here.*/ /* The secret value is stored on the heap */ secret = (int *) malloc(2*sizeof(int)); /* getting the secret */ secret[0] = SECRET1; secret[1] = SECRET2; printf("Please enter a decimal integer\n"); scanf("%d", &int