buffer-overflow

Buffer overflow in C

寵の児 submitted on 2019-12-21 06:58:38
Question: I'm attempting to write a simple buffer overflow using C on Mac OS X 10.6 64-bit. Here's the concept: void function() { char buffer[64]; buffer[offset] += 7; // I'm not sure how large offset needs to be, or if // 7 is correct. } int main() { int x = 0; function(); x += 1; printf("%d\n", x); // the idea is to modify the return address so that // the x += 1 expression is not executed and 0 gets // printed return 0; } Here's part of main's assembler dump: ... 0x0000000100000ebe <main+30>: callq

Buffer overflows on 64 bit

試著忘記壹切 submitted on 2019-12-21 05:31:59
Question: I am trying to do some experiments with buffer overflows for fun. I was reading on this forum on the topic, and tried to write my own little code. So what I did is a small "C" program, which takes a character argument and runs until segmentation fault. So I supply arguments until I get a message that I overwrote the return address with "A", which is 41. My buffer character length, in which I copy my input strings, is [5]. Here is what I did in gdb. run $(perl -e 'print "A"x32 ; ') Program

heap overflow attacks

ⅰ亾dé卋堺 submitted on 2019-12-20 10:27:29
Question: How are heap overflow attacks done? In the case of stack overflow attacks, the attacker replaces the function return address with his address. How is this done in heap overflow attacks? Also, is it possible to run code from the heap? Answer 1: Note this varies by platform, and my example is overly simplified. It basically comes down to heap managers having linked lists that could be overrun, and you can use the linked list pointers to overwrite random parts of the process's memory. Imagine I have a naive

Writing a return-to-libc attack, but libc is loaded at 0x00 in memory

时光毁灭记忆、已成空白 submitted on 2019-12-19 09:10:29
Question: I'm writing a return-to-libc attack for my systems security class. First, the vulnerable code: //vuln.c #include <stdio.h> #include <stdlib.h> int loadconfig(void){ char buf[1024]; sprintf(buf, "%s/.config", getenv("HOME")); return 0; } int main(int argc, char **argv){ loadconfig(); return 0; } I want to use a return-to-libc attack. Compiling and debugging the program: $ gcc -g -fno-stack-protector -o vuln vuln.c $ gdb vuln (gdb) break loadconfig (gdb) run Reached breakpoint blah blah blah.

How does Visual Studio 2013 detect buffer overrun

拜拜、爱过 submitted on 2019-12-19 05:44:07
Question: Visual Studio 2013 C++ projects have a /GS switch to enable buffer security check validation at runtime. We are encountering many more STATUS_STACK_BUFFER_OVERRUN errors since upgrading to VS 2013, and suspect it has something to do with improved checking of buffer overrun in the new compiler. I've been trying to verify this and better understand how buffer overrun is detected. I'm befuddled by the fact that buffer overrun is reported even when the memory updated by a statement only changes

Homework - Cannot exploit buffer overflow

懵懂的女人 submitted on 2019-12-19 03:24:39
Question: I am trying to learn to exploit a simple buffer overflow technique on Backtrack Linux. Here is my C program #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buffer[500]; if(argc==2) { strcpy(buffer, argv[1]); //vulnerable function } return 0; } This is the shellcode I am using, which corresponds to a simple /bin/ls \x31\xc0\x83\xec\x01\x88\x04\x24\x68\x6e\x2f\x6c\x73\x66\x68\x62\x69\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80

If one complains about gets(), why not do the same with scanf("%s",…)?

▼魔方 西西 submitted on 2019-12-19 03:14:17
Question: From man gets: Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead. Almost everywhere I see scanf being used in a way that should have the same problem (buffer overflow/buffer overrun): scanf("%s",string). Does this problem exist in this case?

boost::asio::buffer: Getting the buffer size and preventing buffer overflow?

拈花ヽ惹草 submitted on 2019-12-18 11:57:50
Question: I have the two following functions for sending and receiving packets. void send(std::string protocol) { char *request=new char[protocol.size()+1]; request[protocol.size()] = 0; memcpy(request,protocol.c_str(),protocol.size()); request_length = std::strlen(request); boost::asio::write(s, boost::asio::buffer(request, request_length)); } void receive() { char reply[max_length]; size_t reply_length = boost::asio::read(s, boost::asio::buffer(reply, request_length)); std::cout << "Reply is: "; std: