buffer-overflow

Buffer Overflow Vulnerability Lab problems

左心房为你撑大大i submitted on 2019-12-13 00:42:42
Question: I have a lab assignment that I am stuck on. Basically, I have to take advantage of a buffer overflow to generate a shell that has root privileges. I have to use 2 separate .c files. Here is the first one: stack.c #include <stdlib.h> #include <stdio.h> #include <string.h> int bof(char *str) { char buffer[12]; //BO Vulnerability strcpy(buffer,str); return 1; } int main(int argc, char* argv[]) { char str[517]; FILE *badfile; badfile = fopen("badfile","r"); fread(str, sizeof(char),517, badfile);

Shellcode: perform 2 execve() calls

独自空忆成欢 submitted on 2019-12-12 21:21:54
Question: I am trying to write shellcode in assembly. I need to perform a /usr/bin/killall command AND a /usr/bin/wget command. I have both commands running perfectly in shellcode with the execve() syscall. But now I want to combine these 2, but this is not possible because the program exits when the first execve() call is executed (from the man pages of execve(): execve() does not return on success). How can I perform 2 execve() calls? Or is there another way to call both /usr/bin/killall and /usr

Write buffer overflow exploit — how to figure out the address of the shellcode?

眉间皱痕 submitted on 2019-12-12 16:10:40
Question: When writing a buffer overflow exploit, I understand that I'll need to input an array of length (address_of_return_address - address_of_buffer). And the array needs to be filled with the address of the shellcode, so that when my input array overflows, it overwrites the saved return address with the address of the shellcode. I think since the shellcode will be stored above the saved return address on the stack, its address should be address_of_return_address + the distance to the beginning of

addressSanitizer: heap-buffer-overflow on address

感情迁移 submitted on 2019-12-12 08:40:13
Question: I am at the very beginning of learning C. I am trying to write a function to open a file, read a BUFFER_SIZE, store the content in an array, then track the character '\n' (because I want to get each line of the input). When I set BUFFER_SIZE very large, I can get the first line. When I set BUFFER_SIZE reasonably small (say, 42), which is not yet the end of the first line, it prints out some weird symbol at the end, but I guess it is some bug in my own code. However, when I set the

Is there any way to bypass SSP (StackSmashing Protection)/Propolice?

℡╲_俬逩灬. submitted on 2019-12-12 08:04:25
Question: After some research I haven't found any paper describing a method to do this (not even an unreliable one). It seems that SSP (StackSmashing Protection)/Propolice Answer 1: Canaries are a very good security measure for protecting against some buffer overflows. Over the years various canary implementations have been broken and then made more secure. What is important is that even despite advanced memory protection, buffer overflows are still being exploited on Vista, Windows 7 and Fedora 11... One very

How to properly error trap read in c to get byte number from a file descriptor

若如初见. submitted on 2019-12-12 03:57:17
Question: I am currently writing a small dummy program to try and get the hang of properly using read in C. I made a small function called readdata to read from the file descriptor and store in a buffer, then return the number of bytes read. My problem is I am trying to correctly error handle and trap things so that there is no buffer overflow, but I keep doing something from. Here is the tester: #include <stdio.h> #include <string.h> #include <unistd.h> #define BUFSIZE 10 int readdata(int fd, char

The effects of writing past the end of an array [duplicate]

纵然是瞬间 submitted on 2019-12-11 14:09:13
Question: This question already has answers here: Closed 7 years ago. Possible Duplicate: Array overflow (why does this work?) I found some C++ code that does something like this: struct Test { int a[128]; char b[768]; }; int main() { Test test; for( int i = 0; i < 200; ++i) test.a[i] = 1; return 0; } I realize it's wrong. But I want to know what the effect will be. On GCC 4.3.4, the Test::b array is untouched. Is that guaranteed? What is happening here? Is it the same effect for reading? e.g. int

QNX runtime error: unknown symbol __stack_chk_guard

醉酒当歌 submitted on 2019-12-11 13:17:42
Question: I'm trying to test the backward compatibility between QNX 6.6.0 and 6.5.0 (in consequence of an earlier question I've got). I compiled a relatively simple program using SDP6.6.0 and executed it on Neutrino 6.5.0. When I execute the program the following runtime error pops up: unknown symbol: __stack_chk_guard ldd:FATAL: Could not resolve all symbols What is causing this? (I've found the solution but it wasn't working right away. When I started writing this question I realized the error I made.

jmp short 0x0 causing loop forever

旧时模样 submitted on 2019-12-11 07:43:58
Question: I am told that the instruction "jmp short 0x0", which translates to the object code '\xeb\xfe', causes a process to loop forever. How exactly does this work? Answer 1: This question seems disingenuous, but giving the benefit of the doubt, the reason is that the instruction will elicit a jump back to itself. \xeb\xfe translates literally to "Jump ahead -2 bytes from the start of the next instruction." Since this instruction is itself 2 bytes long, the jump destination will be the jump instruction

Undefined Behavior quirk: reading outside a buffer causes a loop to never terminate?

ぐ巨炮叔叔 submitted on 2019-12-11 04:58:12
Question: I wrote a very trivial program to try to examine the undefined behavior attached to buffer overflows, specifically regarding what happens when you perform a read on data outside the allocated space. #include <iostream> #include<iomanip> int main() { int values[10]; for (int i = 0; i < 10; i++) { values[i] = i; } std::cout << values << " "; std::cout << std::endl; for (int i = 0; i < 11; i++) { //UB occurs here when values[i] is executed with i == 10 std::cout << std::setw(2) << i << "(" <<