buffer-overflow

C Buffer Overflow - Why is there a constant number of bytes that trips a segfault? (Mac OS 10.8 64-bit, clang)

混江龙づ霸主 submitted on 2019-12-08 02:56:27
Question: I was experimenting with buffer overflow in C, and found an interesting quirk: for any given array size, there seems to be a set number of overflow bytes that can be written to memory before a SIGABRT crash. For example, in the code below the 10 byte array can be overflowed to 26 bytes before crashing at 27. Similarly, an array of 20 chars can be overflowed to 40 chars before it aborts on the 41st. Can anyone explain why this is? Also, is the SIGABRT the same as (or caused by) a

How to disable possible stack smashing protection (EIP is not being overwritten, EBP is)

跟風遠走 submitted on 2019-12-07 23:58:12
Question: I'm trying to figure out how stack smashing is carried out step by step. I have already used Google to no avail; I still don't know why my EIP is not being overwritten. I have this example program: #include <stdio.h> #include <string.h> int main(int argc, char *argv[]) { char buf[10]; strcpy(buf, argv[1]); printf("Done.\n"); return 0; } It's compiled with gcc -g -o prog main.c When I put a lot of AAAAAA's I get SEGV and the register EBP (and also argc and argv

Execution of function pointer to Shellcode

此生再无相见时 submitted on 2019-12-07 23:27:32
Question: I'm trying to execute this simple opcode for an exit(0) call by overwriting the return address of main. The problem is I'm getting a segmentation fault. #include <stdio.h> char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00" "/0xb8/0x01/0x00/0x00/0x00" "/0xcd/0x80"; void main() { int *ret; ret = (int *)&ret + 2; // +2 to get to the return address on the stack (*ret) = (int)shellcode; } Execution results in a segmentation error. [user1@fedo BOF]$ gcc -o ExitShellCode ExitShellCode.c [user1@fedo BOF]$ .

Ncurses/C/C++: Using getstr() and preventing overflow (There must be a better way to do this)

断了今生、忘了曾经 submitted on 2019-12-07 12:08:18
Question: I am currently jumping into my first full C++ project and I've run into a hitch with Ncurses. getstr() requires a char array as input, but with this, there is no way to prevent buffer overflow. Let's pretend I'm using this input to get a name. My code would then be the following: int main(){ char* nameTemp = new char[160]; initscr(); getstr(nameTemp); endwin(); delete nameTemp; return 0; } But what happens if the user decides to use more than 160 characters for his name? I get an error and the

Heap / buffer overflow exception

你。 submitted on 2019-12-07 09:53:14
Question: Just curious: is there, or has anyone ever come across, a heap / buffer overflow exception in C#? Answer 1: You can cause a buffer overflow in C# in unsafe code. For example: public unsafe struct testo { public int before; public fixed int items[16]; public int after; } testo x = new testo(); x.after = 1; for (int i = 0; i <= 16; ++i) { unsafe { x.items[i] = 99; } } Console.WriteLine(x.after); The above will print "99" because it overflowed the buffer. Absent unsafe code, I do not know of any way to

memory allocation in C

瘦欲@ submitted on 2019-12-07 03:05:48
Question: I have a question regarding memory allocation order. In the following code I allocate 4 strings in a loop. But when I print the addresses they don't seem to be allocated one after the other... Am I doing something wrong, or is it some sort of defense mechanism implemented by the OS to prevent possible buffer overflows? (I use Windows Vista.) Thank you. char **stringArr; int size=4, i; stringArr=(char**)malloc(size*sizeof(char*)); for (i=0; i<size; i++) stringArr[i]=(char*)malloc(10*sizeof(char

GCC generate Canary or not?

早过忘川 submitted on 2019-12-06 21:18:51
Question: My gcc version is 4.8.2 and my operating system is Ubuntu 14.04 (64 bit). I found that sometimes gcc automatically generates the canary for buffer overflow protection and sometimes it does not; why? Case that generates a canary: when SIZE is a multiple of four #include<stdio.h> #define SIZE 4 int main() { char s[SIZE]; scanf("%s", s); return 0; } asm after gcc -c -g -Wa,-a,-ad ... 4:a.c **** int main() 5:a.c **** { 13 .loc 1 5 0 14 .cfi_startproc 15 0000 55 pushq %rbp 16 .cfi_def_cfa_offset 16 17 .cfi_offset 6, -16 18

Exploit development in Python 3

試著忘記壹切 submitted on 2019-12-06 16:21:17
Question: This question was migrated from Information Security Stack Exchange because it can be answered on Stack Overflow. Migrated 2 years ago. I realised that exploit development with Python 3 is not as straightforward as it is using Python 2. As I understand, this is mainly due to the socket library and the added bytes datatype. For example, I could not figure out how to translate the following code into Python 3 code: --- SNIP --- shellcode = "" shellcode += "\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a

Executing shellcode stored in environment variable using buffer overflow

我与影子孤独终老i submitted on 2019-12-06 13:47:08
Question: I'm using the code below to try to execute some shellcode stored in an environment variable by overflowing the searchstring variable so that the return address of main contains the address of the environment variable. However, I get a segmentation fault before the printf command. #include <stdio.h> #include <string.h> void main(int argc, char *argv[]){ char searchstring[100]; if(argc > 1) strcpy(searchstring, argv[1]); else // otherwise searchstring[0] = 0; printf("Here"); } I compile the

Is there a buffer overflow helloworld for c++?

最后都变了- submitted on 2019-12-06 13:18:38
I tried the code provided by this question, but it doesn't work. How to contrive an overflow to wrap my head around? Update: .file "hw.cpp" .section .rdata,"dr" LC0: .ascii "Oh shit really bad~!\15\12\0" .text .align 2 .globl __Z3badv .def __Z3badv; .scl 2; .type 32; .endef __Z3badv: pushl %ebp movl %esp, %ebp subl $8, %esp movl $LC0, (%esp) call _printf leave ret .section .rdata,"dr" LC1: .ascii "WOW\0" .text .align 2 .globl __Z3foov .def __Z3foov; .scl 2; .type 32; .endef __Z3foov: pushl %ebp movl %esp, %ebp subl $4, %esp movl LC1, %eax movl %eax, -4(%ebp) movl $__Z3badv, 4(%ebp) leave ret