exploit

Segfault when writing to string allocated by db [assembly]

。_饼干妹妹 submitted on 2021-02-15 05:28:51
Question: I'm following a basic shell-spawning exploit example. Below is exactly what my book tells me to write, yet I still get a segfault. When running this in gdb, I get a segfault at "mov byte [esi + 7], al". This line is necessary so that I can put a null byte at the end of my string "/bin/sh". When I flipped it around to "mov byte al, [esi + 7]", this did not cause a segfault. I'm assuming that I do not have write permissions to the place in memory where my string is stored. It seems I only have

Segfault when writing to string allocated by db [assembly]

戏子无情 submitted on 2021-02-15 05:28:35
Question: I'm following a basic shell-spawning exploit example. Below is exactly what my book tells me to write, yet I still get a segfault. When running this in gdb, I get a segfault at "mov byte [esi + 7], al". This line is necessary so that I can put a null byte at the end of my string "/bin/sh". When I flipped it around to "mov byte al, [esi + 7]", this did not cause a segfault. I'm assuming that I do not have write permissions to the place in memory where my string is stored. It seems I only have

Isn't a segmentation fault the same as smashing the stack?

孤者浪人 submitted on 2021-02-08 08:42:34
Question: As a consequence of a programming error we get segmentation faults. But as a necessary tool we try the same thing, and the kernel detects it as smashing the stack. How exactly does the kernel see the difference?
Answer 1: Briefly, no. Segmentation faults are when the kernel is able to detect an invalid memory access and then kills the process. Some invalid memory accesses cannot be detected by the kernel, and stack overflows are built on these. However, stack overflows can be detected by the

Is it safe to expose a Java remote debugger port to the internet?

穿精又带淫゛_ submitted on 2021-02-07 07:13:33
Question: I was going to expose a port for remote debugging of a Java-based web service over the internet, but on thinking twice I realised that it has no authentication at all. Theoretically, it seems to be possible to write a tool that attaches to the remote debugger port and executes arbitrary system commands via the Java API. Or modifies/dumps the database, and so on. At least this exploit seems to be the case: http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html I don't remember

Is it safe to expose a Java remote debugger port to the internet?

本小妞迷上赌 submitted on 2021-02-07 07:10:43
Question: I was going to expose a port for remote debugging of a Java-based web service over the internet, but on thinking twice I realised that it has no authentication at all. Theoretically, it seems to be possible to write a tool that attaches to the remote debugger port and executes arbitrary system commands via the Java API. Or modifies/dumps the database, and so on. At least this exploit seems to be the case: http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html I don't remember

Exploit Development - GETS and Shellcode

给你一囗甜甜゛ submitted on 2020-12-05 11:49:06
Question: Trying to learn more about exploit dev and building shellcodes, but I ran into an issue I don't understand the reason behind. Why am I not able to run a shellcode such as execve("/bin/sh") and spawn a shell I can interact with? While on the other hand, I'm able to create a reverse / bind_tcp shell and connect to it with netcat. Sample program:

    // gcc vuln.c -o vuln -m32 -fno-stack-protector -z execstack
    #include <stdio.h>
    #include <string.h>
    void test() {
        char pass[50];
        printf("Password: ");

MongoDB $regex query and potential exploits

ぐ巨炮叔叔 submitted on 2020-12-05 07:04:05
Question: We have a REST API for querying records in a MongoDB. Very simple, something along the following: GET /api/items?q=foo During development, it was convenient to allow regular expressions as the query q. We would simply pass the query parameter to a MongoDB $regex operator and not do any escaping: db.getCollection('items').find({ name: { $regex: req.query.q, $options: 'i' } }); Thus we have a very flexible and convenient way of querying our data. Now that things are getting "serious", i.e.

Decoding a Roblox backdoor

不羁岁月 submitted on 2020-05-16 02:32:26
Question: I am working on a Roblox Lua script that I found when searching for backdoors into a game I moderate. The backdoor loaded an external script that I got the source code for, and I am working on decoding and reverse engineering it. The line that I am having trouble with is local varname = #{6133} This is really confusing me because I have never encountered it before. I do very little Lua programming but I am experienced in Java and C++, but even after research I don't know what the #{number} does

exp, Exploit, Exploit Pack, exp-gui, Payload, MetaSplo

冷暖自知 submitted on 2020-04-10 00:45:04
For newcomers on the security path, the terms exp, Exploit, Exploit Pack, exp-gui, Payload and MetaSploit cause no small amount of confusion, so here is an explanation.

Exp is short for Exploit, meaning the exploitation of a vulnerability. Note that having a vulnerability does not necessarily mean there is an Exploit for it, but having an Exploit certainly means there is a vulnerability. We can extend the meaning to the method of exploitation, which usually takes the form of code of one kind or another. See: Debug Struts2 S2-021的一点心得体会 (some lessons from debugging Struts2 S2-021).

Payload refers to particular ways of using an exp, usually in the context of a vulnerability testing platform; see MSF漏洞攻击练习系统 (the MSF vulnerability attack practice system).

exp-gui is what we commonly call a tool: built on an exp, it is a vulnerability exploitation tool with a graphical interface, written in a popular language such as C or C++. The appearance of one of these marks the vulnerability's mature stage and foreshadows its outbreak.

Exploit Pack: here the pack can be any collection of exploitation tools, and the vulnerabilities are all mature, actively exploited or commercially used ones, mainly client-side vulnerabilities such as local IE, PDF readers, Flash and so on. It belongs to the same category as MetaSploit, except that MetaSploit focuses on remotely executed vulnerabilities and is better known.

MetaSploit: Metasploit is a free, downloadable framework through which one can easily acquire, develop and launch attacks against computer software vulnerabilities