exploit

How to bypass the stack canary when exploiting a stack-overflow vulnerability in user mode?

萝らか妹 submitted on 2020-01-16 08:13:11
Question: In Linux, there are many ways to bypass security mechanisms (like NX, ASLR) except the canary. Actually, I find the stack canary is generated by the Linux kernel in the boot_init_stack_canary() function in /arch/arm/include/asm/stackprotector.h. The random number is generated by the extract_entropy function in the end, and it's related to environmental noise such as the keyboard and the time interval between interrupts. Are there any ways to bypass the canary security mechanism when exploiting a stack-overflow

PHP GET variable array injection

蓝咒 submitted on 2020-01-12 13:08:08
Question: I've recently learned that it's possible to inject arrays into PHP GET variables to perform code execution? .php?a[]=asd&a[]=asdasd&b[]=$a That was the example I was given. I have no idea how it works and was wondering if this is even possible? Answer 1: PHP will parse the query string and inject those values into the $_GET super-global array (same for $_POST if this was done in a form using POST, btw). In your case, the $_GET array will contain this: array 'a' => array 0 => string 'asd' (length

Was there a time when PHP's rand() function was used as an exploit?

放肆的年华 submitted on 2020-01-07 07:28:26
Question: Does anybody know if there was a time or event where somebody used rand()'s weakness in order to predict and exploit it? Something like generating tokens or cheating in video games? Since prior to PHP 7, rand() was very easy to crack. In fact, here is some C code, credit to Peter Selinger, that predicts the values given a seed: #include <stdio.h> #define MAX 1000 #define seed 1 main() { int r[MAX]; int i; r[0] = seed; for (i=1; i<31; i++) { r[i] = (16807LL * r[i-1]) % 2147483647; if (r[i] < 0) { r

C code: how to change the return address in the code?

蹲街弑〆低调 submitted on 2019-12-30 06:26:21
Question: I just wrote the C code which is below: #include<stdio.h> #include<string.h> void func(char *str) { char buffer[24]; int *ret; strcpy(buffer,str); } int main(int argc,char **argv) { int x; x=0; func(argv[1]); x=1; printf("\nx is 1\n"); printf("\nx is 0\n\n"); } Can you please suggest to me how to skip the line printf("\nx is 1\n");? Earlier, the clue which I got was to modify the ret variable, which is the return address of the function func. Can you suggest to me how to change the return

C++ Buffer Overflow

旧街凉风 submitted on 2019-12-30 03:33:08
Question: I'm trying to teach myself about buffer overflows and exploitation in C++. I'm an intermediate C++ guy, at best, so bear with me. I've followed a few tutorials, but here's some example code to illustrate my question: #include <string> #include <iostream> using namespace std; int main() { begin: int authentication = 0; char cUsername[10], cPassword[10]; char cUser[10], cPass[10]; cout << "Username: "; cin >> cUser; cout << "Pass: "; cin >> cPass; strcpy(cUsername, cUser); strcpy(cPassword,

Double Free - crash or no crash

橙三吉。 submitted on 2019-12-25 19:03:59
Question: Can someone explain to me why freeing a twice in a row causes a crash, but freeing a first, then b, and then a again does not crash? I know that a free will insert the heap chunk into a doubly linked free list. Freeing twice would insert the same chunk twice into the free list. But why is the crash happening? int *a = malloc(8); int *b = malloc(8); free(a); // free(a); //Would crash! free(b); free(a); //No crash Answer 1: Because in C lingo, undefined behavior is just that: undefined. Anything might

How can I remove null bytes from my object code?

本小妞迷上赌 submitted on 2019-12-23 04:32:32
Question: I want to use my own shellcode for a buffer overflow exploit, so for that I have written a script in the C language [shellcode script]. I have used the following commands: gcc -c file.c -o file.o objdump -sS -D file.o root@kali:~/shellcode# cat file.c #include<stdio.h> int main() { printf("Hi"); } The above code is of 'file.c'. I expect the output of 'objdump -sS -D file.o' to be free from null bytes, but actually this is my output after typing that command: file.o: file format elf64-x86-64

Use a heap overflow to write arbitrary data

安稳与你 submitted on 2019-12-20 08:42:51
Question: I've been trying to learn the basics of a heap overflow attack. I'm mostly interested in using a corruption or modification of the chunk metadata as the basis of the attack, but I'm also open to other suggestions. I know that my goal for the exploit should be to overwrite the printf() function pointer with that of the challenge() function pointer, but I can't seem to figure out how to achieve that write. I have the following piece of code which I want to exploit, which is using malloc from