exploit

I'm having problems with return-to-libc exploit. The problem is that nothing happens, but no segmentation fault (and yes I'm actually overflowing the stack). This is my program: int main(int argc, char **argv) { char array[512]; gets(array); } I'm using gets instead of strcopy, because my addresses start with 0x00 and strcpy thinks it's the end of a string, so I can't use it. Here are the addresses that I need: $ gdb main core (gdb) p system $1 = {<text variable, no debug info>} 0x179680 <system> (gdb) p exit $2 = {<text variable, no debug info>} 0x16f6e0 <exit> (gdb) x/s 0xbffffe3f 0xbffffe3f

I am trying to reproduce the stackoverflow results that I read from Aleph One's article "smashing the stack for fun and profit"(can be found here: http://insecure.org/stf/smashstack.html ). Trying to overwrite the return address doesn't seem to work for me. C code: void function(int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; //Trying to overwrite return address ret = buffer1 + 12; (*ret) = 0x4005da; } void main() { int x; x = 0; function(1,2,3); x = 1; printf("%d\n",x); } disassembled main: (gdb) disassemble main Dump of assembler code for function main: 0x00000000004005b0

I am trying to understand if/how return-into-libc and return-oriented programming exploits are possible if a canary is being used. A canary would be placed on the stack in between the return value and the buffer to be overflown, and would need to be overwritten in order to change the return value to the location of a library function or computation. Canaries have been around since 1997 (StackGuard) and ROP is a technique first introduced in 2007 (Shacham). Does a canary make these types of attacks impossible? Does a canary make these types of attacks impossible? No, it doesn't. It makes it

The "heap spraying" wikipedia article suggests that many javascript exploits involve positioning a shellcode somewhere in the script's executable code or data space memory and then having interpreter jump there and execute it. What I don't understand is, why can't the interpreter's entire heap be marked as "data" so that interpreter would be prevented from executing the shellcode by DEP? Meanwhile the execution of javascript derived bytecode would be done by virtual machine that would not allow it to modify memory belonging to the interpreter (this wouldn't work on V8 that seems to execute

I've been trying to learn the basics of a heap overflow attack. I'm mostly interested in using a corruption or modification of the chunk metadata for the basis of the attack, but I'm also open to other suggestions. I know that my goal of the exploit should be do overwrite the printf() function pointer with that of the challenge() function pointer, but I can't seem to figure out how to achieve that write. I have the following piece of code which I want to exploit, which is using malloc from glibc 2.11.2 : void challenge() { puts("you win\n"); } int main(int argc, char **argv) { char *inputA,

Today online security is a very important factor. Many businesses are completely based online, and there is tons of sensitive data available to check out only by using your web browser. Seeking knowledge to secure my own applications I've found that I'm often testing others applications for exploits and security holes, maybe just for curiosity. As my knowledge on this field has expanded by testing on own applications, reading zero day exploits and by reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws , I've come to realize that a majority of

The code that I am struggling with is shown below: section .text global _start _start: xor eax, eax push eax push 0x68732f2f ;This is equivalent to push '//sh' push 0x6e68622f ;This is equivalent to push '/bin' mov ebx, esp push eax push ebx mov ecx, esp xor edx, edx mov al, 0x0b int 0x80 mov eax, 0x01 xor ebx, ebx int 0x80 Basically, what this code supposedly does is that it slips some null-terminated string "/bin/sh" into the memory (specifically, the top of the stack), along with a char *[2], which holds the address of the aforementioned string and a null character, then it invokes system

#include <stdio.h> int main() { char s[200] int a=123; int b=&a; scanf("%50s",s); printf(s); if (a==31337) func(); } The aim is to execute a format string attack - to execute func() by inputting a string. I tried to use %n to overwrite the variable but I came to conclusion is that it is impossible without displaying b variable first and I have no idea how. Any hint would be appreciated. Sorry for my bad english. Let's try with and without printing: $ cat > f.c << \EOF #include <stdio.h> void func() { fprintf(stderr, "func\n"); } int main() { char s[200]; int a=123; int b=&a; #ifdef FIXER