All Questions tagged with buffer-overflow, dep
12 questions
3 votes · 1 answer · 3k views
Why ret2libc is not working in the below code on x86_64?
I am trying to bypass DEP in x86_64 (64 bit - ASLR OFF). I have my own vulnerable code and I have also written an exploit code with a basic ROP to jump into system() with parameter "/bin/sh",...
0 votes · 2 answers · 1k views
Is arbitrary code execution possible using GOT overwrite with W^X enabled?
Is it possible to reliably execute arbitrary code from a single overwrite of the Global Offset Table when W^X is enabled? By "reliably" I mean assuming I control only the location pointed to by the ...
13 votes · 2 answers · 22k views
How is the stack protection enforced in a binary?
On a Linux box with an Intel CPU, let's say I compiled my binary with -fstack-protector-all. How is this encoded into the binary? (Can I see this info using readelf?) Is it encoded into every page/...
0 votes · 1 answer · 4k views
How to bypass DEP and ASLR at the same time? [duplicate]
I have read some articles about bypassing DEP and ASLR, but it seems that they bypass ASLR and DEP by using the instructions in the modules not applying ASLR. But how to bypass ASLR and DEP in the ...
1 vote · 1 answer · 900 views
ROP - pop eax, ret gadget doesn't work
I am building a ROP chain for a security challenge. I have a problem in my ROP chain. I found some interesting gadgets with ropshell.com, and they seem to work pretty well except one. Indeed I follow ...
2 votes · 1 answer · 931 views
SEH overwrite attack details
If there are canaries on stack, why does not the exception handler check the integrity of canaries? Why does it continue executing a manipulated exception handler? Will corrupting a canary trigger an ...
15 votes · 3 answers · 4k views
Compiling a buffer overflow example in modern Linux?
I'm trying to compile a simple buffer overflow example on a Debian i386 VM. The executable builds ok, but EIP does not get overwritten correctly despite being supplied a sufficiently large input to ...
1 vote · 0 answers · 340 views
Buffer overflow and register contents?
I am doing an exam practice question. Suppose I have a function like: void func(char* arg) { char buf[32]; strcpy(buf, arg); } command break func: - buf begins at 0xbffebfb0 - (gdb) x/2wx $...
1 vote · 1 answer · 441 views
Getting a DEP exception when trying to call SetProcessDEPException(false)
I'm demonstrating an exploit for an old app. On Windows XP SP3 32bit (EN), the address of SetProcessDEPPolicy() is usually 0x7C8622A4. I have that version of Windows (in English as well) and I've ...
3 votes · 1 answer · 2k views
Bypass Full ASLR+DEP exploit mitigation
Let's assume that a vulnerable process is set up with ASLR and DEP on all the imported modules used in this process and there is no way to find a module that is ASLR-free. Moreover, the ...
2 votes · 1 answer · 359 views
Are stack buffer overflows even possible in this instance?
Let's say there is a C program that simply takes a string argv[1] and uses sprintf to copy it into a finite buffer. Classic stack buffer overflow. Let's even say the program is more complicated, ...
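As an added illustration of the argv[1] → sprintf → fixed buffer pattern this question describes (example code written for this listing, not taken from the question or any answer to it), here is the unbounded copy next to a bounded version. The function names `vuln_copy` and `safe_copy` and the 32-byte buffer size are assumptions chosen for the demo; the vulnerable function keeps exactly the defect the question names and is never called with untrusted input here.

```c
/* Added example: the sprintf-into-fixed-buffer overflow from the
 * question, beside a bounded replacement. Names and sizes are
 * illustrative assumptions, not from the original post. */
#include <stdio.h>
#include <string.h>

#define BUFSZ 32   /* assumed size of the "finite buffer" */

/* Deliberately vulnerable: sprintf cannot know how large buf is, so any
 * argument longer than BUFSZ-1 bytes (plus the terminating NUL) writes
 * past the end of the array and onto whatever the compiler placed above
 * it: saved registers, the stack canary if one exists, and the saved
 * return address. Only ever call this with trusted, short input. */
void vuln_copy(const char *arg)
{
    char buf[BUFSZ];
    sprintf(buf, "%s", arg);   /* unbounded write: the bug */
    puts(buf);
}

/* Bounded version. snprintf writes at most dstsz bytes (NUL included)
 * and always terminates the string; its return value is the length the
 * complete output would have had, so n >= dstsz means the input was
 * truncated. Returns 0 when the whole argument fit, -1 when it did not.
 * In neither case is anything past dst[dstsz-1] touched. */
int safe_copy(char *dst, size_t dstsz, const char *arg)
{
    int n = snprintf(dst, dstsz, "%s", arg);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char buf[BUFSZ];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    /* Refuse over-long input instead of silently letting it run off the
     * end of buf, which is what the sprintf version above would do. */
    if (safe_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "input too long (%zu bytes, max %d)\n",
                strlen(argv[1]), BUFSZ - 1);
        return 1;
    }
    puts(buf);
    return 0;
}
```

Compile with `gcc -Wall -o copy copy.c` and run `./copy "$(python3 -c 'print("A"*100)')"`: the bounded build reports the length error and exits, whereas a build that called `vuln_copy` with the same argument would overwrite the stack beyond `buf`, which is the situation the question is about.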
4 votes · 2 answers · 3k views
How does SEH based exploit bypass DEP and ASLR?
I am new to structured exception handling based exploits. Why don't we put our return address directly in SE handler to jump to our shellcode? (with no safe SEH) Can anybody explain the reason of ...