All Questions
18 questions
1 vote, 0 answers, 175 views
How to properly pack address into bytes to overwrite EIP register
I'm learning how to exploit a tiny web server based on a well written post here: https://blog.coffinsec.com/2017/11/10/tiny-web-server-buffer-overflow-discovery-and-poc.html I am very close to ...
0 votes, 1 answer, 757 views
Unable to execute shellcode on x86_64 architecture
I currently got interested in binary exploitation (even though I do not know if it is still useful today). I started studying shellcode and buffer overflow (stack-buffer overflow, specifically). I know ...
4 votes, 2 answers, 314 views
Instruction Overwrites with Garbage?
I am practicing a function return address overwriting exploit. However, the program instruction pointer instead gets overwritten by gibberish. I have tried compiling with -fno-builtin and -fno-...
2 votes, 1 answer, 2k views
BufferOverflow ESP too small for shellcode
I want to write an exploit for a test application that provides only 12 bytes of space at the ESP. I'm not able to place shellcode in such a small space. I have no clue what I can do to solve this. I ...
2 votes, 1 answer, 745 views
Exploit education stack-five: trouble opening shell
I'm trying the Phoenix VM, challenge stack-five on exploit.education (http://exploit.education/phoenix/stack-five/). I ran into a problem while exploiting a stack overflow. The challenge is run execve('...
1 vote, 3 answers, 267 views
Why Does Only 1 Of These 2 Almost-identical Payloads Give Me A Shell?
I wrote a vulnerable test program to practice buffer overflows; however, I was having trouble getting it to work. Finally, after slightly modifying the return address, I was able to gain a shell, but ...
7 votes, 1 answer, 2k views
Why would legitimate programs have a `jmp esp` instruction?
It appears that a common exploit trick is to use stack overflow to overwrite the instruction pointer such that it points to a jmp esp instruction somewhere in the code segment which then executes the ...
2 votes, 1 answer, 3k views
Buffer Overflow memory address calculation on 64bit
I have an assignment where I must exploit a buffer overflow vulnerability on a remote machine. I have only execute permission on the program, so I can't use gdb. I managed to take control of the rip and ...
2 votes, 1 answer, 2k views
Why is fnstenv giving me a NULL address in my shellcode on Windows XP?
I am going through an introductory tutorial on writing exploits, which can be found here. The tutorial goes over a simple stack based buffer overflow vulnerability in the Easy RM to MP3 Conversion ...
3 votes, 1 answer, 1k views
Buffer overflow to server
I have a server, for reference: pastebin/ghJX69uH, that I can netcat to and it will ask to input a msg. I know it is vulnerable to buffer overflow, but I can't seem to get the shellcode to run. I ...
3 votes, 2 answers, 5k views
Buffer overflow - Print "hello world"
I'm wondering what the shellcode would be to simply print "hello world" to the console. When testing for vulnerabilities, I think it would be very useful to have shellcode to test if the exploit works....
4 votes, 3 answers, 5k views
Install a vulnerable service for Windows 7
I have some kind of a project or demonstration, where I have to exploit Windows 7 to get a remote shell. I did a vulnerability scan with Nessus on my Windows 7 machine, but I didn't find any kind of ...
2 votes, 1 answer, 771 views
Execute from environmental variable while stack is not executable
Strange thing happened. I created EGG=NOPs + shellcode. Then I got the address of EGG; I made a buffer overflow and jumped to it and got the shell (the address of the shell is the second parameter). How is this ...
11 votes, 2 answers, 17k views
NX bit: does it protect the stack?
I once heard the NX bit was a panacea, then that it was not. One detail I've wondered about though: Does the NX (no execute) bit protect against code inserted into the stack and executed there? It ...
3 votes, 1 answer, 11k views
Stack buffer overflow confusion
I am trying to dig deeper into the nuts and bolts of a stack buffer overflow using the classical NOP-sled technique. Reading some articles and watching videos brought me to a confusion which can be ...