All Questions

1 vote, 0 answers, 101 views

Bash - SUID Program's Child Process did not inherit Parent Process UID as EUID [duplicate]

Background In practicing pentesting a VM on Vulnhub I encountered an issue that is quite interesting with Brainpan. After initial access with a limited shell generated from a BoF exploit on a service ...
0x5929
0 votes, 2 answers, 1k views

Find Buffer Overflows at a target you want to gain access

I want to pass my OSCP exam and I am learning with the material I got. I watched the videos and read the PDF, but I have a question about buffer overflows. In the example in the videos, the guy has ...
Soteri
1 vote, 1 answer, 2k views

Simple buffer overflow trying to leak address of system()

Code: #include <string.h> void vuln(char *arg) { char buffer[10]; strcpy(buffer, arg); } int main( int argc, char** argv ) { vuln(argv[1]); return 0; } I've determined I ...
Bobby Bushay
1 vote, 1 answer, 7k views

How to exploit this buffer overflow. Where is the return address?

I'm practicing doing buffer overflows and, weirdly, I can do some but not others and it is not clear to me why. Here is the example code. Code that I need help with: #include <stdio.h> int ...
wussavennell
2 votes, 1 answer, 394 views

How do you test buffer overflows in the lab?

I'm doing a lot of learning about buffer overflows and BROP. My problem is: how can I test against real software in the lab? I can find a lot of CVEs that contain severe bugs that are open to a buffer ...
BugHunterUK
1 vote, 0 answers, 362 views

Server improperly handling unicode characters?

So I'm pen-testing a web application. Upon submitting certain data it sends it in a POST request which contains the data in a JSON object. So while fuzzing it I was testing for improper encoding ...
Edward Severinsen
1 vote, 1 answer, 379 views

Fuzzing: Quickly find the exact number of bytes

I'm currently practicing buffer overflows, and I have a question for you regarding fuzzing. I am able to develop a Python script that will try several buffer sizes to crash an application. It works ...
3r4inZ
2 votes, 1 answer, 2k views

Metasploit MsfVenom - Payload binds shell, but unable to spawn it with netcat

Running a SEH BoF exploit script that contains a payload that is generated from msfvenom as such: msfvenom --payload windows/shell/bind_tcp --format py --arch x86 --platform windows --bad-chars "\...
0x5929
3 votes, 1 answer, 998 views

Buffer overflow: How is it actually implemented in a pen testing environment?

Background: So when exploiting a buffer overflow vulnerability, the attacker needs to not only generate the payload (let's say to create a binding shell), but also set up the corrupted buffer with ...
0x5929
4 votes, 1 answer, 867 views

Return-to-libc Attack mystery

I'm studying the Return-to-libc Attack and I understand the concept. But one thing still does not make sense. In order to make the attack I need the memory address of system() and "/bin/sh", which is ...
Spring
1 vote, 0 answers, 1k views

Trick needed to make use of a local buffer overflow vulnerability to obtain root

I am working on a certain CTF trying to gain root privileges in it. I found a program vulnerable to a buffer overflow with the non-executable stack security level (NX); I developed an exploit ...
HAlmusajjen
1 vote, 0 answers, 2k views

Performing denial of service attack using Python [closed]

I am a student, so please don't be rude if I miss something; this project is for research purposes only. I am willing to perform a denial of service attack (on my own servers). I am not willing to do ...
VISWESWARAN NAGASIVAM
2 votes, 1 answer, 481 views

Is my understanding of buffer overflows correct?

I am new to pentesting and wondering if my current understanding of buffer overflow exploits is correct. Assuming an operating address space of 3 addresses, an instruction space of 2 addresses, and an ...
ThePracticalCryptographer
5 votes, 1 answer, 409 views

How do attackers gather remote feedback for identifying and exploiting buffer overflows?

Local buffer overflows are relatively easy to understand: throw some input at an interface and see if the process fails with a core dump or similar. However, in my mind, this kind of exploit works ...
logicalscope