All Questions
Tagged with: exploit-development, linux
26 questions
0 votes · 0 answers · 353 views
64 Bit ELF Buffer Overflow Not working possibly due to if statement
I wrote the following: #include <stdio.h> int win(){ printf("Won!\n"); return 0; } int vulnerable(){ char buffer[20]; memset(buffer, 0, 10); printf("Input: &...
1 vote · 2 answers · 686 views
How do attackers determine ROP gadgets remotely?
Given that gadgets change with each system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets? Would an attacker first need to ...
2 votes · 1 answer · 592 views
Is it necessary to understand Linux kernel internals to do binary exploitation? [closed]
I am a second-year CS student. I know C, OOP concepts, x86 architecture, reverse engineering basics, the TCP/IP stack and OS concepts, and I also love the Linux OS. I have just one question: is it mandatory to ...
2 votes · 0 answers · 212 views
String Format Exploit x64 compiled with -Wformat-security -D_FORTIFY_SOURCE=2 on
I found a daemon running as uid 0 that has a string format vulnerability. It is compiled with -Wformat-security and -D_FORTIFY_SOURCE=2 on. I'm trying to write an exploit for it, but what I get is: ...
2 votes · 1 answer · 3k views
Exploit Development - Find system address in a given libc
If I have a libc file which is used on another server where the vulnerable binary is running, then how can I find the address of system in it? I have both the vulnerable binary and the libc file with ...
3 votes · 0 answers · 405 views
EIP Overwrite Exploit not working
I am writing an exploit for an x86 binary on Linux and I'm learning exploitation. The binary has no protections and the stack is also executable. It has a buffer overflow when it uses memcpy() ...
2 votes · 1 answer · 512 views
Does an Egghunter attack still make sense in a 64 bit system?
Background: An Egghunter is basically a small stub that acts as the first stage in a two-stage exploitation attempt (where the second stage is usually the malicious payload shellcode). In the first stage, ...
0 votes · 1 answer · 294 views
SegmentSmack exploit
I am studying the SegmentSmack vulnerability. As far as I understood, the vulnerability is due to the fact that reordering the packets in the out-of-order buffer is a very CPU-intensive operation. So ...
7 votes · 1 answer · 8k views
Why does my x86 shellcode test program segfault?
I am trying to learn how to create shellcode, my goal is to call execve(). I wrote the code in assembly and it works perfectly, there are no null-bytes or absolute addressing methods. The code works ...
3 votes · 0 answers · 311 views
Is the difference between a loaded elf and libc a constant value?
While doing binary exploitation and studying the case when ASLR is enabled, I noticed I could make a reliable exploit by leaking an address of a function in the binary and finding the address of ...
0 votes · 0 answers · 582 views
Huge Dirty COW - Privileged access to files like with Dirty COW possible?
Has anybody read the Huge Dirty COW writeup? Can we also shmem files using THP and achieve the same result as Dirty COW, privileged access to files?
1 vote · 0 answers · 350 views
Kernel 4.3.5 Exploitation x86 32 bit - Stack Structure [closed]
What is the Linux kernel 4.3.5 x86 32-bit stack structure? I am trying to overwrite it, but it shows that it is corrupted. I am overwriting it, setting the frame like this: /* * Setup the fake frame *...
1 vote · 1 answer · 899 views
Kernel x86 32 bit Stack Overflow - overwriting EIP segfaults in __kernel_vsyscall+9 [closed]
Why does it segfault in __kernel_vsyscall+9? I did an inspection of EIP and broke just after fwrite(), line 93 in exp.c: (gdb) x/10x 0xb7fd9ce5 0xb7fd9ce5 <__kernel_vsyscall+9>: 0xc3595a5d 0x90909090 ...
7 votes · 1 answer · 2k views
Exploit only works in gdb
tl;dr: Why does my exploit only work inside gdb? I'm very new to the buffer overflow and exploit development fields. To improve my skills, based on a series of papers and videos, I wrote this simple C ...
3 votes · 1 answer · 5k views
How to exploit binary with no syscall gadget or information leak in full ASLR and NX?
So I have a Linux x86-64 binary, dynamically linked with libc, running remotely on a patched Ubuntu 16.04. The executable makes one call to libc read and exits, allowing a simple stack overflow into ROP. ...