
All Questions

1 vote, 0 answers, 38 views

Can't print hexadecimal formatted address in buffer overflow

I'm trying to overwrite the return address caused by a buffer overflow. I've already calculated the distance between the buffer and the return address. The address that I want to jump to is ...
CJG (81)
2 votes, 1 answer, 745 views

Exploit education stack-five: trouble opening shell

I'm trying the Phoenix VM, challenge stack-five on exploit.education (http://exploit.education/phoenix/stack-five/). I ran into a problem while exploiting a stack overflow. The challenge is run execve('...
Burst
0 votes, 1 answer, 416 views

Is it possible to use ROP to call legitimate functions even if the stack is not executable?

I read about the hardware protection that blocks the CPU from jumping to a stack address. But a hacker may still edit the return address to an address in code memory that shouldn't run at that moment. For ...
for the
10 votes, 2 answers, 8k views

Why must a ret2libc attack follow the order "system(), exit(), command"?

In a ret2libc attack, I understand that the return address can be overwritten with the address of the system command, which takes a command string as an argument. In this case, shouldn't the address ...
Lew Wei Hao
5 votes, 1 answer, 5k views

Exploit does not work outside GDB

I already tried various solutions provided to other "exploit doesn't work outside gdb" questions (r.sh, invoke.sh, removing environment variables) and at this point I legit have no idea why the ...
shxdow
2 votes, 1 answer, 2k views

Stack pivoting techniques

I'm practicing exploit development and one of the scenarios I am having the most difficulty with is stack pivoting, besides "ADD ESP, XXX" or something like that. The question is, during the writing ...
Kartone
3 votes, 1 answer, 345 views

Smashing stack in x86_64

Exploiting functions like strcpy() relies on the fact that the payload string must not contain zero bytes that would terminate the copy function. If the payload contains x86_64 addresses (e.g. in ...
Andy (273)
2 votes, 1 answer, 187 views

Understanding a crash

Say you're fuzzing a Windows x32 application for a file format bug and, say, you found a pattern that causes the application to crash. My normal steps are: load the application into a debugger, generate ...
Kartone