Questions tagged [aslr]

Address Space Layout Randomisation (ASLR) is a mitigation that makes memory-corruption exploits, including shellcode injection, harder to pull off. It does this by randomly offsetting the base addresses of loaded modules and certain in-memory structures, so an exploit cannot rely on fixed addresses.

93 questions
NX + ASLR bypass - troubles with return address of .bss
1 vote, 0 answers
I have one problem while doing an NX + ASLR bypass. I'm going through this tutorial step by step. Everything is going well; I have prepared my exploit, just with another address and some small modifications: #!/usr/bin/python from struct import…
Asked by core2dump
Buffer overflow and register contents?
1 vote, 0 answers
I am doing an exam practice question. Suppose I have a function like: void func(char* arg) { char buf[32]; strcpy(buf, arg); } command break func: - buf begins at 0xbffebfb0 - (gdb) x/2wx $ebp 0xbfebfd8: 0xbffec068 0x08048fe1 machine is…
Asked by user124627
How to exploit with control over the return address and knowing the address of printf
1 vote, 1 answer
I have this program that uses ASLR and leaks information when I overflow a buffer, namely the address of printf. Furthermore I can overwrite the return address. How can I use this to spawn a shell? My approach would have been to calculate the…
Is a single infoleak enough to break ASLR if you don't have access to the binary?
1 vote, 1 answer
With a single infoleak and access to the binary you can calculate the other addresses. Is this still possible when you don't have access to the binary?
Asked by aslr
How does ASLR work if in the assembly code the addresses are the same?
1 vote, 2 answers
Let's say I have this piece of code that changes the address 10 to the value 20 and the following one to 30: mov ebx,10 mov [ebx],20 add ebx,1 mov ebx,30 How can the address change each time it is executed? Does it require a change that the compiler do…
Asked by for the
ASLR doesn't work?
1 vote, 1 answer
I have the following code: #include <stdio.h> #include <stdlib.h> int main() { int *ptr1 = malloc(16); int val1 = 0x12345678; printf("stack: %p\nheap: %p\n", &val1, ptr1); return 0; } Compilation: gcc -fpie -pie…
Security in memory and between local Windows processes over localhost
1 vote, 1 answer
I have a Windows application that runs in 2 processes and communicates over a localhost network port. This application can hold secrets, such as a web cookie. I'm trying to think through the security vulnerabilities. My impressions: With modern…
Asked by Basil
Backdooring a PE binary compiled with ASLR
1 vote, 1 answer
I'm practicing backdooring a PE binary compiled with ASLR in a WOW64 environment. The approach is pretty straightforward and is basically something like this: find a code cave and a hijacking point. In this case, I chose not to patch the entry point…
Asked by Kartone
Does every modern buffer overflow require multiple exploits on end-user devices to be utilized?
1 vote, 1 answer
On modern user-oriented devices, such as Android phones, iPhones and PCs (Windows, macOS, Linux), if there is a remote buffer overflow 0-day, is it only exploitable with the aid of multiple vulnerabilities? An example of this is the need to bypass…
Asked by john doe
Why is Address Space Layout Randomization not effective against the OpenSSL Heartbleed vulnerability?
1 vote, 1 answer
My understanding is that ASLR randomly arranges the key data areas of a process, and so reading contiguously above a buffer, as is done in Heartbleed, would not be enough to achieve the exploit.
Asked by Anthony O
Simple buffer overflow trying to leak the address of system()
1 vote, 1 answer
Code: #include <string.h> void vuln(char *arg) { char buffer[10]; strcpy(buffer, arg); } int main(int argc, char** argv) { vuln(argv[1]); return 0; } I've determined I can input a buffer of 26 total characters to overwrite…
How to defeat ASLR in the Linux kernel?
1 vote, 2 answers
Possible duplicate: Stack Overflows - Defeating Canaries, ASLR, DEP, NX. Is there any way to disable ASLR in Linux kernel 2.6.32-71.el6.x86_64 with Apache privileges? I tried these commands: sudo bash -c "echo 0 >…
Asked by user1028
How is executable shellcode inserted?
1 vote, 2 answers
How is shellcode (the payload) added to an executable file? Assume it is closed source. How does the hacker then get the address of where it is? They need this for when they overwrite the return address... After the above is clarified, an example of…
Asked by user5623335
Why would a modern OS allocate static addresses, or why is ASLR still needed?
1 vote, 1 answer
I have a question about ASLR, which allocates randomized addresses for things. Based on my understanding (which might be wrong), a modern OS has pretty complicated memory management mechanisms and it seems REALLY challenging to allocate the same…
BOF - How to determine the address of system() using a memory leak?
1 vote, 1 answer
I am training myself for BOF and ASLR in 32 bits. I wrote a program that looks like this: int main(int argc, char **argv) { char buffer[32]; printf(argv[1]); gets(buffer); return 0; } With a format string I can get main's return…
Asked by wammder