Questions tagged [exploit-development]

For questions about development of software which takes advantage of exploits (vulnerabilities in security systems).

195 questions
21 votes, 5 answers

Hackable Linux distributions

A few years ago we had that awesome Linux distribution called Damn Vulnerable Linux. But unfortunately it looks like the project is dead. So my question is are there other Linux distributions which are meant to be hacked (explicit in the view of…
Dirk
12 votes, 2 answers

Heap Buffer Overflow - AddressSanitizer output - what is needed to exploit this condition?

This is the AddressSanitizer output, for different input I get READ and WRITE errors. From a Heap Buffer Overflow perspective, which are more interesting? I want to execute my shellcode. Can somebody interpret this AddressSanitizer output in more…
dev
10 votes, 2 answers

Are memcpy() based race conditions exploitable for causing remote code execution?

Let’s say I have the following pseudocode in the trusted part of a sandbox which prevents untrusted code from calling mprotect(), mmap() and ptrace() directly (the mutex isn’t accessible from sandboxed memory)… //src and dest are user controlled but must…
user2284570
10 votes, 2 answers

Why must a ret2libc attack follow the order "system(), exit(), command"?

In a ret2libc attack, I understand that the return address can be overwritten with the address of the system command, which takes a command string as an argument. In this case, shouldn't the address of the command string come directly after the…
8 votes, 2 answers

When is memory allocation/layout deterministic?

I'm trying to learn about buffer overflow attacks, both on the stack and on the heap. However, I'm confused about when it's possible to determine the address of the buffer. The classic "Smashing the Stack for Fun and Profit" mentions the need to…
Lily Chung
8 votes, 1 answer

Can I do a String Format Exploit for x64 systems?

I was trying to replicate the experiment in Gray Hat Hacking - Third Edition, Chapter 12, about Format String Exploits, but their architecture is IA32, while mine is AMD 64-bit. Therefore when I check for values on the stack with commands like: $…
Fernando Pérez
7 votes, 1 answer

Why does my x86 shellcode test program segfault?

I am trying to learn how to create shellcode; my goal is to call execve(). I wrote the code in assembly and it works perfectly, there are no null bytes or absolute addressing methods. The code works fine, but when I copy the opcodes into a C program…
tropz
7 votes, 1 answer

Blueborne - Attack Scenario Clarification

Based on the Technical White Paper (http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper-1.pdf?t=1505319664351). After reading it, I understand it as follows (page 13, bottom). So to exploit (Linux kernel RCE vulnerability -…
dev
7 votes, 1 answer

Exploit only works in gdb

tl;dr: Why does my exploit only work inside gdb? I'm very new to the buffer overflow and exploit development fields. To improve my skills, based on a series of papers and videos, I wrote this simple C software: Note: I disabled ASLR. I believe that my…
7 votes, 2 answers

Are all vulnerabilities exploitable?

I understand the difference between a vulnerability and an exploit, but as I surf the exploit databases, I see more vulnerabilities and less exploits. Shouldn't there be at least one exploit for every vulnerability which is uncovered? Aren't all…
GypsyCosmonaut
7 votes, 1 answer

ROP Programming/Exploitation on ARM - Gadget chain

Unfortunately, I cannot find this gadget in my libc.so. How can we reprogram this using different instructions: pop {r0, r1, r2, r3, pc} Which instructions will achieve the same? What gadgets do I have to look for? It relates to this exploit # pivot…
dev
6 votes, 2 answers

Cost of finding vulnerabilities vs developing exploits

From the perspective of someone who wants to develop a zero-day exploit against some software application or target, there are broadly speaking two tasks that the attacker must do: (1) find a new exploitable vulnerability in the software; (2)…
D.W.
6 votes, 2 answers

Buffer overflow exploit works with gdb but not without

I am learning about buffer overflows and I’m developing my very first exploit. There is a server process that listens to a socket and forks a new process for each client. The child process has a buffer overflow vulnerability which I’m…
Andrei Socaciu
5 votes, 1 answer

How to bypass ASLR with ROP

I was reading this article by the InfoSec institute: http://resources.infosecinstitute.com/an-introduction-to-returned-oriented-programming-linux/#gref And was able to follow along until he did the ROP Chain. He finds the offset of printf and execve…
alloy
5 votes, 1 answer

Using (cat $file; cat) to run a simple BOF exploit

I'm getting acquainted with Buffer Overflows (BOF) and was replicating a simple attack described by Techorganic. They create a simple C program called "classic", which contains an obvious BOF vulnerability (when it reads up to 400 bytes into an 80-byte…