Questions tagged [exploit-development]
For questions about development of software which takes advantage of exploits (vulnerabilities in security systems).
195 questions
21 votes, 5 answers
Hackable Linux distributions
A few years ago we had that awesome Linux distribution called Damn Vulnerable Linux. But unfortunately it looks like the project is dead. So my question is are there other Linux distributions which are meant to be hacked (explicit in the view of…
Asked by Dirk
12 votes, 2 answers
Heap Buffer Overflow - AddressSanitizer output - what is needed to exploit this condition?
This is the AddressSanitizer output, for different input I get READ and WRITE errors. From Heap Buffer Overflow perspective which are more interesting? I want to execute my shellcode. Can somebody interpret this AddressSanitizer output in more…
Asked by dev
10 votes, 2 answers
Are memcpy() based race conditions exploitable for causing remote code execution?
Let's say I have the following pseudocode in the trusted part of a sandbox which prevents untrusted code calling mprotect() and mmap() and ptrace() directly (mutex isn't accessible from sandboxed memory)…
//src and dest are user controlled but must…
Asked by user2284570
10 votes, 2 answers
Why must a ret2libc attack follow the order "system(), exit(), command"?
In a ret2libc attack, I understand that the return address can be overwritten with the address of the system command, which takes a command string as an argument. In this case, shouldn't the address of the command string come directly after the…
Asked by Lew Wei Hao
8 votes, 2 answers
When is memory allocation/layout deterministic?
I'm trying to learn about buffer overflow attacks, both on the stack and on the heap. However, I'm confused about when it's possible to determine the address of the buffer. The classic "Smashing the Stack for Fun and Profit" mentions the need to…
Asked by Lily Chung
8 votes, 1 answer
Can I do a String Format Exploit for x64 systems?
I was trying to replicate the experiment in Gray Hat Hacking - Third Edition, Chapter 12, about Format String Exploits, but their architecture is IA32, while mine is AMD 64bits. Therefore when I check for values in stack with commands like:
$…
Asked by Fernando Pérez
7 votes, 1 answer
Why does my x86 shellcode test program segfault?
I am trying to learn how to create shellcode, my goal is to call execve(). I wrote the code in assembly and it works perfectly, there are no null-bytes or absolute addressing methods. The code works fine, but when I copy the opcodes into a c program…
Asked by tropz
7 votes, 1 answer
Blueborne - Attack Scenario Clarification
Based on the Technical White Paper
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper-1.pdf?t=1505319664351
After reading it, I understand it as follows (Page 13, bottom)
So to exploit (Linux kernel RCE vulnerability -…
Asked by dev
7 votes, 1 answer
Exploit only works in gdb
tl;dr: Why does my exploit only work inside gdb?
I'm very new to the buffer overflow and exploit development fields. To improve my skills based on a series of papers and videos I wrote this simple C software:
Note: I disabled ASLR
I believe that my…
Asked by Joao Daniel
7 votes, 2 answers
Are all vulnerabilities exploitable?
I understand the difference between a vulnerability and an exploit, but as I surf the exploit databases, I see more vulnerabilities and less exploits. Shouldn't there be at least one exploit for every vulnerability which is uncovered? Aren't all…
Asked by GypsyCosmonaut
7 votes, 1 answer
ROP Programming/Exploitation on ARM - Gadget chain
Unfortunately, I cannot find this gadget in my libc.so. How can we reprogram this using different instructions:
pop {r0, r1, r2, r3, pc}
Which instructions will achieve the same? What gadgets do I have to look for?
It relates to this exploit
# pivot…
Asked by dev
6 votes, 2 answers
Cost of finding vulnerabilities vs developing exploits
From the perspective of someone who wants to develop a zero-day exploit against some software application or target, there are broadly speaking two tasks that the attacker must do: (1) find a new exploitable vulnerability in the software; (2)…
Asked by D.W.
6 votes, 2 answers
Buffer overflow exploit works with gdb but not without
I am learning about buffer overflows and I'm developing my very first exploit. There is a server process that listens to a socket and forks a new process for each client. The child process has a buffer overflow vulnerability which I'm…
Asked by Andrei Socaciu
5 votes, 1 answer
How to bypass ASLR with ROP
I was reading this article by the InfoSec institute:
http://resources.infosecinstitute.com/an-introduction-to-returned-oriented-programming-linux/#gref
And was able to follow along until he did the ROP Chain. He finds the offset of printf and execve…
Asked by alloy
5 votes, 1 answer
Using (cat $file; cat) to run a simple BOF exploit
I'm getting acquainted with Buffer Overflows (BOF) and was replicating a simple attack described by Techorganic. They create a simple C program called "classic", which contains an obvious BOF vulnerability (when it reads up to 400 bytes into an 80-byte…
Asked by Fernando Pérez