Questions tagged [exploit-development]

For questions about developing software that takes advantage of vulnerabilities in security systems (exploits).

195 questions
3 votes, 1 answer

msfvenom -b flag not working?

When using msfvenom, I am under the assumption that the following syntax should give me shellcode without \x00 \x0a \x0d or \x40, because of the -b option msfvenom -p windows/shell/bind_tcp -b '\x00\x0a\x0d\x40' -f python However, every shell code…
Jordan Hanna
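Whatever msfvenom actually produced, the first thing to do is check the delivered bytes against the bad-character list yourself. The following is an added example (my code, not the asker's and not part of Metasploit): it parses a list in the same "\x00\x0a\x0d\x40" form the -b option takes and scans a buffer for any of those bytes. The two sample buffers are constructed for the demo, not msfvenom output.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a bad-character list written the way msfvenom's -b option takes it,
   e.g. "\x00\x0a\x0d\x40": a run of backslash, 'x', two hex digits.
   Returns the number of bytes parsed, or -1 if the spec is malformed or
   longer than the output buffer. */
int parse_badchars(const char *spec, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (*spec) {
        if (spec[0] != '\\' || spec[1] != 'x' ||
            !isxdigit((unsigned char)spec[2]) || !isxdigit((unsigned char)spec[3]))
            return -1;
        if (n >= cap)
            return -1;
        unsigned v;
        sscanf(spec + 2, "%2x", &v);   /* both digits already validated */
        out[n++] = (uint8_t)v;
        spec += 4;
    }
    return (int)n;
}

/* Scan a shellcode buffer for any byte in the bad set. Returns the offset of
   the first offending byte, or -1 if the buffer is clean. */
long find_bad_byte(const uint8_t *sc, size_t len, const uint8_t *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j])
                return (long)i;
    return -1;
}

/* Convenience: parse the -b spec and scan in one call.
   Returns the first bad offset, -1 if clean, -2 if the spec does not parse. */
long check_shellcode(const char *spec, const uint8_t *sc, size_t len)
{
    uint8_t bad[256];
    int nbad = parse_badchars(spec, bad, sizeof bad);
    if (nbad < 0)
        return -2;
    return find_bad_byte(sc, len, bad, (size_t)nbad);
}

/* Constructed sample buffers (not msfvenom output): a few x86 bytes with a
   0x0a planted at offset 8, and the same fragment without it. */
const uint8_t SAMPLE_DIRTY[] = {0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x0a,0x90};
const size_t SAMPLE_DIRTY_LEN = sizeof SAMPLE_DIRTY;
const uint8_t SAMPLE_CLEAN[] = {0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x90,0x90};
const size_t SAMPLE_CLEAN_LEN = sizeof SAMPLE_CLEAN;

int main(void)
{
    const char *spec = "\\x00\\x0a\\x0d\\x40";
    printf("dirty sample: first bad byte at offset %ld\n",
           check_shellcode(spec, SAMPLE_DIRTY, SAMPLE_DIRTY_LEN));
    printf("clean sample: %ld (-1 means clean)\n",
           check_shellcode(spec, SAMPLE_CLEAN, SAMPLE_CLEAN_LEN));
    return 0;
}
```

Run it against the exact bytes you deliver to the target (the -f python output decoded back to raw bytes), not against a re-encoded copy; if the scan reports an offset, that byte is what the transport will mangle.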
3 votes, 1 answer

Problem with overwriting the return address (buffer overflow)

I'm trying to exploit the following code with a buffer overflow and make it run the overflowed function: #include #include void overflowed() { printf("%s\n", "Execution Hijacked"); } void function(char…
user1758952
3 votes, 0 answers

EIP Overwrite Exploit not working

I am writing an exploit for an x86 binary on Linux and I'm learning exploitation. The binary has no protections and the stack is also executable. It has a buffer overflow when it uses the memcpy() function and I am able to successfully control the value…
Neon Flash
3 votes, 1 answer

Why ret2libc is not working in the below code on x86_64?

I am trying to bypass DEP in x86_64 (64 bit - ASLR OFF). I have my own vulnerable code and I have also written an exploit code with a basic ROP to jump into system() with parameter "/bin/sh", but it is not working and I don't know why. Vulnerable C…
bsdboy
3 votes, 1 answer

Smashing stack in x86_64

Exploiting functions like strcpy() relies on the fact that the payload string must not contain zero bytes that would terminate the copy function. If the payload contains x86_64 addresses (e.g. in order to overwrite a return address on the stack),…
Andy
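An added example (my code, not the asker's) that makes the point above concrete on x86_64: it lays out a payload of filler followed by one or more 64-bit addresses, copies it with the real strcpy() into a sentinel-filled buffer, and counts how many bytes of each embedded address actually arrive. The addresses, the 0xCC sentinel value and the little-endian layout are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SENTINEL 0xCC   /* pre-fills the destination so untouched bytes stand out */

/* Does the 64-bit value contain a zero byte? Canonical x86_64 user-space
   addresses (0x00007f..., 0x000055...) always do in their top two bytes. */
int has_zero_byte(uint64_t v)
{
    for (int i = 0; i < 8; i++)
        if (((v >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/* Lay out `pad` filler bytes followed by `n` little-endian 64-bit words, copy
   the whole thing into a sentinel-filled destination with the real strcpy(),
   and report how many of the 8 bytes of word `which` arrived intact.
   Returns (size_t)-1 if the layout does not fit the scratch buffers. */
size_t word_bytes_landed(size_t pad, const uint64_t *words, size_t n, size_t which)
{
    uint8_t src[128], dst[128];
    size_t total = pad + 8 * n;
    if (which >= n || total + 1 > sizeof src)
        return (size_t)-1;
    memset(src, 'A', pad);
    for (size_t w = 0; w < n; w++)
        for (int i = 0; i < 8; i++)
            src[pad + 8 * w + i] = (uint8_t)(words[w] >> (8 * i));
    src[total] = 0;                         /* terminator after the full payload */
    memset(dst, SENTINEL, sizeof dst);
    strcpy((char *)dst, (const char *)src); /* stops at the first 0x00 it meets */
    size_t ok = 0;
    for (int i = 0; i < 8; i++)
        if (dst[pad + 8 * which + i] == (uint8_t)(words[which] >> (8 * i)))
            ok++;
    return ok;
}

/* Constructed addresses for the demo; they are not from any real process. */
static const uint64_t RET_CANONICAL = 0x00007fffffffe0f8ULL; /* two high zero bytes */
static const uint64_t RET_NO_ZERO   = 0x4141414141414141ULL; /* no zero bytes */
static const uint64_t CHAIN[2]      = {0x00007fffffffe0f8ULL, 0x00007ffff7e4e0b0ULL};

size_t demo_no_zero(void)      { return word_bytes_landed(16, &RET_NO_ZERO, 1, 0); }
size_t demo_single(void)       { return word_bytes_landed(16, &RET_CANONICAL, 1, 0); }
size_t demo_chain_first(void)  { return word_bytes_landed(16, CHAIN, 2, 0); }
size_t demo_chain_second(void) { return word_bytes_landed(16, CHAIN, 2, 1); }

int main(void)
{
    printf("address without zero bytes, alone:      %zu/8 bytes land\n", demo_no_zero());
    printf("canonical address, last in payload:     %zu/8 bytes land\n", demo_single());
    printf("canonical address, followed by another: %zu/8 bytes land\n", demo_chain_first());
    printf("second address in the chain:            %zu/8 bytes land\n", demo_chain_second());
    return 0;
}
```

The 7-of-8 result is why a single saved return address can still be overwritten through strcpy(): the address goes last, its first 0x00 arrives as the string terminator, and the remaining high byte only has to be zero already in the slot being overwritten, which it is when that slot previously held a canonical address. Anything placed after that address in the string never arrives, so a strcpy-driven overflow cannot carry a second address or a multi-gadget chain.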
3 votes, 1 answer

Exploit development - Will different devices with the same OS/Architecture have the same exact process memory (e.g. addresses) for a given binary?

Sometimes, when I develop an exploit that perfectly works on a given machine, it will fail on a different one, despite them having the same OS/Architecture and configurations (like language, which in my experience can have some effects on the…
Not Now
3 votes, 0 answers

Is the difference between a loaded elf and libc a constant value?

While doing binary exploitation and studying the case when ASLR is enabled, I noticed I could make a reliable exploit by leaking an address of a function in the binary and finding the address of system in libc by adding a constant offset to that…
3 votes, 1 answer

Spectre Proof of Concept (PoC) Speculative Execution - Checking for value

Inspired by this question and based on this one: Why does my unpatched system *appear* to be not vulnerable to Spectre? I figured I would open a new question instead of "polluting" somebody else's question with questions. I wrote this code: It should…
dev
3 votes, 1 answer

What does brainstorming look like for a team like Google's "Project Zero"?

The question is not necessarily about technical details but more broad. I'm fascinated by the creativity involved in this process. Since the news of Meltdown/Spectre I was wondering: How do teams like Project Zero come up with ideas to find 0-day…
NoRyb
3 votes, 0 answers

Bypass DEP using NtSetInformationProcess on last Windows XP SP3 Pro update

Following the example of corelan team ROP version 2 (I was able to perform version 1): https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ I was able to produce this exploit: import…
Lucian Nitescu
3 votes, 2 answers

Unable to execute shellcode in basic buffer overflow example

I have a basic example of a program vulnerable to buffer overflow (extracted from this other question). #include void vuln(char *arg) { char buffer[500]; strcpy(buffer, arg); } int main( int argc, char** argv ) { …
Jausk
3 votes, 2 answers

Cannot overwrite EIP in basic exploitation example

I'm trying to replicate a simple buffer overflow for which I have the following code (strcpy_ex.c): #include int main( int argc, char** argv ) { char buffer[500]; strcpy(buffer, argv[1]); return 0; } which I…
Jausk
3 votes, 3 answers

EternalBlue exploit and ASLR

Why is the EternalBlue exploit so successful when ASLR is likely enabled on modern machines? I may be wrong as I'm not familiar with Windows internals. I can't find any explanation on this, including this. Any links would be much appreciated. Thanks.
gigasai
3 votes, 1 answer

Heap Overflow - unlink() technique exploitation on x86_64 (64 bit)

Trying to exploit this sample vulnerable program: /* Heap overflow vulnerable program. */ #include #include int main( int argc, char * argv[] ) { char * first, * second; /*[1]*/ first = malloc( 666 ); /*[2]*/…
dev
3 votes, 1 answer

Compiling an exploit on a different kernel than the target (but same arch): is it unwise or risky?

I'm in a situation where I've compiled about 15 or more exploits for a machine and each has failed. The failures had to do with the kernel being compiled with highly secure settings, i.e. the mmap function being disabled, or the ptrace function. Only one of…
Info5ek