Questions tagged [exploit-development]

For questions about the development of software that takes advantage of exploits (weaknesses or vulnerabilities in security systems).

195 questions
3 votes, 2 answers

Proof of concepts for published exploits

Do industry pros have VMs or various workstations set up to go through known exploits after they've been patched, or is that less beneficial for learning than I'm imagining? I'm thinking, how can you understand the buffer overflow attack, or another…
3 votes, 1 answer

How to exploit a Use-After-Free vulnerability?

I want to learn more about use-after-free vulnerabilities and found this tutorial. Yet I don't understand it very well and hope for an explanation of how it works.
user104787
3 votes, 1 answer

ROP chain on x64, get rid of nulls

So I have this ROP chain for x64 architecture: 0x0000000000400b60: pop rdi; ret; 0x482cf5 0x68732f6e69622f ('/bin/sh') 0x401550 In Payload: \x60\x0b\40\x00\x00\x00\x00\x00\xf5\x2c\x48\x50\x15\x40 How should I get rid of 0? Since my…
dev
3 votes, 2 answers

Problems with overflowing the return address on stack x86_64

To note before compiling the program I disabled ASLR via: $ sudo -i root@laptop:~# echo "0" > /proc/sys/kernel/randomize_va_space root@laptop:~# exit logout I then compiled the program via: gcc -ggdb -mpreferred-stack-boundary=4 -o test vuln.c (I…
reyyez
2 votes, 1 answer

Security Features enabled in Linux Debian and Ubuntu

I am actually doing some tutorials about ROP on Linux. So I tried to follow the tutorial and compiled some of the example codes to try ROP in a small scope. But actually when I am trying to exploit the executables, I either get some message…
Dirk
2 votes, 2 answers

Python exploit question?

Can someone please explain how and why this struct.pack code is used in the below exploit? I'm trying to understand how it triggers the vulnerability. I understand the buffer overflow aspect, I'm referring to the below struct.pack method. I'm a ruby…
2 votes, 1 answer

Segmentation fault at strcpy while performing a buffer overflow

I have this code that I need to use to perform a ret2libc #include #include int main(int argc, char *argv[]) { char buf[256]; printf("buff is at:%p\n",buf); printf("%s",argv[1]); strcpy(buf, argv[1]); …
Luigi
2 votes, 1 answer

How to use "jmp" in ROP

I'm trying to put together a ROP chain. I'm looking for a gadget to do the following: mov rdi, rdx ; mov rbp, rsp ; ret; But instead, I have a gadget like this : mov rdi, rdx ; mov rbp, rsp ; jmp 0x8109b3f7 So, I thought maybe I can use this…
perplex
2 votes, 2 answers

Cannot build a ROP chain

My ROP exploit crashes with segmentation fault for unknown reason. This is a vulnerable code (compiled via command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2): #include #include #include char string[100]; void…
Asm .
2 votes, 1 answer

Leak multiple lines from file

I am researching this bug here, where the first line of an arbitrary file can be leaked by triggering a SyntaxError using the compile() function. Is there a method of leaking the rest of the file, such as similar to the way Heartbleed leaks data…
isopach
2 votes, 0 answers

Why can't you jump from SEH straight to payload for SEH buffer overflow?

From my understanding, a typical way to achieve an SEH buffer overflow (ignoring protections like DEP, SafeSEH, etc.) is to overwrite SEH with POP POP RET, which goes back to nSEH, which we control. nSEH will then be used to point to our located shell…
Anderson
2 votes, 1 answer

Is it necessary to understand Linux kernel internals to do binary exploitation?

I am a second-year CS student; I know C, OOP concepts, x86 architecture, reverse engineering basics, the TCP/IP stack and OS concepts, and I love Linux. I have just one question: is it mandatory to learn the Linux kernel in depth and develop some…
Asm .
2 votes, 1 answer

How to exploit buffer overflow without space after return address?

I'm working on a binary exploitation challenge where the target (ELF/x86_64) has stack canaries, NX and PIE enabled. It implements a simple forking TCP server. After a connection is established, it reads up to 0x420 bytes from the socket into a…
hackedd
2 votes, 0 answers

Methods of exploiting a Windows executable protected by "Control Flow Guard" and "Return Flow Guard"?

I understand that obtaining code execution via stack buffer overflows was mitigated by DEP, which in turn led to SEH and ROP exploit techniques, etc. However, I don't see how to exploit an executable simultaneously protected by "Control Flow Guard"…
Shuzheng
2 votes, 1 answer

Bypassing ASLR using information leaks

Most of my questions were answered in this post: ASLR bypass with info leak. However, I just want to know the process of getting the memory address from the information leak and then using it in the final exploit. It seems to me that there is a two…
localacct