Questions tagged [exploit-development]

For questions about developing exploits: software that takes advantage of a vulnerability in a target system to alter its behavior, for example to run attacker-supplied code.

195 questions
2 votes, 1 answer

Why are there no free resources on exploit development on macOS?

There are many resources on Linux exploit development, but I cannot find any resources targeting macOS, except for some bad ones on YouTube. Why are there no write-ups on macOS exploitation techniques, taking into account the Mach-O file format and…
Shuzheng
2 votes, 0 answers

String Format Exploit x64 compiled with -Wformat-security -D_FORTIFY_SOURCE=2 on

I found a daemon running as uid 0 that has a string format vulnerability. It is compiled with -Wformat-security and -D_FORTIFY_SOURCE=2 on. I'm trying to write an exploit for it, but what I get is: 0000000000018370 : …
2 votes, 1 answer

Exploit Development - Find system address in a given libc

If I have a libc file which is used on another server where the vulnerable binary is running, then how can I find the address of system in it? I have both the vulnerable binary and the libc file with me. Usually, on a local system, I would use gdb to…
Neon Flash
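As an added worked example for the question above (editor-supplied C, not code from the question or from any answer): walk the .dynsym section of a libc file to read the file offset of `system`, then combine it with one leaked runtime address the way a ret2libc payload needs it. The path, leaked symbol and leaked address in main are command-line placeholders, and the offsets used for illustration are made up. The page-alignment check is the sanity test worth running before trusting the result: a shared library is mapped on a page boundary, so a computed base that does not end in 000 almost always means the libc file does not match the remote one or the leaked symbol was misidentified.

```c
#include <elf.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Slurp a whole file into memory; returns NULL on any failure. */
static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL;
    long sz;
    if (!f)
        return NULL;
    if (fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) < 0 || fseek(f, 0, SEEK_SET) != 0)
        goto fail;
    buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz)
        goto fail;
    fclose(f);
    *len = (size_t)sz;
    return buf;
fail:
    free(buf);
    fclose(f);
    return NULL;
}

/* Offset (st_value) of the exported symbol `name` in the ELF64 shared object at
 * `path`, or -1. In a shared library st_value is relative to the load base, so
 * the number is the same in the file and in every ASLR-randomized process. */
long elf64_dynsym_offset(const char *path, const char *name)
{
    size_t len, nlen = strlen(name);
    long result = -1;
    Elf64_Ehdr *eh;
    Elf64_Shdr *sh;
    unsigned char *buf = read_file(path, &len);
    if (!buf)
        return -1;
    if (len < sizeof(Elf64_Ehdr))
        goto out;
    eh = (Elf64_Ehdr *)buf;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 || eh->e_ident[EI_CLASS] != ELFCLASS64)
        goto out;                                   /* not an ELF64 file */
    if (eh->e_shoff > len || (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff)
        goto out;                                   /* truncated section table */
    sh = (Elf64_Shdr *)(buf + eh->e_shoff);
    for (unsigned i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_type != SHT_DYNSYM || sh[i].sh_link >= eh->e_shnum)
            continue;
        Elf64_Shdr *str = &sh[sh[i].sh_link];       /* .dynstr, linked from .dynsym */
        if (sh[i].sh_offset > len || sh[i].sh_size > len - sh[i].sh_offset ||
            str->sh_offset > len || str->sh_size > len - str->sh_offset)
            goto out;
        Elf64_Sym *syms = (Elf64_Sym *)(buf + sh[i].sh_offset);
        const char *strtab = (const char *)(buf + str->sh_offset);
        size_t nsyms = sh[i].sh_size / sizeof(Elf64_Sym);
        for (size_t j = 0; j < nsyms; j++) {
            size_t off = syms[j].st_name;
            if (off >= str->sh_size || str->sh_size - off < nlen + 1)
                continue;                           /* name would run off .dynstr */
            if (syms[j].st_value != 0 && memcmp(strtab + off, name, nlen) == 0 &&
                strtab[off + nlen] == '\0') {
                result = (long)syms[j].st_value;
                goto out;
            }
        }
    }
out:
    free(buf);
    return result;
}

/* The ret2libc arithmetic: leaked runtime address of a known symbol minus its
 * file offset is the library base; base plus the target's offset is the target. */
uint64_t remote_symbol_address(uint64_t leaked_addr, long leaked_off, long target_off)
{
    return (leaked_addr - (uint64_t)leaked_off) + (uint64_t)target_off;
}

/* Sanity check: the computed base must sit on a page boundary. */
int base_is_page_aligned(uint64_t leaked_addr, long leaked_off)
{
    return ((leaked_addr - (uint64_t)leaked_off) & 0xfff) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <libc.so.6> <leaked-symbol> <leaked-hex-address>\n", argv[0]);
        return 2;
    }
    long leaked_off = elf64_dynsym_offset(argv[1], argv[2]);
    long system_off = elf64_dynsym_offset(argv[1], "system");
    if (leaked_off < 0 || system_off < 0) {
        fprintf(stderr, "symbol not found in %s\n", argv[1]);
        return 1;
    }
    uint64_t leaked = strtoull(argv[3], NULL, 16);
    if (!base_is_page_aligned(leaked, leaked_off))
        fprintf(stderr, "warning: base is not page-aligned; libc mismatch or wrong symbol?\n");
    printf("libc base = 0x%" PRIx64 "\n", leaked - (uint64_t)leaked_off);
    printf("system    = 0x%" PRIx64 "\n", remote_symbol_address(leaked, leaked_off, system_off));
    return 0;
}
```

Run as `./a.out /path/to/remote/libc.so.6 puts 0x7f12345e5a30` after leaking `puts` (via a GOT read or a format string) from the remote process; the offsets it prints for `system` match what `readelf -s libc.so.6` shows in the Value column, which is the cross-check to do when the result looks wrong.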
2 votes, 1 answer

Does an Egghunter attack still make sense in a 64 bit system?

Background: An Egghunter is basically a small stub that acts as the first stage in a two-stage exploitation attempt (where the second stage is usually the malicious payload shellcode). In the first stage, the stub will search through the process VAS…
0x5929
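As an added illustration of the two-stage search the question describes (editor-supplied C, not code from the question or from any answer): a model of the hunter's scan loop over a constructed byte array that stands in for the process address space. The egg value and the payload bytes are made up. The search logic itself does not depend on pointer width; what a real stub must add, and what this model leaves out, is probing each page with a syscall (access(2) in the classic 32-bit Linux hunter) before reading it, so that unmapped pages do not fault.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "w00t" as the little-endian 32-bit immediate a classic x86 hunter carries
 * (mov eax, 0x74303077). Constructed value for this example. */
#define EGG 0x74303077u

/* Lay a 32-bit egg into memory in little-endian byte order. */
static void put_egg(unsigned char *dst, uint32_t egg)
{
    for (int i = 0; i < 4; i++)
        dst[i] = (unsigned char)(egg >> (8 * i));
}

/* Model of the hunter's loop. The x86 stub advances one byte per step
 * (`inc ecx`), compares the dword at the cursor with the egg (`scasd`) and,
 * only if that matches, compares the next dword too (second `scasd`).
 * Requiring the egg twice is what keeps the hunter from finding the single
 * copy of the egg embedded in its own code. Returns the offset of the first
 * byte after the doubled egg (where the stub does `jmp edi`), or -1. */
long egghunt(const unsigned char *mem, size_t len, uint32_t egg)
{
    unsigned char tag[4];
    put_egg(tag, egg);
    for (size_t i = 0; i + 8 <= len; i++) {
        if (memcmp(mem + i, tag, 4) == 0 &&        /* first scasd  */
            memcmp(mem + i + 4, tag, 4) == 0)      /* second scasd */
            return (long)(i + 8);
    }
    return -1;
}

/* Constructed stand-in for the address space: filler, a decoy holding ONE
 * copy of the egg (the hunter's own immediate), more filler, then the doubled
 * egg followed by the stage-2 payload. Returns the offset at which the payload
 * starts, or 0 if the buffer is too small. */
size_t build_image(unsigned char *buf, size_t cap,
                   const unsigned char *payload, size_t plen)
{
    size_t off = 0;
    if (cap < 276 + plen)
        return 0;
    memset(buf, 0x90, cap);          /* NOP filler */
    off += 64;
    put_egg(buf + off, EGG);         /* decoy: single egg, must be skipped */
    off += 4 + 200;
    put_egg(buf + off, EGG);         /* marker, first copy  */
    put_egg(buf + off + 4, EGG);     /* marker, second copy */
    off += 8;
    memcpy(buf + off, payload, plen);
    return off;                      /* 276 */
}

int main(void)
{
    static unsigned char image[4096];
    /* constructed stage-2 stand-in: four int3 breakpoints */
    const unsigned char payload[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    size_t placed = build_image(image, sizeof image, payload, sizeof payload);
    long found = egghunt(image, sizeof image, EGG);
    printf("payload at offset %zu, hunter landed at %ld\n", placed, found);
    return (long)placed == found ? 0 : 1;
}
```

The decoy at offset 64 is the detail to notice: a hunter that checked the egg only once would jump into its own code. In a real process the cost that dominates is the page probing, not the compare, which is why the size of the region to be scanned matters more than the stub's instruction count.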
2 votes, 1 answer

BufferOverflow attack Segment Fault

I'm trying to exploit a simple stack overflow vulnerability, but I have trouble writing the exploit.c file. After getting the stack pointer using __asm__("movl %esp, %eax"), I put the address and shellcode in the buffer. This is the stack.c file: int…
K.Doe.x
2 votes, 1 answer

stdin does not wait for next input after ROP chain

I was trying to exploit a vulnerability in a CTF, but I cannot make fgets() reopen stdin to put in my second-stage ROP chain. I am using pwntools, but the problem is more socket-oriented. I recreated the above situation in a test program. The concept…
ItsYou
2 votes, 1 answer

Leak a GOT entry using return-to-printf@plt

I have a small binary compiled as non-PIE, but ASLR is enabled, so the shared libraries are randomized. My plan was to leak any libc address from the GOT via returning to the PLT, but the only useful PLT stub I have is printf. Previously I wrote a…
awerv
2 votes, 0 answers

Meltdown - Reading processes info from leaked memory

Found this video: https://www.youtube.com/watch?v=De4rBaAdKNA In the video, Meltdown is used to read process memory based on PID/name. How is it done? The program looks for task_struct in leaked memory and parses data out of it, based on struct…
dev
2 votes, 1 answer

Spectre: Problem with Understanding POC - Reading data from cache

I understand the vulnerability (Spectre) and, in theory, what the PoC does. But I do not understand the part of the PoC where it reads or identifies the data from the cache, between lines 86 and 108. I know that the PoC is reading the data from the…
user104787
2 votes, 1 answer

Understanding a crash

Say you're fuzzing a Windows x32 application for a file format bug and, say, you found a pattern that causes the application to crash. My normal steps are: load the application into a debugger, generate and investigate the crash. In my actual…
Kartone
2 votes, 1 answer

KPTI - Meltdown - PoC Analysis

Based on this PoC: https://twitter.com/brainsmoke/status/948561799875502080 I see there are four rows output; the second one is two bytes of the address of sys_read. What is the first one? Would the third row be sys_write? I did some calculations on my…
dev
2 votes, 1 answer

Stack pivoting techniques

I'm practicing exploit development, and one of the scenarios I am having the most difficulty with is stack pivoting besides the "ADD ESP, XXX" or something like that. The question is, during the writing of a ROP chain, when you don't have any usable…
Kartone
2 votes, 2 answers

x32 VS x64 Reverse Engineering and Exploit Development

I started to learn RE and exploit development, and most materials, almost all of them, are on 32-bit architecture. What is the difference from the point of view of exploit development? I know shellcoding is quite different, and how hard is it to pick up…
user3551034
2 votes, 1 answer

How to exploit binary with no syscall gadget or information leak in full ASLR and NX?

So I have a Linux x86-64 binary, dynamically linked with libc, running remotely on a patched Ubuntu 16.04. The executable makes one call to libc read and exits, allowing a simple stack overflow into ROP. That's the only code compiled into the…
Gbps
2 votes, 1 answer

Stagefright - building ROP stack - pivoting

Here I control r2 (vtable) 0xb6712c48 <+7120>: ldr r5, [r2, #28] 0xb6712c4a <+7122>: ldrd r2, r3, [r8] 0xb6712c4e <+7126>: blx r5 How I understand it: I control the r2 register (vtable), it loads an offset value off of r2 (28 bytes)…
dev