Questions tagged [stack-overflow]
55 questions
45
votes
3 answers
Does a buffer overflow vulnerability always mean a code execution vulnerability?
Since buffer overflows always let an evil hacker write outside the buffer and overwrite the return pointer to a shellcode the evil hacker can place, does it mean that successful exploitation of a stack buffer overflow always means the ability to…
Sreeraj
- 1,297
- 1
- 13
- 21
39
votes
3 answers
How big is a canary word on Linux, typically?
A canary word is a sequence of bits placed at the boundary between a buffer (such as a stack) and control data in a program, as a way of detecting and reacting to buffer overflows.
How many bits long are these canaries on Linux, usually?
MR.X_XD
- 501
- 1
- 4
- 5
11
votes
2 answers
How is the stack protection enforced in a binary?
On a linux box with an Intel CPU, lets say I compiled by binary with -fstack-protect-all.
How is this encoded into the binary? (Can I see this info using readelf? ). Is it encoded into every page/segment or is it added to the binary in one place…
SFlow
- 263
- 1
- 2
- 7
10
votes
2 answers
Why must a ret2libc attack follow the order "system(),exit(),command?
In a ret2libc attack, I understand that the return address can be overwritten with the address of the system command, which takes a command string as an argument. In this case, shouldn't the address of the command string come directly after the…
Lew Wei Hao
- 429
- 5
- 13
10
votes
4 answers
If the stack grows downwards, how can a buffer overflow overwrite content above the variable?
I realize how a buffer overflow works but I have a problem understanding the direction in which the overflow is directed. So if the stack grows downwards, that means that the return address is above the variable's reserved space. When that variable…
AdHominem
- 3,006
- 1
- 16
- 26
7
votes
1 answer
Using instruction set architecture (ISA) to stop stack overflows
I have been learning about using stack overflows to get arbitrary code execution, one of the tricks used is overwriting the return address to make control flow go the way you want it. Assuming our system has NX bit.
What if we made the CPU…
river
- 183
- 4
5
votes
1 answer
Exploit does not work outside GDB
I already tried various solutions provided to other "exploit doesn't work outside gdb" questions (r.sh, invoke.sh, removing environment variables) and at this point I legit have no idea why the exploit does not work (behemoth1 on overthewire…
shxdow
- 123
- 2
- 8
4
votes
1 answer
How are stack canaries padded by unmapped pages?
I was reading the wikipedia article on this subject and it states that when a program starts, the canary is calculated at random, stored in a local variable(which I presume was introduced by the compiler) and is padded by unmapped pages but i'm …
Trey
- 113
- 1
- 9
4
votes
2 answers
How does gcc compiler guard stack for stack overflow?
When we compile c program with gcc, we have to inlude "-z execstack" option to enable stack overflow attack.
The question I want to ask is how does gcc implement this .
Without this option, how does gcc guard the stack?
Please explain me in detail…
popo
- 61
- 1
- 4
4
votes
2 answers
Why do we need to remove null bytes from shell code?
I'm studying the basics of making shell codes. I have a question about it.
In my textbook, the author stores his shell code in an environment variable, and injects the address of it using strcpy() in a program.
When he makes his shell code, he…
John Smith
- 41
- 1
- 3
3
votes
1 answer
Smashing stack in x86_64
Exploiting functions like strcpy() relies on the fact that the payload string must not contain zero bytes that would terminate the copy function. If the payload contains x86_64 addresses (e.g. in order to overwrite a return address on the stack),…
Andy
- 263
- 1
- 8
3
votes
2 answers
Hard-wired vs relative addresses in shellcode
This question is primarily in the context of arbitrary command execution in a buffer (e.g. stack) overflow.
I read somewhere recently that hard-wired (absolute) addresses are not good for shellcode e.g. using /bin/sh for example. The problem is that…
Sean S
- 53
- 3
2
votes
1 answer
Is this paper on stack canaries outdated?
According to this paper on defeating stackguard, it seems canaries are placed lower in the stack (higher address) than EBP, allowing the attacker to overwrite EBP without being noticed. But when I look at more recent code it seems the canary is…
hehehe
- 21
- 1
2
votes
1 answer
Having trouble with learning Buffer Overflows
So I have this program in C that I'm trying to exploit which has a vulnerability in a function, namely it's using gets. I'm trying to overflow and change the return address so the program returns one or both of the two functions that are not…
Fiach ONeill
- 21
- 4
2
votes
1 answer
Cannot exploit stack-based buffer overflow with ASLR-disabled, since RSP differs heavily between executions?
I have made a little toy program, compiled with ALSR disabled, that I want to exploit using stack-based buffer overflow:
// gcc stackexec0x1.c -Wl,-z,execstack -no-pie -fno-stack-protector -o stackexec0x1
#include
#include…
Shuzheng
- 1,097
- 4
- 22
- 37