Questions tagged [exploit-development]
For questions about developing exploits: software that takes advantage of a vulnerability in a system or application to obtain behaviour or access the system was not intended to allow.
197 questions
1 vote, 0 answers, 28 views
Can't print hexadecimal formatted address in buffer overflow
I'm trying to overwrite the return address caused by a buffer overflow. I've already calculated the distance between the buffer and the return address. The address that I want to jump to is ...
0 votes, 0 answers, 73 views
How can I safely write in my resume that I have written a MetaSploit exploit module without making employers nervous?
I have asked this question on The WorkPlace SE site and did not receive any comprehensive answers over there. I have around 10 years of cybersecurity industry experience and have gained proficiency ...
2 votes, 1 answer, 448 views
Python Code Injection With int()
I discovered reading the documentation for int() in python that I could execute operating system commands if something like the following were passed to the int() constructor:
type('',(),{'a':5,'b':6,'...
0 votes, 1 answer, 139 views
pvefindaddr p2 in mona?
Is there a !pvefindaddr p2 (search for all pop/pop/ret combinations in the entire process memory space) equivalent in mona.py?
Alternatively, is there any option to run pvefindaddr in latest versions ...
1 vote, 1 answer, 177 views
Get in depth information about vulnerability from a CVE
I'm trying to understand how to get more information about a vulnerability given a CVE. I noticed that some CVEs, on websites like https://www.cvedetails.com, have got references to articles or to ...
3 votes, 1 answer, 776 views
Can't get this memory addressing
I am working with this INE eCXD material and I am working on my basics of buffer overflow on Linux.
In the lab, there is supposed to be a binary that is using the strcpy() function and it SEGFAULTS ...
1 vote, 2 answers, 915 views
ROP: Handling a `push` in the middle of a gadget
In ROP, often a gadget has an undesired pop or push in the middle.
For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well.
What about a push: What do we ...
1 vote, 0 answers, 224 views
How does glibc prevent malloc unlink exploits?
The classic malloc overflow, of overwriting pointers in a free chunk, to cause free() unlink to overwrite an arbitrary location with an arbitrary value, is no longer possible with modern glibc (...
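As an added illustration (not code from the question above and not glibc's own source), the following models the fd/bk consistency check that modern glibc performs before unlinking a chunk, next to the unchecked version the classic attack relied on. The `chunk` struct is a simplified stand-in for `malloc_chunk` with only the fields the unlink path touches; the function names and the `victim`/`scratch` objects are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Minimal model of a free-chunk header: only the fields the unlink code
 * touches. This is an illustration, not glibc's real malloc_chunk. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin */
    struct chunk *bk;   /* previous free chunk in the bin */
} chunk;

/* Old behaviour: no validation at all. With attacker-controlled fd/bk,
 * "fd->bk = bk" is a write of the value bk to the address fd + offset of bk,
 * which is exactly the arbitrary write the classic attack used. */
static void unlink_unchecked(chunk *p)
{
    chunk *fd = p->fd;
    chunk *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* What modern glibc does first: both neighbours must point back at p, or
 * malloc aborts with "corrupted double-linked list". Returns 1 on success,
 * 0 where glibc would abort. (Real glibc additionally compares chunksize(p)
 * with the prev_size of the following chunk; that check is omitted here.) */
static int unlink_checked(chunk *p)
{
    chunk *fd = p->fd;
    chunk *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return 0;
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* A well-formed list a <-> p <-> b: the check passes and p is removed. */
static int legit_unlink_works(void)
{
    chunk a, p, b;
    memset(&a, 0, sizeof a);
    memset(&p, 0, sizeof p);
    memset(&b, 0, sizeof b);
    a.fd = &p;  p.bk = &a;
    p.fd = &b;  b.bk = &p;
    if (!unlink_checked(&p))
        return 0;
    return a.fd == &b && b.bk == &a;
}

/* The attack from the question: p's fd/bk were overwritten by a heap overflow.
 * fd is chosen so that fd->bk aliases the slot to hijack (victim.bk stands in
 * for a GOT entry); bk is the value to plant there. scratch is writable memory
 * at the planted address, needed because the second store (bk->fd = fd) lands
 * there. Returns 1 if the victim slot ends up holding the planted value. */
static int forged_unlink_overwrites_target(int use_check)
{
    chunk p, victim, scratch;
    memset(&p, 0, sizeof p);
    memset(&victim, 0, sizeof victim);
    memset(&scratch, 0, sizeof scratch);
    p.fd = &victim;
    p.bk = &scratch;
    int unlinked;
    if (use_check) {
        unlinked = unlink_checked(&p);   /* victim.bk != &p, so this is refused */
    } else {
        unlink_unchecked(&p);
        unlinked = 1;
    }
    return unlinked && victim.bk == &scratch;
}

int main(void)
{
    printf("legit unlink passes check:       %d\n", legit_unlink_works());
    printf("forged unlink, no check, writes:  %d\n", forged_unlink_overwrites_target(0));
    printf("forged unlink, with check, writes:%d\n", forged_unlink_overwrites_target(1));
    return 0;
}
```

The check works because the target slot would have to already contain the address of the chunk being unlinked, which an attacker who merely overflowed fd/bk cannot arrange. The example goes slightly beyond the question by also showing the legitimate case; it does not cover the later "unsafe unlink" variants that satisfy the check by pointing fd/bk at a location that already holds a pointer to the chunk.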
0 votes, 0 answers, 342 views
64 Bit ELF Buffer Overflow Not working possibly due to if statement
I wrote the following:
#include <stdio.h>
#include <string.h>   /* memset() is declared here; this include was missing */
int win(){
    /* never called directly; the overflow is meant to redirect execution here */
    printf("Won!\n");
    return 0;
}
int vulnerable(){
    char buffer[20];
    memset(buffer, 0, 10);   /* clears only the first 10 of the 20 bytes */
    printf("Input: &...
1 vote, 1 answer, 402 views
How can an ELF binary call a Windows API from WSL(2) to deploy a payload?
In September 2021 Black Lotus Labs (BLL) posted a blog entry discussing a payload loader that was:
written in Python
compiled to an ELF exe using PyInstaller in Debian in WSL
and "injected into ...
4 votes, 2 answers, 3k views
Are buffer overflow and similar attacks still possible?
The majority of my cyber security background comes in the form of web application vulnerability testing, and whilst I do have a degree of prior experience in studying and performing application ...
1 vote, 1 answer, 1k views
How to read memory from format string exploit correctly
I'm trying to solve a problem on format string exploitation in which I have to overwrite anything in a specific address. Since the target address has a null byte at the beginning, I need to write it at ...
1 vote, 1 answer, 1k views
Can't overwrite EIP in buffer overflow example
I am trying to make a simple buffer-overflow exploit on an example program to understand binary exploitation a bit better. The goal is to simply write shellcode on the stack and execute it.
However, ...
1 vote, 1 answer, 419 views
Is a single infoleak enough to break ASLR if you don't have access to the binary?
With a single infoleak and access to the binary you can calculate the other addresses. Is this still possible when you don't have access to the binary?
1 vote, 1 answer, 180 views
WebApp Windows Command Injection without "||"
I've found an application that allows arbitrary file upload (client side validation on file extensions), however those files are not stored in a folder which is accessible by the webserver, so a web ...