Questions tagged [glibc]
The GNU C Library (glibc) is the GNU Project's implementation of the C standard library.
33 questions
12 votes · 2 answers · 3k views
Why isn't LD_PRELOAD disabled by default in Linux?
The Linux dynamic linker includes a mechanism of dynamically loading arbitrary code into every process using the LD_PRELOAD environment variable and the /etc/ld.so/preload file. This sounds dangerous ...
0 votes · 0 answers · 93 views
Bash deletes null bytes in exploit input for ROP/return-to-libc
I am trying to do a return-to-libc exploit. The goal is to gain a shell with root privilege by calling setuid(0) and then system("/bin/sh"). I have been agonizing over trying to get this thing ...
0 votes · 0 answers · 68 views
Questions on GLIBC Heap Exploitation (House of Force)
This is with reference to Max Kamper's video on GLIBC heap exploitation and these articles I read
https://www.crow.rip/crows-nest/binexp/heap/house-of-force-i
https://www.crow.rip/crows-nest/binexp/...
2 votes · 2 answers · 257 views
Debian's security tracker says a CVE is fixed, while BlackDuck scanner detects it
I stumbled across a vulnerability considered a critical security risk (CVE-2023-25139) in one of the container images I build.
Debian's security tracker states it's fixed: https://security-tracker.debian....
0 votes · 0 answers · 126 views
Where do stack pointer differences to stack base originate from on Linux?
Let's assume we have this simple program:
#include <stdio.h>

int main(void) {
    int x;
    /* print the address of a local variable, i.e. a position on the current stack */
    printf("%p\n", (void *)&x);
    return 0;
}
Assuming the stack is mapped something like this:
0x007ffffffdd000 0x007ffffffff000 ...
0 votes · 1 answer · 133 views
Why is GNU libc's salt alphabet for `crypt` limited to ./0-9A-Za-z?
According to docs:
To hash a new passphrase for storage, set salt to a string consisting of [a prefix plus] a sequence of randomly chosen characters ...
and
In all cases, the random characters ...
2 votes · 1 answer · 2k views
CTF setup for debugging heap exploits
I'm currently studying binary heap exploitation (mainly the glibc (ptmalloc2) implementation), for CTF competitions. The problem I'm facing is debugging challenges designed for a certain glibc version....
1 vote · 0 answers · 900 views
Could not load library libcutils.so while injecting shellcode
I am working on my school thesis.
I am trying to inject some shellcode into a shared library using the Dirty Cow vulnerability on Android x86.
My shellcode is written in assembly and only calls ...
9 votes · 1 answer · 1k views
Jump Oriented Programming segmentation fault issue
I found this interesting post on JOP, and since I was not familiar with the concept I decided to play with it. I managed to call arbitrary functions defined in my binary with or without arguments, but ...
4 votes · 1 answer · 833 views
Return-to-libc Attack mystery
I'm studying the Return-to-libc Attack and I understand the concept. But one thing still does not make sense. In order to make the attack I need the memory address of system() and "/bin/sh", which is ...
6 votes · 2 answers · 42k views
Return-to-libc: finding libc's address and finding offsets
So I tried performing a return-to-libc according to https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/ .
I found libc's address by using "ldd vuln", and found system's ...
1 vote · 1 answer · 579 views
How to increase gadget occurrence in a program
I'm exercising with ROP. In a vulnerable program I control RIP; when I use "ropeme" to search for gadgets, I find many references to 32-bit registers, but not a single extended register.
I need a ...
5 votes · 1 answer · 7k views
How to bypass ASLR with ROP
I was reading this article by the InfoSec institute:
http://resources.infosecinstitute.com/an-introduction-to-returned-oriented-programming-linux/#gref
And was able to follow along until he did the ...
1 vote · 1 answer · 168 views
Where to get patches for recent CVEs announced for glibc?
My SoC vendor uses Yocto to create a custom Embedded Linux distribution that contains glibc 2.22.
As part of the distribution we have received patches up to CVE-2016-4429. But now there are some ...
7 votes · 2 answers · 9k views
Is ASLR useless in preventing attacks such as return-to-libc in Linux?
If I'm correct, due to ASLR we load libc at some random address. And then, in order to make that happen without allowing write permissions on text pages in memory, we use the PLT/GOT. Now I can simply ...