-3 votes
0 answers
118 views

I'm working on an assignment where I need to overwrite the GOT table with the system call in order to execute a payload. The initial access is done via a stack buffer overflow. Here is the code of the ...
user29622040's user avatar
4 votes
2 answers
211 views

I am studying for my Computer Security exam and I am on the Format String Bugs section. In the notes there is this code, and I was testing it on my VM: #include <stdio.h> void test(char *arg) { ...
teozzo's user avatar
  • 51
4 votes
1 answer
204 views

I made a simple vulnerable program greet.c: #include <stdio.h> #include <string.h> int main (int argc, char **argv) { char buf[32]; strcpy(buf, argv[1]); printf("%s\n"...
AISK's user avatar
  • 65
1 vote
1 answer
215 views

I am working on phase 4 of the buffer overflow attack lab, where the solution is to use ROP (Return Oriented Programming). The idea is that you are given a "farm" where you will look for ...
Ian Burns's user avatar
2 votes
0 answers
112 views

I am following a walkthrough of a box on VulnHub, The Planets: Venus. I got the shell to run through a buffer overflow, by putting an 8 byte padding, a gadget(pop rdi; ret), an address pointing to &...
DeceptiveRat's user avatar
0 votes
1 answer
44 views

I have the disassembled bytes of a simple function 89 4C 24 08 mov dword ptr [sum],ecx while (sum>=1) { 83 7C 24 08 01 cmp dword ptr [sum],1 7C 0C ...
wanyancan's user avatar
  • 392
2 votes
2 answers
890 views

I am trying to test this example from StackOverflow (how-can-i-invoke-buffer-overflow), but I am not having success. I also asked for clarification two weeks ago, directly on the post (through a ...
nostromo's user avatar
  • 423
5 votes
2 answers
131 views

I am learning about shellcode development in C with an example from here. I can compile the assembly code and get the opcodes, also I can successfully run the ELF compiled with NASM, but I get a ...
RobertGG's user avatar
  • 135
2 votes
0 answers
129 views

There is a vulnerability in Tomcat 10.1.28 where inserting a semicolon in the url path will allow seeing the contents of a file. For example, the URL: mysite.com/myapp;/thisfile.config will display ...
JPCharlie's user avatar
0 votes
0 answers
44 views

I'm working with CVE-2019-0704 (BlueKeep) and have found myself working with PDU protocols. I understand the surface-level, but I need a deeper understanding of the ways that it interacts with the RDP ...
X the Mystic's user avatar
1 vote
0 answers
107 views

PROBLEM I am trying to put together a short demonstration of a simple hack for a presentation about cyber-security. I thought about using a format string vulnerability, and heavily inspired by this ...
arg_arthur's user avatar
0 votes
1 answer
99 views

I am currently playing around with some exploitation techniques in 64-bit Intel executable. My program was compiled with canary protection disabled (-fno-stack-protector), buffer overflow error ...
Anh Phan's user avatar
2 votes
1 answer
330 views

I discovered a driver vulnerability that allows arbitrary modification of the msr register. A common attack scenario is to modify msr[lstar] to point it to the attacker's malicious code. Then, when ...
007 996's user avatar
  • 33
-1 votes
2 answers
98 views

I define object a with an empty method b(). The method has no parameter and does nothing! Please someone tell me, why when I call a.b() and pass JS code as a parameter, does it execute the code? ...
KeepCalmBaby's user avatar
1 vote
1 answer
135 views

#include <stdio.h> #include <stdlib.h> #include <time.h> #include <string.h> /* I obtained access to the professor's grade management program. Can I change my grade to an '...
vivian phung's user avatar
0 votes
1 answer
58 views

Just a quick question, let's say we have the following C code: int hello(){ char arr[16]; scanf("%s",arr); printf("%s",arr); return 0; } I have a doubt that when the arr ...
Zishan Ansari's user avatar
1 vote
0 answers
72 views

I have the following simple program: #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char ** argv) { if(argc < 2) { printf("Missing ...
Ukk's user avatar
  • 121
0 votes
0 answers
530 views

I'm doing a research & working around Math.random() like a month ago. Math.random() uses XORSHIFT128+, so, if we can get the state of the PRNG, it'll be easy to predict future outputs. It is ...
laut3n's user avatar
  • 1
1 vote
0 answers
203 views

I'm working on a challenge that requires me to overwrite a memory address with a libc address, which is usually around 48 bits. I can write a 32-bit number into an address but with anything larger ...
john's user avatar
  • 11
0 votes
0 answers
1k views

I recently came across CVE-2023-3824, which has been rated as critical with a score of 9.8. This vulnerability constitutes a Remote Code Execution (RCE) and does not require any user interaction. The ...
Vignesh SB's user avatar
1 vote
0 answers
23 views

I am trying out a challenge where the system has an app installed from which I need to extract a variable called x. The app has a man-in-the-disk vulnerability where it calls a file in the external ...
crispypants's user avatar
0 votes
0 answers
205 views

Could someone explain what this assembly code does and how could it be used in a ROP attack? What type of data could go in the registers to successfully perform a ROP attack? Should it be chained to ...
ethcker's user avatar
0 votes
0 answers
93 views

I'm testing the Sambacry Vulnerability with the exploit from Github. My current machine is Kali Linux 2021 and Python version is 2.7.18. I have already installed the Impacket. But I still have ...
Paing Thet Kyaw's user avatar
1 vote
1 answer
283 views

x/16i 0xdeadbeef yields: 0x80481be <_init+22>: shlb $0x3a,-0x18(%ebp,%eax,1) 0x80481c3 <_init+27>: jle 0x80481c0 <_init+24> 0x80481c5 <_init+29>: .byte ...
brunge's user avatar
  • 13
1 vote
0 answers
236 views

I am working with buffer overflow exploit to understand it. I have been provided with a program called is_log_file.c to test the buf_exploit.c program I write on it. I am trying to write a program ...
green box's user avatar
0 votes
0 answers
90 views

I created a file with echo "/bin/sh" > cp Made it an executable and updated the $PATH variable to consider the current folder first. chmod +x cp export PATH=.:$PATH The program cp is ...
Alekh Avinash's user avatar
-1 votes
1 answer
798 views

To be as concise as possible, I am running a python exploit that passes all the checks that it needs to, but when the original ELF is supposed to write the flag to flag.txt, nothing gets displayed. I ...
thebigstapla's user avatar
0 votes
1 answer
819 views

I was making a simple CTF(Capture The Flag) problem with docker. The current case is simple(It's not a real problem, it's just a test.); enter a specified string and get a shell(/bin/bash) if correct. ...
KnightChaser's user avatar
0 votes
0 answers
177 views

Why is this code generating a php.mail.multipart.form exploit malware detection from my hosting provider? My hosting provider is detecting this code as containing malware? Why is this? it seems that ...
luckyclover's user avatar
3 votes
1 answer
124 views

The program is shown in the similar thread here. Let's assume that my OS doesn't implement ASLR or other protections from buffer overflow. Long story short, the author is spawning a child process from ...
noob_user's user avatar
  • 117
-3 votes
1 answer
2k views

Suppose I need to implement a system to brute force a 6-digit OTP. I have 100 Core 2 Duo computers. Each computer has 1/2gb ram and a 20mbps Broadband connection, but OTPs expire within 300 seconds or ...
Shafkat Raihan's user avatar
-1 votes
1 answer
436 views

So I've been trying to develop a ret2libc exploit for my program as shown below: #include <stdlib.h> #include <stdio.h> void vuln() { char arr[0x10]; scanf("%s", arr); ...
bruh's user avatar
  • 1
4 votes
1 answer
5k views

I'm doing a Capture The Flag (CTF) and I'm trying to exploit a server vulnerable to Jinja2 Server Side Template Injection (SSTI). I can't use the following characters: \, |, ,, . and _. I'm trying to ...
faint's user avatar
  • 41
1 vote
2 answers
375 views

I have a C program to exploit buffer overflow #include <stdlib.h> #include <stdio.h> #include <string.h> int overflow(char *input) { char buf[256]; strcpy(buf, input); return ...
leandror's user avatar
0 votes
0 answers
120 views

OK this has been bothering me for a while. I have an x86 binary which I'm supposed to attack via ROP. I already have all the offsets I need which I will show you in a minute. I know that I need 44 ...
IRP_HANDLER's user avatar
1 vote
0 answers
33 views

So, in the binary files of C program compiled using old gcc versions like 3.3.6 there is a section like .dtors but there is nothing like that in the binary files of C program compiled using new gcc ...
Vignesh SB's user avatar
0 votes
0 answers
198 views

I am failing to see any use of NOPs in ROP. Why do people use them? I have seen some examples of ROP gadget chains like (G2,G3,G4 are some gadgets) nop(return gadget)-(G2)-(G3)-somedata-(G4)---nop(...
Mike's user avatar
  • 43
0 votes
0 answers
88 views

I recently found out that clients can "spy" on other clients and all of their communications by joining the room with the victim's session id. Is this secure? My usage of socket.IO involves ...
py660's user avatar
  • 147
0 votes
1 answer
125 views

I kept getting an error, but it seems already good at if and elseif statements, kept giving me last line error. How the code works? When chat :example it does do ..., You can check under below, also this ...
user20853472's user avatar
0 votes
0 answers
990 views

Hi guys, I know this will sound weird but can you guys help me with finding readme value. I know python and still having a hard time cracking this variable from Crypto.Util.number import getPrime, ...
HOH_HOH's user avatar
  • 135
0 votes
1 answer
1k views

So I am currently doing a beginner CTF challenge on pwnable.tw, the "start" challenge specifically. After reversing the challenge binary I found out there was a buffer overflow exploit, and ...
leatherprofitable's user avatar
0 votes
0 answers
100 views

I am writing a simple Mail Server-Client App which is taking a users input for a receiver, a subject line and a message. To store the message, there is a directory in which a subdirectory is being ...
user avatar
0 votes
0 answers
35 views

I've been focused on this book for several years trying to get through it slowly but truly by understanding all of the details. However, I've come to a roadblock with a specific line of code in the ...
Iceman's user avatar
  • 11
0 votes
1 answer
216 views

I see the words compromise and exploit being used interchangeably. When I did basic Google searches for this question, the answers were about the difference between an exploit and a vulnerability, not ...
Nora McDougall-Collins's user avatar
0 votes
1 answer
407 views

I'm trying to get chrome's V8 (d8) x64.release version to use the V8 support tools in GDB, specifically for the job and telescope commands (predominantly the former). My x64.debug version has this ...
jnz's user avatar
  • 189
0 votes
1 answer
179 views

This is a little bit strange question. I am trying to find a syscall that allowed to execute code on the stack without parameters on i386. I am doing ctf and I success to find a way to call syscall ...
nadav levin's user avatar
0 votes
1 answer
227 views

I'm searching for an alternative to NONCES to prevent replay attacks. My scenario: I have implanted a ticket shop where you can buy tickets and to prevent two persons trying to buy the same ticket, I ...
Fatorice's user avatar
  • 772
0 votes
1 answer
46 views

So I've got a buggy C file in which I need to find an exploit. I have found a bug when accessing the following struct: #define BOARD_SIZE 10 typedef int (*turn_function_t)(struct board *); typedef ...
Dan23's user avatar
  • 1
0 votes
0 answers
110 views

How do I get "\x90" to be read as the byte value corresponding to the x86 NOP instruction when supplied as a field within the standard argument list in Linux? I have a buffer being stuffed ...
William Raezer's user avatar
1 vote
1 answer
870 views

I'm trying to call execve("/bin/cat", "filename" , NULL) via a chain of ROP gadget I'm able to step through the syscall but no output or error is shown so I'm not sure what is the ...
nkt's user avatar
  • 413
