Buffer overflow Mona modules all show Rebase SafeSEH ASLR True

Almost every beginners (noob friendly) tutorial written for Stack based buffer overflow explains when using mona module to locate a safe reliable memory address for our EIP to JMP to our shellcode should have Rebase, Safe SEH, ASLR disabled.

enter image description here

However in a recent stack based buffer overflow challenge, all the modules mona provided showed they were protected except for the executable itself.

I used a module (DLL) that had those protections shown by mona to JMP to my shellcode and successfully execute my shellcode which really confused me.

If the executable itself is not protected does that mean we can use any DLL to JMP to our shellcode? if not what is the proper way to handle this situation?

Bypass ASLR in buffer overflow

Iam new in buffer overflow and i have some questions :

0- Is all dll files in windows are loaded at memory or some of them only , If some of them , Who tell windows to load this and leave this

1- How an .exe program know a dll’s functions memory location , after it (program) became an exe file (0,1) // While ASLR is enabled and location changed every time windows reboot

2- Why we didn’t use it’s method to find a (call/jmp esp)’s location in buffer overflow when ASLR is enabled

3- I want a resources to study basics of how os work and reverse engineering that I need for a (pentester) not a malware analyst or reverse engineer

How to tell how big size of a buffer to choose? [migrated]

I’m learning about networking with Python and I’ve encountered something I don’t understand.

particularly:

packet = server.recvfrom(2048)

I understand that .recv() and .recvfrom() methods determine the size of a buffer to work with but sometimes I see 1024, 2048, … and I can’t seem to connect the dots correctly as to how to know what size of a buffer to choose. The learning resources I’m working with aren’t explaining this and I would like to know.

I also understand that a buffer is a temporary data storage allocated within RAM.

Any exploit details regarding CVE-2019-3846 : Linux Kernel ‘marvell/mwifiex/scan.c’ Heap Buffer Overflow Vulnerability

How to get this exploit working or any method for this.

I have seen and read a lot about this issue at various references

It is seen that various Linux version < 8 is vulnerable to this issue

Linux Kernel ‘marvell/mwifiex/scan.c’ Heap Buffer Overflow Vulnerability

Issue Description: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.

Can you share exploit details regarding this.?

https://vulners.com/cve/CVE-2019-3846 https://www.securityfocus.com/bid/69867/exploit : NO exploit there

Any tips on how to exploit this.

What is this “prepare” variable used for in this SEH based buffer overflow payload?

I am trying to understand how a SEH based buffer overflow is working and I have to write a paper about how an exploit works. I took this PoC for my paper.

junk = "\x41" * 4091  nseh = "\x61\x62" seh  = "\x57\x42"           # Overwrite Seh # 0x00420057 : {pivot 8}  prepare =  "\x44\x6e\x53\x6e\x58\x6e\x05" prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3" prepare += "\x41" * 107; ... 

I don’t really understand how it’s jumping over the next SEH.

  • What is \x61\x62 used for in the nseh variable?
  • What is the prepare variable used for?
  • How is it jumping to the shellcode?

I already understand that the \x57\x42 is used as a pointer to target a pop pop ret to trigger a second error but I am stuck after that…

Understanding why this buffer overflow attack isn’t working

I’m doing a buffer overflow challenge, and I can’t understand what exactly I’m doing wrong. Through debugging, I managed to figure out how my input should look like such that I can force the program to return to a function. From gdb I figured if I entered “aaaaaaaaaaaaaaaaaaaaaaaaaaaacdefbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb” I can get the program to return to cdef of 0x66656463. Here’s a sc just in case: enter image description here As you can see, the program managed to go to 0x66656463. Now I the function’s address through gdb and I tried placing this in cdef’s spot in little endian order using pwntools:

payload = "a" * 28 + "\x56\x85\x04\x08" + "b"*47 msg = "-1\n" + payload  io.sendline(msg) 

The reason for the “-1\n” is because the program asks for input twice: the first time I just enter -1 and then the second input I try the exploit. So far, I’m just getting a segfault and the address I want to jump to should be starting a shell for me to exploit. I’m not sure what exactly I’m doing wrong, and any help would be appreciated. If I had to guess it’s that I’m somehow dealing with the two inputs incorrectly (they’re being read via fgets() in C if that matters.)

EDIT: I have the source binary and I tried running it locally. I created the following txt file

-1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaV\x85\x04\x08bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 

and I redirect it in gdb via

run < <(cat input.txt) 

this works the same but whenever I add an escaped hex in place of the cdef, I get a different seg fault at a different address: enter image description here

It looks like if I replace any of the cdef with an escaped hex, I get a segfault at 0x08048726. Is something wrong with passing in the bytes?

Buffer Overflow Works Locally But Not Remotely

So I made a simple buffer overflow challenge and attempted to host it on a digitalocean droplet. The challenge source is below, and is compiled using gcc welcome.c -fno-stack-protector -no-pie -o welcome.

#include <unistd.h> #include <stdio.h>  int main(void) {     setvbuf(stdout, NULL, _IONBF, 0);     char name[25];     printf("whats your name? ");     gets(name);     printf("welcome to pwn, %s!\n", name);     return 0; }  void flag() {     char flag[50];     FILE* stream = fopen("flag.txt", "r");     fgets(flag, 50, stream);     printf("%s", flag); } 

Locally on the Docker the challenge is running on, I am able to use the exploit seen here. Trying to use it over the netcat connection though, it doesn’t work! All of the files I am using to host the challenge can be found here. Any help or other tips would be appreciated. I have spent a large part of the day confused about this.

Bonus question, why does the binary hang after completion on the remote server until the user hits enter? Maybe my setvbuf is incorrect? If someone could explain this that would be great! I am fairly new to this stuff.

Cannot execute shellcode using buffer overflow

As a home exercise I’m trying to achieve buffer overflow attack by running a simple char array program that stores the input argument in the program stack and then overflowing that stack with long enough input so that EIP gets overwritten with one of the NOP instructions and then it would slide to the shellcode and execute it.

I’m currently running Ubuntu 16.04 32-bit in Virtualbox, with kernel ASLR set to disabled.

My C code:

#include <stdio.h> #include <string.h>  int main(int argc, char **argv) {   char buffer[500]   strcpy(buffer, argv[1]);   printf("%s\n", buffer);   return 0; } 

I compiled the code with options: -z execstack -fno-stack-protector

When I’m trying to execute the code in gdb using some bash code to generate the input, I manage to change the register value to the one containing the NOPs but the code just throws segmentation fault and I am unable to execute the shellcode.

I started with 504 byte input, 476 NOPs + 24 shellcode + 4x 0x45 bytes.

enter image description here

I was able to find my input in the memory. I took the address somewhere between the NOPs (0xbfffed60).

To overwrite the ESP register, I grew the total input length to 508 bytes, which consisted of: 476 NOPs + 24 shellcode + 2x memory address (0xbfffed60, with bytes in inverted order \x60\xed\xff\xbf).

When I run the code with that input, I’m just receiving segmentation fault and not getting the shellcode to execute.

enter image description here

It seems to go in the exact spot where I’m telling it to go but it does not execute the NOPs nor the shellcode.