Buffer Overflow

I am trying to overflow the buffer shown below, yet can never reach it. I know that the location of buf is before i and len, and in my case, to overload the return instruction, I need to amend the integer len. I know I need to fill in the buffer till I get to the len variable, but I don't know how to avoid filling the i variable without screwing up the counter.

I've tried filling the input string with just a bunch of NOPs, but that automatically overflows the variable i with 0x909; when I try to change it and just fill it with numbers from 0 to 272, it makes it go into a loop and changes back to a number in the loop.

#include <string.h>

int function(char *input) {
    char buf[256];
    int i, len;

    /* The copy is capped at 272 bytes, but buf only holds 256: this is the
       deliberate overflow the post is about. */
    if (strlen(input) > 272) {
        len = 272;
    } else {
        len = strlen(input);
    }
    /* "<=" copies len + 1 bytes, so up to 273 bytes land in a 256-byte buffer. */
    for (i = 0; i <= len; i++) {
        buf[i] = input[i];   /* the original read "arg[i]"; the parameter is "input" */
    }
    return 0;
}

int lab_main(int argc, char *argv[]) {
    (void)argc;
    return function(argv[1]);   /* the original called "foo", which is not defined here */
}
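The arithmetic behind the overrun, and the bounded copy that would have prevented it, as an added example (this is not code from the original post; BUF_SIZE, vulnerable_write_count, vulnerable_overrun, bounded_copy and safe_function are names chosen here):

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 256   /* matches char buf[256] in the posted function */

/* Bytes the posted loop writes for an input of input_len bytes:
 * len is capped at 272 and "i <= len" copies len + 1 bytes. */
size_t vulnerable_write_count(size_t input_len) {
    size_t len = input_len > 272 ? 272 : input_len;
    return len + 1;
}

/* Bytes written past the end of buf[256] by the posted loop (0 if none).
 * Those are the bytes that land on i, len and whatever follows them. */
size_t vulnerable_overrun(size_t input_len) {
    size_t w = vulnerable_write_count(input_len);
    return w > BUF_SIZE ? w - BUF_SIZE : 0;
}

/* Bounded copy: never writes more than dstsz bytes, always NUL-terminates,
 * and returns the number of payload bytes kept (truncating silently).
 * The bound comes from the destination, not from the attacker's input. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return 0;
    size_t n = 0;
    while (n < dstsz - 1 && src[n] != '\0') n++;   /* leave room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Hardened counterpart of the posted function. */
int safe_function(const char *input) {
    char buf[BUF_SIZE];
    bounded_copy(buf, sizeof buf, input);
    return 0;
}
```

The only two changes that matter are the bound (sizeof the destination rather than a constant larger than it) and the comparison (`<` rather than `<=`), which is why a 255-byte input is the longest the original can take without touching anything past buf.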

Handling text overflow in wireframes

This is something that has bothered me a lot: how to approach it.

I like to use “ugly data” in my wireframes since my goal isn’t to have pretty wireframes, but functional ones. Using simple single-line words is easy and pretty, but it’s not real.

Here are some ways I can think of to handle longer text in a preview before selecting an item:

[Image: A list of ways to handle long text in previews]

But then what if you have a nefarious user who exploits Unicode to overflow these fields?

[Image: Various ways of exploiting Unicode]

The first example is the user using either or to create new lines, making a simple character count inaccurate.

The second example is the user using a long Unicode character to abuse a character counting method.

The third example is using a whitespace rendering character to create an ellipsis out of seemingly nowhere.

You’d need to somehow not only measure the width of a piece of text, but also make sure it doesn’t flow vertically. Or sanitize inputs so this doesn’t happen in the first place. But these precautions aren’t always technically feasible.

In addition, you need to display the full text somewhere anyway, and it starts getting ridiculous with the longer Unicode characters. As an example, the longer title that ends in an ellipsis is 37 characters; below is an example of a 20-character string. If you were to use newlines, it would only take 17 characters to completely overflow the screen at that font size.

Too long of strings

With all that in mind, how would you handle this? Do you scroll-overflow the text after a certain height? What if it’s composed of newlines? Do you decrease font size?

I’ve been told that it doesn’t matter because it would be ridiculous to have a user input such long text. I don’t like this response since it does and will happen, and it should be my task to figure out the best way to display these edge-cases.
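The first two abuses in the post (newlines and multi-byte characters) both defeat a naive "character count". The measurement below is an added example, not code from the original post: it decodes UTF-8 itself and reports byte length, code-point count and line structure for the same string, so the three numbers can be compared. The sample strings are constructed here; the function and struct names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Three different "lengths" of one UTF-8 string, plus the line structure a
 * byte or code-point count hides. */
struct text_measure {
    size_t bytes;          /* what strlen() reports */
    size_t codepoints;     /* what most "character counters" report */
    size_t lines;          /* 1 + number of line breaks */
    size_t longest_line;   /* code points on the widest line */
    int    valid;          /* 0 if the byte sequence is not well-formed UTF-8 */
};

/* Decode one UTF-8 sequence at s (len bytes left). Returns bytes consumed,
 * or 0 on malformed input (bad lead byte, truncated sequence, overlong form,
 * surrogate, or value above U+10FFFF). */
static size_t decode_utf8(const unsigned char *s, size_t len, uint32_t *cp) {
    if (len == 0) return 0;
    unsigned char b = s[0];
    size_t n;
    if (b < 0x80)                { *cp = b;        n = 1; }
    else if ((b & 0xE0) == 0xC0) { *cp = b & 0x1F; n = 2; }
    else if ((b & 0xF0) == 0xE0) { *cp = b & 0x0F; n = 3; }
    else if ((b & 0xF8) == 0xF0) { *cp = b & 0x07; n = 4; }
    else return 0;
    if (n > len) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if ((n == 2 && *cp < 0x80) || (n == 3 && *cp < 0x800) || (n == 4 && *cp < 0x10000)) return 0;
    if (*cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF)) return 0;
    return n;
}

/* Line breaks a renderer may honour: LF, CR, NEL, LINE SEPARATOR, PARAGRAPH SEPARATOR. */
static int is_line_break(uint32_t cp) {
    return cp == 0x0A || cp == 0x0D || cp == 0x85 || cp == 0x2028 || cp == 0x2029;
}

struct text_measure measure_utf8(const char *text) {
    struct text_measure m = { strlen(text), 0, 1, 0, 1 };
    const unsigned char *p = (const unsigned char *)text;
    size_t left = m.bytes, cur = 0;
    while (left > 0) {
        uint32_t cp;
        size_t n = decode_utf8(p, left, &cp);
        if (n == 0) { m.valid = 0; return m; }    /* reject rather than guess */
        p += n; left -= n;
        m.codepoints++;
        if (is_line_break(cp)) {
            if (cp == 0x0D && left > 0 && *p == 0x0A) { p++; left--; m.codepoints++; } /* CR LF is one break */
            m.lines++;
            cur = 0;
        } else if (++cur > m.longest_line) {
            m.longest_line = cur;
        }
    }
    return m;
}

/* Constructed samples: plain ASCII, an embedded newline, three CJK
 * characters (9 bytes, 3 code points), and a U+2028 LINE SEPARATOR that
 * most counters treat as an ordinary character. */
const char *SAMPLE_ASCII   = "Hello";
const char *SAMPLE_NEWLINE = "Hello\nWorld!";
const char *SAMPLE_CJK     = "\xE6\x97\xA5\xE6\x9C\xAC\xE8\xAA\x9E";
const char *SAMPLE_U2028   = "a\xE2\x80\xA8" "b";
```

None of these numbers is the rendered width; that still needs the font. What the measurement does give a server-side validator is a way to reject separators and malformed sequences before the string reaches a layout engine, and to cap the count that actually matters (code points per line) instead of the byte count.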

Overflow when adding multiple binary numbers

Perform the following binary operation assuming our result has a maximum of 8 bits: 00110110 + 01111001 – 00001100. Was there an overflow, a signed overflow, or no overflow? (A signed overflow occurs when a carry changes the sign bit. An overflow occurs when a carry goes beyond the available bits to store the result.) I was wondering how the computer works when adding multiple binary numbers and, if the number is represented by 8 bits, whether they will be signed binary numbers or…?
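A processor does not know whether the 8-bit operands are signed; it computes both flags on every operation and leaves the interpretation to the program. The code below is an added example (not part of the original post) that reproduces that: carry out of bit 7 for unsigned overflow, and the standard two's-complement rule (operands of one sign, result of the other) for signed overflow. The struct and function names are this example's own; the sample operands are the ones in the question.

```c
#include <stdint.h>

/* Result of one 8-bit add or subtract together with the two overflow flags
 * a CPU would set (x86 CF and OF, respectively). */
struct op8 {
    uint8_t result;
    int carry;      /* unsigned overflow: the true result did not fit in 8 bits */
    int overflow;   /* signed overflow: the 8-bit result has the wrong sign */
};

struct op8 add8(uint8_t a, uint8_t b) {
    struct op8 r;
    unsigned sum = (unsigned)a + b;       /* exact 9-bit sum */
    r.result = (uint8_t)sum;
    r.carry = (sum >> 8) & 1;             /* bit 8 is the carry out of bit 7 */
    /* Signed overflow: a and b share a sign bit and the result has the other one. */
    r.overflow = (~(a ^ b) & (a ^ r.result) & 0x80) != 0;
    return r;
}

struct op8 sub8(uint8_t a, uint8_t b) {
    struct op8 r;
    r.result = (uint8_t)(a - b);
    r.carry = a < b;                      /* borrow: the unsigned result went below 0 */
    /* Signed overflow: a and b differ in sign and the result's sign differs from a's. */
    r.overflow = ((a ^ b) & (a ^ r.result) & 0x80) != 0;
    return r;
}

/* Read the same bit pattern as two's complement. */
int as_signed8(uint8_t v) { return (int8_t)v; }

/* The question's expression, carried out step by step with 8-bit results.
 * Returns the flags of each step through the out parameters. */
uint8_t question_expression(struct op8 *step1, struct op8 *step2) {
    *step1 = add8(0x36, 0x79);            /* 00110110 + 01111001 */
    *step2 = sub8(step1->result, 0x0C);   /* ... - 00001100 */
    return step2->result;
}
```

Checking the flags per step is what a multi-operand computation actually does; a chain of operations carries no single "was there an overflow" answer, only one pair of flags per instruction.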

Why can’t you jump from SEH straight to payload for SEH buffer overflow?

From my understanding, a typical way to achieve an SEH buffer overflow (ignoring protections like DEP, SafeSEH, etc.) is to overwrite SEH with POP POP RET, which goes back to nSEH, which we control. nSEH will then be used to point to our located shellcode. Below is how the stack will look.

[BUFFER][nSEH to payload][SE handler for POP-POP-RET][Payload] 

My question is, why can’t you just overwrite SEH with some opcode to jump x amount of bytes straight to the shellcode?

Is a Buffer Overflow / NOP Slide possible for memory addresses that contain null bytes?

I have been reading up on Buffer Overflows and NOP Sleds. I tried to use the exploit on an example target and I got stuck because I needed to inject a null byte in the return address for my BP so that my program does not crash. I have become aware of the fact that it is not possible to call a C program from command-line with a string that contains null bytes.

So, my question is how to perform a buffer overflow in case the target memory address contains null bytes. Also, this would make NOP sleds useless as well, because the return address would contain null bytes too, right?

Because I am completely new to C programming and exploitation in general it might be that I overlooked something obvious like zeroing out a part of memory after injection to construct a valid memory address but google search did not yield any understandable results for me.

Lastly, is it always the case that a stored memory address in memory ends with a null byte? Based on my observations I assume this is necessarily the case, but there might be other options to interpret stored data as memory addresses without a null byte at the end.
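Whether a null byte in an address is a problem depends on where it lands once the address is written to memory, not on its position in the hexadecimal spelling. The code below is an added example (not code from the original post) that serializes an address in the little-endian order x86 uses and classifies the zero bytes: none, only at the end, or in the middle. The sample addresses are constructed for illustration and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

enum nul_placement {
    NUL_NONE,           /* every byte is non-zero: any copy routine delivers it intact */
    NUL_TRAILING_ONLY,  /* zeros only in the most significant bytes, i.e. at the end */
    NUL_INTERIOR        /* a zero byte followed by a non-zero one: a C string copy stops there */
};

/* Serialize addr as width little-endian bytes: least significant byte first,
 * which is the order the address occupies in memory on x86/x86-64. */
void encode_le(uint64_t addr, size_t width, uint8_t *out) {
    for (size_t i = 0; i < width; i++) out[i] = (uint8_t)(addr >> (8 * i));
}

size_t count_zero_bytes(uint64_t addr, size_t width) {
    uint8_t b[8];
    size_t n = 0;
    encode_le(addr, width, b);
    for (size_t i = 0; i < width; i++) n += (b[i] == 0);
    return n;
}

/* Zero bytes at the end of the in-memory layout (high-order bytes). */
size_t trailing_zero_bytes(uint64_t addr, size_t width) {
    uint8_t b[8];
    size_t n = 0;
    encode_le(addr, width, b);
    for (size_t i = width; i > 0 && b[i - 1] == 0; i--) n++;
    return n;
}

/* strcpy() writes exactly one NUL, the terminator, after the payload, so an
 * address whose only zero byte is the last one in memory can be the final
 * thing in the buffer and still arrive complete. A zero byte with non-zero
 * bytes after it cuts the copy short. */
enum nul_placement classify_nul_bytes(uint64_t addr, size_t width) {
    uint8_t b[8];
    int seen_zero = 0;
    encode_le(addr, width, b);
    for (size_t i = 0; i < width; i++) {
        if (b[i] == 0) seen_zero = 1;
        else if (seen_zero) return NUL_INTERIOR;
    }
    return seen_zero ? NUL_TRAILING_ONLY : NUL_NONE;
}

/* Constructed sample addresses (not taken from any specific binary). */
const uint64_t SAMPLE_TEXT32   = 0x08049abc;        /* 32-bit, no zero bytes */
const uint64_t SAMPLE_PAGE32   = 0x0804a000;        /* 32-bit, zero in the low byte */
const uint64_t SAMPLE_STACK64  = 0x7fffffffe4a8;    /* 64-bit user-space stack address */
```

The 64-bit case is why NOP sleds do not disappear on x86-64: a canonical user-space stack address always has two high zero bytes, and because they sit at the end of the little-endian layout, one is supplied by the terminator and the other usually needs no help since the saved return address already has zero there. The 32-bit page-aligned address is the real problem case, as its zero byte comes first in memory.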

How to prepare privilege escalation from buffer overflow on Linux? [on hold]

I compiled a vulnerable application on my Kali Linux 2019.2 and gave the application permissions (-r-sr-x---).

Then I used my payload with non-root user and got shell, but whoami shows that I’m not root, I’m still the same user.

Could someone give me advice? I can't figure out what I'm missing. I tried to find a guide, but without luck.

Remote Buffer Overflow w/out Memory Leak

I’m working on an exploit development challenge right now in which I’ve been presented with a compiled binary and I have to exploit it on a remote server. No stack protections have been enabled and ASLR is disabled. I’ve written the exploit successfully and tested on my device and it works. However when I run it on the remote server it fails.

There aren't any memory leaks, so I can't do a ret2libc-style attack, and I'm not very good at ROP. The buffer overflows by quite a bit and there is an executable stack. What are the other options, rather than ROP, that I could use to get EIP pointing to my buffer without knowing its exact location? Is it possible to use just a couple of gadgets to point EIP to some location relative to the current stack? If so, could one potentially help explain the ASM required to do that?

Thank you in advance.
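With no ASLR and an executable stack, the classic way to avoid guessing the buffer address is to return into an instruction that already transfers control to ESP, such as `jmp esp` (FF E4), `call esp` (FF D4) or `push esp; ret` (54 C3), at a fixed address in the binary; after the `ret` that consumes the overwritten return address, ESP points at the bytes that follow it in the payload. The scanner below is an added example (not code from the original post or the challenge) that finds such two-byte sequences in a buffer of code bytes; the sample bytes are constructed here, not taken from any real binary, and the names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte patterns that transfer control to the stack pointer on 32-bit x86.
 * Any of these at a fixed, non-randomized address gets EIP into the buffer
 * without knowing the buffer's absolute address. */
struct gadget { const char *name; const uint8_t *bytes; size_t len; };

static const uint8_t JMP_ESP[]      = { 0xFF, 0xE4 };
static const uint8_t CALL_ESP[]     = { 0xFF, 0xD4 };
static const uint8_t PUSH_ESP_RET[] = { 0x54, 0xC3 };

const struct gadget GADGETS[] = {
    { "jmp esp",       JMP_ESP,      sizeof JMP_ESP },
    { "call esp",      CALL_ESP,     sizeof CALL_ESP },
    { "push esp; ret", PUSH_ESP_RET, sizeof PUSH_ESP_RET },
};
const size_t N_GADGETS = sizeof GADGETS / sizeof GADGETS[0];

/* Scan image (loaded at base) for a byte pattern; store up to max hit
 * addresses in out and return the total number of hits. Matches need not be
 * instruction-aligned: x86 executes a gadget that starts in the middle of
 * another instruction just as happily. */
size_t find_pattern(const uint8_t *image, size_t image_len, uint32_t base,
                    const uint8_t *pat, size_t pat_len, uint32_t *out, size_t max) {
    size_t hits = 0;
    if (pat_len == 0 || pat_len > image_len) return 0;
    for (size_t off = 0; off + pat_len <= image_len; off++) {
        if (memcmp(image + off, pat, pat_len) == 0) {
            if (hits < max) out[hits] = base + (uint32_t)off;
            hits++;
        }
    }
    return hits;
}

/* First stack-redirecting gadget of any kind; returns 1 and fills addr/name. */
int find_stack_gadget(const uint8_t *image, size_t image_len, uint32_t base,
                      uint32_t *addr, const char **name) {
    for (size_t g = 0; g < N_GADGETS; g++) {
        uint32_t hit;
        if (find_pattern(image, image_len, base, GADGETS[g].bytes, GADGETS[g].len, &hit, 1)) {
            *addr = hit;
            *name = GADGETS[g].name;
            return 1;
        }
    }
    return 0;
}

/* Constructed sample .text bytes (not from any real binary). */
const uint8_t SAMPLE_TEXT[] = {
    0x55, 0x89, 0xE5, 0x90, 0x90,   /* push ebp; mov ebp, esp; nop; nop        */
    0x89, 0xD8, 0xFF, 0xE4,         /* mov eax, ebx; jmp esp  (jmp esp at +7)  */
    0xC3, 0x90, 0x54, 0xC3,         /* ret; nop; push esp; ret (push at +11)   */
};
const uint32_t SAMPLE_BASE = 0x08048000;   /* typical non-PIE 32-bit load address */
```

The payload layout that goes with a hit is `[padding][gadget address][shellcode]`: the `ret` pops the gadget address into EIP, ESP now points at the shellcode, and the gadget jumps there. The address must also survive the input path (no null bytes for a string copy), so pair this with a null-byte check on each candidate before choosing one.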

Casting fraction number to decimal throws Arithmetic overflow error

I have a table called AssignmentMarks that stores students' assignment marks for different subjects. This table has a column called Marks varchar(10) which stores the marks. The marks can be like 1, 2, and they can also be +, - or -+, where each sign represents a specific mark.

Note: + is 1 mark, - is -1 and -+ is 0.5

While getting a student's marks from the table I am getting an Arithmetic Overflow error, and I don't know what is causing it.

The query is as follows:

SELECT SUM(
    CAST(
        CASE
            WHEN a.Marks IS NULL OR a.Marks = '' THEN 0
            WHEN a.Marks = '+'  THEN 1
            WHEN a.Marks = '-'  THEN -1
            WHEN a.Marks = '-+' THEN 0.5
            ELSE a.Marks
        END AS DECIMAL(5,2)
    )
)
FROM AssignmentMarks AS a
WHERE a.StudentID = 10 AND a.SubjectID = 1

After Executing the above query I get the following error.

Msg 8115, Level 16, State 8, Line 7

Arithmetic overflow error converting varchar to data type numeric.

Any idea what is the main cause of this error?