Questions tagged [x86]
The processor architecture of most PCs and servers, including the 386/486/Pentium/… (IA-32) 32-bit family and the amd64 64-bit family. Most x86 processors are made by Intel or AMD.
35 questions

0 votes, 0 answers, 113 views
How do I prevent the random alignment of the instructions during debugging using gdb? Even tried turning off the optimization with -O0 in gcc
I have started with the book 'Hacking: The art of exploitation!'. I know some of you might suggest that it's pretty old... But I think great buildings withstand due to their strong foundational base. ...

20 votes, 6 answers, 10k views
Do high level languages allow for buffer / heap overflow?
I'm learning about basic x86 overflows in C but normally I code with Python. Is there any way that programs written in higher level languages can suffer from buffer/heap overflow?

1 vote, 2 answers, 179 views
Can a meltdown attack also violate data integrity of other processes or is it just violating data secrecy?
Can a meltdown attack also violate data integrity of other processes by obtaining different passwords or is it just violating data secrecy by reading data it is unauthorized to do?

1 vote, 0 answers, 1k views
msfvenom: how to output assembly of windows payload for inline assembly in C?
My goal is to obfuscate metasploit windows payloads' assembly code (adding junk code to the payload itself), then adding the obfuscated shellcode to inline assembly in C. The issue is there is no ...

1 vote, 0 answers, 971 views
Buffer bomb level 3 - Prevent stack corruption
I am trying to complete level 3 of buffer bomb lab. The task is to supply an exploit string that will cause getbuf to return my cookie (0x4b64b076) back to test, rather than the value 1. The exploit ...

0 votes, 2 answers, 556 views
In Return-Oriented Programming how can the machine execute unaligned instructions?
I am reading "The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)".
The author claims that x86 code is like English written without punctuation or spaces, ...

1 vote, 3 answers, 4k views
If x86 architecture has overflow flag in the CPU, then why can't we use it to detect integer overflows in C binaries? [closed]
I'm talking about the overflow flag that is used in some architectures like x86:
https://en.wikipedia.org/wiki/Overflow_flag
why aren't operating systems using this overflow flag to stop integer ...
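The mechanism behind that question, as an added example that is not from the question or any answer on it: the x86 overflow flag is set by every `add`, `sub`, `imul` and similar instruction and is overwritten by the next flag-writing instruction, so the test has to be emitted immediately after the arithmetic that produced it. 32-bit x86 even has an instruction for exactly this, `into` (removed in 64-bit mode), but it is the compiler, not the operating system, that would have to place it after each signed operation, and C does not ask for that: signed overflow is undefined behaviour, so the compiler may assume it never happens and may fold a post-hoc test such as `a + b < a` into `b < 0`. GCC and Clang do use the flag when asked explicitly, which is what the builtin below compiles to, and the inline-assembly version reads it by hand. Function names are this example's own; the inline assembly is x86-only and falls back to the builtin elsewhere.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The check C programmers often bolt on after the fact. For signed int the
 * addition itself is undefined behaviour when it overflows, so the compiler
 * may legally rewrite this as "b < 0" and never consult the overflow flag. */
bool naive_add_overflows(int a, int b)
{
    return a + b < a;
}

/* Portable checked add. On x86 GCC/Clang compile this to "addl" followed by
 * "jo"/"seto": the overflow flag is used, but only because the builtin asks
 * for the test at the one point where the flag is still valid. */
bool checked_add(int a, int b, int *out)
{
    return __builtin_add_overflow(a, b, out);
}

/* Reading OF by hand. "seto" must be the very next instruction after the
 * "addl" that produced it, which is why both live in one asm statement:
 * any flag-writing instruction in between (a compare, another add, a bounds
 * check the compiler inserted) would overwrite the flag. For unsigned
 * wrap-around the carry flag ("setc") is the one to test instead. */
bool add_reads_of(int a, int b, int *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned char of;
    __asm__("addl %[b], %[a]\n\t"
            "seto %[of]"
            : [a] "+r"(a), [of] "=q"(of)
            : [b] "r"(b)
            : "cc");
    *out = a;
    return of != 0;
#else
    /* Not an x86 build: the portable builtin does the same job. */
    return checked_add(a, b, out);
#endif
}

int main(void)
{
    int r;
    printf("INT_MAX + 1 overflows: builtin=%d, OF=%d\n",
           checked_add(INT_MAX, 1, &r), add_reads_of(INT_MAX, 1, &r));
    bool of = checked_add(40, 2, &r);
    printf("40 + 2: overflow=%d, sum=%d\n", of, r);
    return 0;
}
```

Compile with `gcc -O2 -S` and compare the output: `checked_add` ends in `addl` followed by a `seto`, while `naive_add_overflows` is normally reduced to a sign test on `b` and contains no flag test at all. The naive function is deliberately not exercised on overflowing inputs, because its result there is, by the standard, not defined.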

0 votes, 1 answer, 1k views
Android x86 vs Android on Qemu ARM
Situation: Emulating Android devices for pen-testing
Problem: Choosing between emulating Android x86 or emulating Android on Qemu running on ARM
Question: In terms of vulnerabilities/exploitability, ...

7 votes, 1 answer, 8k views
Why does my x86 shellcode test program segfault?
I am trying to learn how to create shellcode, my goal is to call execve(). I wrote the code in assembly and it works perfectly, there are no null-bytes or absolute addressing methods. The code works ...

6 votes, 2 answers, 1k views
Linux Kernel ROP - Returning to userland from kernel context?
I have a vulnerable Linux Kernel module (32-bit), which I can successfully exploit, and have gained privileges out of it. Basically, my exploit uses an ROP chain to disable SMEP, and directly jumps to ...

17 votes, 1 answer, 9k views
Why are AMD processors not/less vulnerable to Meltdown and Spectre?
I’ve read up on Meltdown and Spectre and it’s not obvious to me why AMD would be less vulnerable. Do AMD processors simply not have speculative execution? Or do they have some way of not exploding the ...

4 votes, 0 answers, 165 views
What is known about the latest vulnerability related to Linux Page Table Isolation patches? [duplicate]
Recently, on Hacker News front page, there was a post mentioning a new vulnerability that seems to affect Intel processors. The post is mostly speculation and there is no PoC or an exploit that I'm ...

7 votes, 2 answers, 7k views
How to exploit variable's value
I'm trying to exploit a binary file for which I have access to the source code.
int flag = 0;
int main() {
char buf[0x50];
puts("Who are you? ");
printf("> ");
fgets(buf, 0x50, stdin);...

4 votes, 2 answers, 9k views
Buffer Overflow doesn't have enough space for exploit after being crashed
So I'm trying to write a buffer overflow for a knowingly vulnerable server application, I want to learn how to do this on my own and just want some direction.
I'm watching it in immunity debugger on ...

1 vote, 1 answer, 3k views
BufferOverflow : ESP and access violation
The context:
I have a small question regarding ESP and access violation.
I just exploited a buffer overflow, with little space after ESP.
So I did this:
part 1: NOP SLED
part 2: my shellcode: ...

2 votes, 1 answer, 354 views
C library functions in statically linked ELF32 binary no longer use int 0x80
I've been practicing shell coding on Linux for a while. I used a VM to develop and test my shell code. The VM ran inside VMware workstation 12 pro, on Windows 10. Everything was fine and I could use ...

2 votes, 1 answer, 415 views
ROP payload layout confusion
I was reading an article (exploitresearch.wordpress.com) about using ROP to bypass DEP/ASLR. Near the end he lays out the 33 steps for his payload. These are laid out in the order that the shellcode ...

4 votes, 2 answers, 1k views
What lies behind this complicated shellcode on linux?
It's pretty much my first time playing around with a buffer overflow exploit. I've written a simple C program that is vulnerable to buffer overflows:
#include <stdio.h>
#include <stdlib.h>...

10 votes, 2 answers, 1k views
Are memcpy() based race conditions exploitable for causing remote code execution?
Let’s say I have the following pseudocode in the trusted part of a sandbox which prevent untrusted code calling mprotect() and mmap() and ptrace() directly (mutext isn’t accessible from sandboxed ...

11 votes, 1 answer, 4k views
Do fTPM implementations protect against physical attacks?
I see that there is an increasing number of PCs shipped with firmware based TPM (fTPM), e.g. the Intel NUC.
As far as I understand, these solutions practically emulate a TPM chip using the CPUs ...

22 votes, 2 answers, 9k views
What is known about the capabilities of AMD's Secure Processor?
I've found a fair amount of research about what Intel's ME does, including the "Intel x86 considered harmful (Chapter 4 is about ME)" survey paper by Joanna Rutkowska, but I'm having a much ...

4 votes, 2 answers, 647 views
Is dereferencing a null pointer in C a security risk if the program isn’t a daemon, but a small script launched as a separate process for each request?
The following code is part of a program that is spawned at every request by the nginx’s Ruby on Rails script:
static void time_t_to_dos_time(time_t user_supplied_time_t, int *dos_date, int *dos_time)...

3 votes, 3 answers, 3k views
Exploit a buffer overflow without SIGSEGV
For my studies I try to create a payload so that it overflows the buffer and calls a "secret" function called "target"
This is the code I use for testing on an i686
#include "stdio.h"
#include "...

2 votes, 1 answer, 2k views
Is using IsBadReadPtr and IsBadWritePtr considered to be insecure?
I am auditing (reverse engineering) an x86 C++ application without source code.
Static analysis revealed that the application is using the IsBadReadPtr and IsBadWritePtr Win32 functions in almost ALL ...

3 votes, 1 answer, 301 views
Defeating ROP attacks in x86
Most defense techniques against ROP revolve around randomization, such as ASLR.
If I mark all regions of memory, other than the code segment, non-executable, will this defeat ROP?

2 votes, 1 answer, 390 views
Defeating code injection attacks in x86
In x86 systems, there are three requirements for a code injection attack to work:
write attack payload to memory
attack payload to be executable
divert control-flow to payload
How can we prevent 2) ...
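The three requirements above, together with the two earlier ROP questions on this page (whether x86 can execute unaligned instructions, and whether making everything but the code segment non-executable defeats ROP), in one runnable program. This is an added example, not taken from any of the questions or their answers. It assumes an x86 Linux host with NX enforced (any 64-bit kernel) and no policy forbidding mprotect(PROT_EXEC) on anonymous memory; on other architectures it reports itself as unsupported. Writing the bytes into a mapping is requirement 1. Calling into them while the page is only readable and writable shows requirement 2 failing: the instruction fetch takes a SIGSEGV, which is what DEP/NX buys you. After mprotect the same bytes run, and entering them one byte past the intended start executes a different, still valid instruction sequence, which is why gadgets exist inside legitimate code and why NX alone does not defeat ROP. The byte string, constants and function names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed 7-byte instruction stream (same encoding in 32- and 64-bit mode).
 * Entered at offset 0 it decodes as:
 *   b8 b8 2a 00 00    mov eax, 0x00002ab8
 *   c3                ret
 * Entered at offset 1 the very same bytes decode as:
 *   b8 2a 00 00 c3    mov eax, 0xc300002a   (the first "ret" byte is now immediate data)
 *   c3                ret
 * That is the "English without spaces" property the ROP paper describes: an
 * unintended entry point yields a different, but still valid, instruction stream. */
const unsigned char STREAM[] = { 0xb8, 0xb8, 0x2a, 0x00, 0x00, 0xc3, 0xc3 };

enum { EXEC_BLOCKED = -1,      /* SIGSEGV: NX stopped the fetch from a non-executable page */
       EXEC_UNSUPPORTED = -2,  /* not an x86 build, nothing was executed */
       EXEC_ERROR = -3 };      /* mmap/mprotect failed (e.g. a policy denying PROT_EXEC) */

static sigjmp_buf recover;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(recover, 1);    /* unwind out of the faulting call */
}

/* Requirement 3: divert control flow into page + offset.
 * Returns EAX from the executed bytes, or EXEC_BLOCKED if the CPU faulted. */
int try_execute(unsigned char *page, size_t offset)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int result = EXEC_BLOCKED;
    if (sigsetjmp(recover, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(page + offset);
        result = fn();
    }
    sigaction(SIGSEGV, &old, NULL);
    return result;
}

/* Requirement 1: write the payload into memory. Requirement 2: the page must be
 * executable, which W^X/DEP denies for a writable page unless we ask for it. */
int run_stream(int make_executable, size_t entry_offset)
{
#if !defined(__x86_64__) && !defined(__i386__)
    (void)make_executable; (void)entry_offset;
    return EXEC_UNSUPPORTED;
#else
    unsigned char *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return EXEC_ERROR;
    memcpy(page, STREAM, sizeof STREAM);
    if (make_executable && mprotect(page, 4096, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, 4096);
        return EXEC_ERROR;
    }
    int r = try_execute(page, entry_offset);
    munmap(page, 4096);
    return r;
#endif
}

int main(void)
{
    printf("RW page, offset 0: %d   (expect -1: blocked by NX)\n", run_stream(0, 0));
    printf("RX page, offset 0: 0x%x (expect 0x2ab8)\n", (unsigned)run_stream(1, 0));
    printf("RX page, offset 1: 0x%x (expect 0xc300002a)\n", (unsigned)run_stream(1, 1));
    return 0;
}
```

Note what NX does and does not do here. It blocks the injected bytes in the first call, but the second and third calls stand in for any code that is already executable in the process: a ROP chain needs only requirement 3, a corrupted return address or function pointer, plus bytes that are already executable, and it can enter them at any offset. Defences against that requirement live elsewhere: stack canaries and ASLR make the diversion harder to set up, and control-flow integrity or a hardware shadow stack (Intel CET) checks the targets of returns and indirect calls.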

7 votes, 1 answer, 2k views
Return oriented programming without int 0x80
I have a program with a stack based buffer overflow. It is running PIE with ASLR and DEP, however there is a section of executable code that is at a fixed location.
However, this region does not ...

0 votes, 0 answers, 570 views
Stack buffer overflow: Is compiler changing variables order, preventing me to overwrite EIP properly?
I am learning about stack buffer overflow. A little info about my target: An x86 little endian intel-based computer, with a target compiled with TCC Compiler with no protections of any kind running on ...

4 votes, 3 answers, 10k views
Program exiting after executing int 0x80 instruction when running shellcode
In school I was given an assignment to perform a buffer overflow, which would execute some shellcode and open a new shell. After a bit of fiddling the buffer overflow succeeded, and when I ran the ...

13 votes, 4 answers, 2k views
Adding 65K buffer to protect from buffer overflows?
If you had a very complex and important function in C that you wanted to protect, would it be worth it to put a 65K buffer at the top of the stack to protect from buffer overflows? You would put your ...

16 votes, 1 answer, 9k views
Return-oriented programming: how to find a stack pivot
I have a program with a heap overflow. It contains some code that is not randomized (is not using ASLR). I want to do a return-oriented programming exploit. Since this is a heap overflow, the first ...

4 votes, 1 answer, 2k views
Occurrence of ROP gadget
I'm researching various buffer overflow techniques; one I have encountered and am pretty interested in at the moment is Return Oriented Programming (ROP), and the use of small groups of instructions known as ...

9 votes, 1 answer, 1k views
Better way to import Win32 APIs from injected shellcode
I'm injecting native x86 code into a .NET application, via a TLS callback in the binary image. Unfortunately, .NET executables only import mscorlib.dll within the PE, and have kernel32.dll mapped ...

6 votes, 1 answer, 1k views
Hardware enforced DEP on different CPUs
Are there any differences how hardware DEP is implemented on CPUs from different manufacturers (Intel, AMD, nVidia, Texas,...)?
Are there any significant differences how hardware DEP works on x86 ...

5 votes, 2 answers, 2k views
Where can I find information about how to implement Intel embedded AES256 encryption?
I heard this can really speed up encryption performance, but I can't find any good information about how to implement it.
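An added worked example of what the question asks for, not taken from the question or any answer on it: AES-256 encryption of one block with the AES-NI instructions, used through the compiler intrinsics from <wmmintrin.h> and checked against the AES-256 known-answer vector in FIPS-197 Appendix C.3. It assumes GCC or Clang on an x86 host: the target attribute lets the file build without -maes, and __builtin_cpu_supports("aes") guards the call so that a CPU without the extension gets a clean "unavailable" result instead of SIGILL. The function and macro names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>   /* SSE2: loads, stores, xor, byte shifts, dword shuffle */
#include <wmmintrin.h>   /* AES-NI: _mm_aesenc_si128, _mm_aeskeygenassist_si128 */

/* Builds without -maes: AES instructions are emitted only inside these
 * functions, which are called only after the runtime CPUID check below. */
#define AESNI __attribute__((target("aes,sse2")))

/* Shared tail of one key-schedule step: [p0 p1 p2 p3] becomes
 * [p0, p0^p1, p0^p1^p2, p0^p1^p2^p3] via three shifted XORs, then the assist
 * word t is XORed in, giving FIPS-197's w[i]=w[i-8]^t, w[i+1]=w[i-7]^w[i], ... */
static inline AESNI __m128i expand_step(__m128i prev, __m128i assist)
{
    prev = _mm_xor_si128(prev, _mm_slli_si128(prev, 4));
    prev = _mm_xor_si128(prev, _mm_slli_si128(prev, 4));
    prev = _mm_xor_si128(prev, _mm_slli_si128(prev, 4));
    return _mm_xor_si128(prev, assist);
}

/* Even round keys use RotWord(SubWord(last word)) ^ rcon, which aeskeygenassist
 * leaves in dword 3 (broadcast with shuffle 0xff). Odd ones use plain
 * SubWord(last word) from dword 2 (shuffle 0xaa): the extra step AES-256 has
 * and AES-128 does not. rcon must be an immediate, hence a macro, not a loop. */
#define EXPAND_PAIR(rk, i, rcon)                                                  \
    do {                                                                          \
        rk[i] = expand_step(rk[i - 2],                                            \
            _mm_shuffle_epi32(_mm_aeskeygenassist_si128(rk[i - 1], rcon), 0xff)); \
        rk[i + 1] = expand_step(rk[i - 1],                                        \
            _mm_shuffle_epi32(_mm_aeskeygenassist_si128(rk[i], 0x00), 0xaa));     \
    } while (0)

/* AES-256: 32-byte key, 14 rounds, 15 round keys. Compute once per key. */
static AESNI void aes256_expand_key(const uint8_t key[32], __m128i rk[15])
{
    rk[0] = _mm_loadu_si128((const __m128i *)key);
    rk[1] = _mm_loadu_si128((const __m128i *)(key + 16));
    EXPAND_PAIR(rk, 2, 0x01);
    EXPAND_PAIR(rk, 4, 0x02);
    EXPAND_PAIR(rk, 6, 0x04);
    EXPAND_PAIR(rk, 8, 0x08);
    EXPAND_PAIR(rk, 10, 0x10);
    EXPAND_PAIR(rk, 12, 0x20);
    rk[14] = expand_step(rk[12],  /* last key: even step only */
        _mm_shuffle_epi32(_mm_aeskeygenassist_si128(rk[13], 0x40), 0xff));
}

static AESNI void aes256_encrypt_block(const __m128i rk[15],
                                       const uint8_t in[16], uint8_t out[16])
{
    __m128i s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[0]);
    for (int r = 1; r < 14; r++)
        s = _mm_aesenc_si128(s, rk[r]);     /* ShiftRows+SubBytes+MixColumns+AddRoundKey */
    s = _mm_aesenclast_si128(s, rk[14]);    /* final round has no MixColumns */
    _mm_storeu_si128((__m128i *)out, s);
}
#endif

/* Known-answer test, FIPS-197 Appendix C.3 (AES-256). Returns 1 on match,
 * 0 on mismatch (a bug), -1 if AES-NI is unavailable or this is not x86. */
int aesni_selftest(void)
{
#if defined(__x86_64__) || defined(__i386__)
    if (!__builtin_cpu_supports("aes"))
        return -1;
    static const uint8_t key[32] = {
        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
        0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
    static const uint8_t plain[16] = {
        0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
    static const uint8_t expect[16] = {
        0x8e,0xa2,0xb7,0xca,0x51,0x67,0x45,0xbf,0xea,0xfc,0x49,0x90,0x4b,0x49,0x60,0x89 };
    __m128i rk[15];
    uint8_t out[16];
    aes256_expand_key(key, rk);
    aes256_encrypt_block(rk, plain, out);
    return memcmp(out, expect, sizeof out) == 0;
#else
    return -1;
#endif
}

int main(void)
{
    int r = aesni_selftest();
    puts(r == 1 ? "AES-NI: FIPS-197 C.3 vector matched"
       : r == 0 ? "AES-NI: MISMATCH, key schedule or rounds are wrong"
       :          "AES-NI not available on this CPU/build");
    return r == 0;
}
```

The speed-up the question mentions comes from `aesenc` performing a whole round in one instruction, and because there are no table lookups it also removes the cache-timing side channel that software AES has. Build with `gcc -O2 aesni.c` and run. For anything beyond a demonstration, use a library primitive such as OpenSSL's EVP_aes_256_gcm, which dispatches to these same instructions automatically, rather than a hand-rolled block cipher, and never single-block (ECB-style) encryption for real data.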