Questions tagged [exploit-development]
For questions about development of software which takes advantage of exploits (vulnerabilities in security systems).
202 questions
1 vote, 0 answers, 105 views
How to exploit Object.assign in Express/Mongoose application?
I have a legacy Express/Mongoose application lying around and found a potentially dangerous line of code in it: Object.assign with user input as the second argument. I thought it would be a nice exercise ...
0 votes, 0 answers, 97 views
Why are the Chrome/Chromium JavaScript engines (V8) vulnerabilities more difficult to reproduce on Android compared to Windows and Debian?
I conducted tests on the vulnerabilities of 5 Chrome/Chromium JavaScript engines (V8) on three platforms (the list of vulnerabilities is as follows).
Without exception, the Android system failed to ...
1 vote, 1 answer, 77 views
Payload doesn't fire up outside gdb?
I'm a complete beginner in exploitation, and I'm stuck on the rather famous problem: why does my exploit work in gdb but not in the terminal?
Context: I'm using the QEMU emulator with a Qcow2 image of amd64 https://exploit....
1 vote, 0 answers, 267 views
Could an XXE vulnerability lead to RCE?
I have identified an XXE vulnerability in an XML parser of an application that allows external entities.
I used the crafted XML below to make a GET request to localhost on port 9090, and on the same ...
3 votes, 1 answer, 213 views
Can vulnerabilities in transitive dependencies be exploitable?
I am running nmap on an HTTP server, and I got the Netty version used by the server.
The Netty version used is 9.4.53.v20231009; I tried to check online for CVEs related to this version, and it seems ...
1 vote, 0 answers, 61 views
Can't print hexadecimal formatted address in buffer overflow
I'm trying to overwrite the return address caused by a buffer overflow. I've already calculated the distance between the buffer and the return address. The address that I want to jump to is ...
0 votes, 0 answers, 127 views
How can I safely write in my resume that I have written a Metasploit exploit module without making employers nervous?
I have asked this question on The Workplace SE site and did not receive any comprehensive answers over there. I have around 10 years of cybersecurity industry experience and have gained proficiency ...
2 votes, 1 answer, 973 views
Python Code Injection With int()
I discovered, reading the documentation for int() in Python, that I could execute operating system commands if something like the following were passed to the int() constructor:
type('',(),{'a':5,'b':6,'...
0 votes, 1 answer, 188 views
pvefindaddr p2 in mona?
Is there a !pvefindaddr p2 (search for all pop/pop/ret combinations in the entire process memory space) equivalent in mona.py?
Alternatively, is there any option to run pvefindaddr in the latest versions ...
1 vote, 1 answer, 280 views
Get in-depth information about a vulnerability from a CVE
I'm trying to understand how to get more information about a vulnerability given a CVE. I noticed that some CVEs, on websites like https://www.cvedetails.com, have references to articles or to ...
3 votes, 1 answer, 805 views
Can't get this memory addressing
I am working with this INE eCXD material, going over my basics of buffer overflows on Linux.
In the lab, there is supposed to be a binary that uses the strcpy() function, and it SEGFAULTS ...
1 vote, 2 answers, 1k views
ROP: Handling a `push` in the middle of a gadget
In ROP, a gadget often has an undesired pop or push in the middle.
For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well.
What about a push: What do we ...
1 vote, 0 answers, 278 views
How does glibc prevent malloc unlink exploits?
The classic malloc overflow, of overwriting pointers in a free chunk, to cause free() unlink to overwrite an arbitrary location with an arbitrary value, is no longer possible with modern glibc (...
0 votes, 0 answers, 373 views
64-bit ELF buffer overflow not working, possibly due to an if statement
I wrote the following:
#include <stdio.h>
#include <string.h>   /* needed for memset() */

int win(){
    printf("Won!\n");
    return 0;
}

int vulnerable(){
    char buffer[20];
    memset(buffer, 0, 10);
    printf("Input: &...
1 vote, 1 answer, 529 views
How can an ELF binary call a Windows API from WSL(2) to deploy a payload?
In September 2021 Black Lotus Labs (BLL) posted a blog entry discussing a payload loader that was:
written in Python
compiled to an ELF exe using PyInstaller in Debian in WSL
and "injected into ...