What do you put in the overwritten return address in stack buffer over?

I understand the idea, but let’s assume I have properly overflowed buff. Now I know that buff is 10 bytes long and, since it is the 5th local variable, my shellcode would be at esp + (size of the 4 other variables) + 10. First, is this kind of calculation correct?
Second, how would I still compute it, since I don’t know the value of esp to calculate the above? Do I have to find it based on the whole stack length and stack starting address?

Working code examples for stack or heap buffer overflows?

operating systems – Can the sandboxing technique prevent a buffer overflow attack?

mysql – Using double write buffer is 8x slower in SSD (compared with 2x~3x in HDD)

I understand that the double-write buffer enhances the reliability of data, so it makes transactions slower. But it is amazing that the slowdown is so severe on the newest Samsung 980 Pro (M.2 PCIe 4.0, about $400 for 1TB).

Workload: https://github.com/Percona-Lab/tpcc-mysql
Configurations: other parameters are defaults.
CPU: AMD Ryzen 3900XT
MEM: 64GB, 3200MHz
OS: Ubuntu 20.10, all disks are ext4
MySQL: 8.0.22

Why does this happen? Did I hit a performance bug?

Thanks!


encryption – Secure memory buffer

We are designing a Python application and we need to “load” encryption secret key in “memory” at the application boot.
It can be also an admin pin code. Anyway, just some data.

Our application will run under docker container.

What is the most secure process to do it?
Can we trust the OS against any memory dump?

Can we use some container feature to isolate that part of memory to our process?

Is there any kind of “secure/encrypted” cache system? Redis?

I believe that we MAY not find any extremely secure process, thus is there any obfuscation recommendation?

Our application is targeted to run on the Cloud.

execution condition for buffer overflow

You need to have root privileges to modify your password. This can be done by supplying the passwd utility with your user (non-root) password, since that utility is setuid and automatically runs itself as root no matter who executes it. If it verifies that the password you gave it matches the password on record for that user, it will allow you to change it by editing /etc/shadow for you.

There are many ways to get root on a system that you only have unprivileged local access to. This type of attack is termed local privilege escalation, or LPE. It usually relies on attacking a vulnerable setuid application, or attacking the kernel itself. Both of these require exploit development knowledge, which is not something someone can learn in one day, nor is it something that can be captured in a single answer here. If the system is running outdated software, you may be able to find a public vulnerability which you could use to elevate privileges. Otherwise, don’t count on it.

As for using a buffer overflow exclusively, that’s not going to work on any modern software. It might have worked in the 90s, but not today. There are numerous security techniques employed that make the naïve buffer overflow a thing of the past. Nowadays you need to bypass those techniques, which is not trivial. If you want to begin learning binary exploitation, start with a tutorial where you learn to exploit an intentionally insecure application with all the modern exploit mitigations manually disabled. Eventually you’ll start learning how to perform the exploit even with mitigations in place (e.g. learning how to execute code in non-executable memory by leveraging ROP). This is the kind of thing you’ll have to understand before exploiting a modern system with all the security in place.

Using payload to exploit a buffer overflow vulnerability

I downloaded an exploit code from exploit-db.com. The code I downloaded generated a one-line string and wrote it to a file called ‘exploit.txt’ in my Downloads folder. The file contains a single repeated character and some binary directly next to it; I presume all that is the payload to attack the software.

My question is, what can I do with this or how can I use this to exploit the vulnerable software running on my local?

macOS Terminal middle-click accidentally pastes the entire screen buffer

I like being able to select text and then immediately middle-click to paste in the Terminal app, especially because its clipboard is separate from the system clipboard. However, sometimes when I middle-click to paste, it will paste what seems to be the entire contents of the screen buffer. In the Terminal preferences, I have the scrollback set to “limit to available memory”, so my scrollback buffer often spans days of history.

Am I somehow accidentally selecting the entire buffer when I’m pasting? Is there a way to prevent Terminal from pasting so much data? I don’t want to disable middle-click pasting, but whenever this happens, I am forced to close the tab, since the paste doesn’t get canceled by Ctl-C.

I am currently using Terminal version 2.10 on macOS Catalina, but I have encountered this issue numerous times on previous versions of Terminal and macOS.

sql server 2016 – Dirty buffer pages after issuing CHECKPOINT

I am currently working on a test system and, due to the nature of the queries I want to optimise, I am trying to simulate a “cold” read as well as I can. Part of that is clearing the buffer cache before performing the queries. From everything I can find, dirty buffer pages are supposed to be written during a checkpoint. However, even after issuing a CHECKPOINT, there still seem to be 169 dirty pages of my database in the buffer pool (assessed via SELECT * FROM sys.dm_os_buffer_descriptors WHERE database_id=7 AND is_modified=1).

Is there anything I am misunderstanding about checkpoints or the content of sys.dm_os_buffer_descriptors? If not, why do I still have dirty pages after they were supposedly written away?

Basic questions about a buffer overflow attack example

People say buffer overflows are serious security bugs that can usually be exploited. Here is an artificial buffer overflow

#include <stdio.h>

int main(){
    int a[3]={0,1,2};                /* three-element array: valid indices are 0..2 */
    printf("value = %d\n",a[10]);    /* out-of-bounds read past the end of a: undefined behaviour */
    return 0;
}

I have two basic questions:

  1. Does “exploit the buffer overflow” mean to change the code? If so, how to change the code above to make an attack?
  2. What if the code is read-only? Can attackers still do something?
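A bounds-checked version of the program above, as an added example that is not part of the original question: it keeps the three-element array but takes the index from a command-line argument (an assumed stand-in for any untrusted input) and refuses anything outside the array, which is the fix for the read the post shows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Added example, not from the original post. The attacker does not edit
 * the program; they control the data it consumes (here: the index). */

enum { ARRAY_LEN = 3 };

/* Bounds-checked replacement for the post's a[10] read. Returns 0 and
 * stores the element on success, -1 if idx is outside 0..len-1, so no
 * out-of-range address is ever dereferenced. */
int read_checked(const int *a, size_t len, long idx, int *out) {
    if (idx < 0 || (size_t)idx >= len) {
        return -1;
    }
    *out = a[idx];
    return 0;
}

/* Parse an index from a string the way a program would parse argv or a
 * request field. Returns 0 on success, -1 on malformed or overflowing
 * input, so garbage never silently becomes index 0. */
int parse_index(const char *s, long *idx) {
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (s[0] == '\0' || *end != '\0' || errno == ERANGE) {
        return -1;
    }
    *idx = v;
    return 0;
}

int main(int argc, char **argv) {
    int a[ARRAY_LEN] = {0, 1, 2};
    long idx;
    int value;
    if (argc != 2 || parse_index(argv[1], &idx) != 0) {
        fprintf(stderr, "usage: %s <index>\n", argv[0]);
        return 1;
    }
    if (read_checked(a, ARRAY_LEN, idx, &value) != 0) {
        fprintf(stderr, "index %ld out of range 0..%d\n", idx, ARRAY_LEN - 1);
        return 1;
    }
    printf("value = %d\n", value);
    return 0;
}
```

Running it with 2 prints value = 2; running it with 10 exits with the out-of-range message instead of reading neighbouring stack memory.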