Stack Based Overflows

The Basics

 

What is Buffer Overflow ?

In computer every application runs on a defined memory boundary and if part of the application exceeds the boundary then program crashes or in technical word “segmentation fault occurs”.



Let’s see an example to understand it much better. Below is a smallest buggy code written in C programming language .

First try to understand the code below.

If you don’t understand most of C ( just like me ) it’s ok. Just follow along for now.

  • int main( int argc, char **argv)

everything in C starts from main. Here char **argv  means that this program will accept arguments from command line. For this program command line argument is  Welcome

  • foo(argv[1])

foo is a function which takes value passed in char**argv as an argument or some people say parameter. The value of char **argv is Welcome.

  • Now the program execution jumps to foo.

What is happening in the above code ? The argument Welcome is passed to foo as a parameter . After that we declare c[12] is a array which creates a memory space which can hold 12 characters only.

Strcpy(a,b) is a inbuld function which comes with C program library . As you might have guessed by now, it just copies string from a variable b to another variable a.

Strcpy(c,bar) is just copying the value stored in bar ( welcome ) to our c variable .

Well after copying the variable the execution return back to last statement of main which is } and exits . Below is the diagram created by me (it’s one of my masterpiece actually…. )

Now why the above code is vulnerable?

 

Every application is written using a one or more programming language. Every programming language is not foolproof. However, C is one the oldest and buggy programming language because it contains some functions which lacks some security checks.

Strcpy() function is a C built-in function which lacks bound checking. Bound checking means you can write more values in c[12] i.e., you can execute the above program like below with more than 12 characters.

 

./mycode.c AAAAAAAAAAAAAX

But how a hacker can use this for his benefit. See the below diagram.

 

From the above diagram you should have got the point why the code is vulnerable. Thanks to my awesome drawing skills. If not (however that’s impossible) ,let’s say application 1 is written using vulnerable code like C and application 2 is written using a modern high level programming language. Hacker exploited the strcpy() vulnerability and written beyond the allocated memory boundary (in our case it is 12 ) and put the memory address of another application example notepad.exe

Note: Next section is about stacks and registers. If you try to understand buffer overflow exploitation works and follow along for all the coming sections , please pay your full attention. I will also add a demo video how exploitation works at the  end of next section

26 thoughts on “Stack Based Overflows

  • Good writing. But wish you had discussed use of strncpy() as a mitigation strategy as conclusion of your article.

  • Hey I know this is off topic but I was wondering if you knew of any widgets I could add to my blog that automatically tweet my newest twitter updates. I’ve been looking for a plug-in like this for quite some time and was hoping maybe you would have some experience with something like this. Please let me know if you run into anything. I truly enjoy reading your blog and I look forward to your new updates.
    http://educationguide.eu

  • Simply desire to say your article is as astonishing. The clarity on your post is simply spectacular and i can think you’re a professional in this subject. Fine along with your permission let me to grasp your RSS feed to stay up to date with drawing close post. Thanks one million and please continue the enjoyable work.

  • Hello There. I discovered your weblog the usage of msn. This is an extremely smartly written article. I will make sure to bookmark it and return to learn more of your useful information. Thank you for the post. I will certainly comeback.

  • Nice weblog right here! Additionally your web site rather a lot up very fast! What web host are you the usage of? Can I get your associate hyperlink for your host? I want my web site loaded up as quickly as yours lol

  • Hi! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly? My weblog looks weird when browsing from my apple iphone. I’m trying to find a theme or plugin that might be able to resolve this issue. If you have any recommendations, please share. Thank you!

  • Thanks everyone for reading my article and giving positive comments…yeah I am quite occupied nowadays but will keep rolling new articles and tutorials….

  • Whats up are using WordPress for your blog platform? I’m new to the blog world but I’m trying to get started and create my own. Do you require any coding expertise to make your own blog? Any help would be greatly appreciated!

    • Well… Thanks for your comment… At this moment I am doing it all by my own… But will contact you if I need any assistance…

  • Fantastic blog! Do you have any tips and hints for aspiring writers? I’m planning to start my own blog soon but I’m a little lost on everything. Would you advise starting with a free platform like WordPress or go for a paid option? There are so many options out there that I’m totally overwhelmed .. Any tips? Appreciate it!

  • Hello Web Admin, I noticed that your On-Page SEO is is missing a few factors, for one you do not use all three H tags in your post, also I notice that you are not using bold or italics properly in your SEO optimization. On-Page SEO means more now than ever since the new Google update: Panda. No longer are backlinks and simply pinging or sending out a RSS feed the key to getting Google PageRank or Alexa Rankings, You now NEED On-Page SEO. So what is good On-Page SEO?First your keyword must appear in the title.Then it must appear in the URL.You have to optimize your keyword and make sure that it has a nice keyword density of 3-5% in your article with relevant LSI (Latent Semantic Indexing). Then you should spread all H1,H2,H3 tags in your article.Your Keyword should appear in your first paragraph and in the last sentence of the page. You should have relevant usage of Bold and italics of your keyword.There should be one internal link to a page on your blog and you should have one image with an alt tag that has your keyword….wait there’s even more Now what if i told you there was a simple WordPress plugin that does all the On-Page SEO, and automatically for you? That’s right AUTOMATICALLY, just watch this 4minute video for more information at. Seo Plugin

  • I see you don’t monetize your website, don’t waste your traffic,
    you can earn additional cash every month because you’ve got hi quality content.
    If you want to know what is the best adsense alternative,
    type in google: adsense alternative Mertiso’s tips

  • Great post. I was checkiing constantly this blig and I’m inspired!
    Extremely helpful info particularly the closing part 🙂 I take
    care of such information a lot. I uded to be looking for this particular info for a very lengthy time.
    Thanks and best of luck.
    universitas unggulan di jakarta

Leave a Reply

Your email address will not be published. Required fields are marked *