Basics

Data overwrite

With a buffer overflow, it is possible to overwrite values on the stack. The most popular beginner challenges aim to overwrite the value of another variable.

How does it work?

Each variable stored on the stack is given a fixed amount of space, decided at compile time from its declaration. Some examples (sizes for a typical 64-bit Linux target; they depend on the platform's ABI):

  • int a; --> allocates 4 bytes

  • char a; --> allocates 1 byte

  • char a[16]; --> allocates 16 bytes

  • long a; --> allocates 8 bytes on 64-bit Linux (4 bytes on 32-bit x86)

  • etc.

A variable is simply a named region of memory, here inside the function's stack frame; the compiler knows its address (an offset from the frame pointer) and reads and writes it there. An array name such as a stands for the address of its first element.

When data is written into a variable, it is written starting at the variable's address and continuing for the length of the data, not for the length of the variable:

char a[16];
strcpy(a, "AAAAAAAAAAAAAAA"); // 15 'A' plus the terminating NUL: 16 bytes

The compiler reserves 16 bytes for a in the stack frame, say at 0xffffd4dc.

The 15 'A' bytes (0x41) are then written starting at that address, followed by the NUL terminator (0x00). The 16 bytes right after a belong to a second variable, here holding the string "SuperPassword!!":

  address   |   values
------------+-------------------------------------------------------------------
            |   +--------------------------- a ------------------------------+
0xffffd4dc: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
0xffffd4e4: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x00 |
            |   +------------------------------------------------------------+
            |   +------------------------------------------------------------+
0xffffd4ec: |   | 0x53  0x75    0x70    0x65    0x72    0x50    0x61    0x73 |
0xffffd4f4: |   | 0x73  0x77    0x6f    0x72    0x64    0x21    0x21    0x00 |
            |   +------------------------------------------------------------+
  ...       |    ...

But what happens if more than 16 bytes are written into a?

char a[16];
strcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); // 31 'A' plus the NUL: 32 bytes

  address   |   values
------------+-------------------------------------------------------------------
            |   +--------------------------- a ------------------------------+
0xffffd4dc: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
0xffffd4e4: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
            |   +------------------------------------------------------------+
            |   +------------------------------------------------------------+
0xffffd4ec: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
0xffffd4f4: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x00 |
            |   +------------------------------------------------------------+
  ...       |    ...

The memory after a is overwritten: the 15 extra 'A' bytes and the NUL land in the second variable, and "SuperPassword!!" is gone. strcpy() never looked at the size of a; it simply kept copying until it reached the end of the source string.

This happens whenever a program uses a dangerous function (strcpy, strcat, gets, sprintf, scanf with a bare %s, ...) or any other method to store data, most often user input, into a stack buffer without checking that it fits. That is a stack buffer overflow, and overwriting a neighbouring variable is its simplest consequence.
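The two scenarios above (15 'A' that fit, 31 'A' that spill into the neighbour) as an added, runnable example; this is not code from the original page. The two buffers are placed in a struct so that their adjacency is guaranteed (the C standard fixes struct field order, whereas a compiler is free to reorder or pad separate stack locals), unsafe_copy() reproduces strcpy()'s behaviour of copying until the NUL, and bounded_copy() shows the fix. The field name password and all function names are assumptions for illustration. Compile with gcc -O0 -o overwrite overwrite.c and run it; the dump shows the same 0x41 / 0x00 bytes as the diagrams.

```c
#include <stdio.h>
#include <string.h>

/* Two 16-byte buffers laid out back to back, mirroring the diagram above.
   They live in a struct rather than as two separate locals because the C
   standard guarantees struct field order; a compiler may reorder locals. */
struct frame {
    char a[16];
    char password[16];   /* the neighbouring variable (name is an assumption) */
};

/* Unbounded copy with exactly strcpy()'s behaviour: copy until the NUL,
   no matter how big the destination is. This is the vulnerable primitive. */
static void unsafe_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Bounded counterpart: writes at most dstsz bytes and always NUL-terminates.
   Returns 1 if the source had to be truncated, 0 otherwise. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Set the frame up as in the diagram ("SuperPassword!!" in the second
   variable), then copy input into a with no size check. Returns how many
   bytes, NUL included, landed beyond the end of a (0 if everything fit). */
size_t overflow_into_neighbor(struct frame *f, const char *input)
{
    memset(f, 0, sizeof *f);
    strcpy(f->password, "SuperPassword!!");   /* 15 chars + NUL = 16 bytes */
    unsafe_copy(f->a, input);                 /* no bounds check: vulnerable */

    size_t written = strlen(input) + 1;       /* bytes written, NUL included */
    return written > sizeof f->a ? written - sizeof f->a : 0;
}

/* Same setup, but with the bounded copy. Returns 1 if input was truncated. */
int safe_copy_into_frame(struct frame *f, const char *input)
{
    memset(f, 0, sizeof *f);
    strcpy(f->password, "SuperPassword!!");
    return bounded_copy(f->a, sizeof f->a, input);
}

/* Dump the 32 bytes of the frame, 8 per row, like the diagram. */
static void dump(const struct frame *f)
{
    const unsigned char *p = (const unsigned char *)f;
    for (size_t i = 0; i < sizeof *f; i++)
        printf("%02x%s", p[i], (i % 8 == 7) ? "\n" : " ");
}

int main(void)
{
    struct frame f;
    const char *fits = "AAAAAAAAAAAAAAA";                      /* 15 A */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 31 A */

    overflow_into_neighbor(&f, fits);
    printf("15 A -> password = \"%s\"\n", f.password);
    dump(&f);

    overflow_into_neighbor(&f, too_long);
    printf("31 A -> password = \"%s\"\n", f.password);
    dump(&f);

    safe_copy_into_frame(&f, too_long);
    printf("31 A, bounded -> password = \"%s\"\n", f.password);
    return 0;
}
```

Two things worth noticing when you run it: after the 31-byte copy, a holds 16 'A' with no terminator at all (the NUL went into the neighbour), so strlen(a) would read straight through into password; and the bounded version loses data silently unless the caller checks the truncation flag, which is why real code should report or reject oversized input rather than just clip it.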
