# Basics With a buffer overflow, it's possible to overwrite values into the stack. The most popular beginner challenge aim to overwrite a value of another variable. ## How it works ? Each variables stored into the stack need have a fix allocated space into it depending on the variable declaration, here is some examples : * `int a;` --> Will allocate 4 bytes * `char a;` --> Will allocate 1 byte * `char a[16];` -->Wil allocate 16 bytes * `long a;` --> Will allocate 8 bytes * etc. {% hint style="info" %} All defined variables are in fact pointers to a position in memory, here into the stack. {% endhint %} When a data is written into a variable, the data is written from the pointed address to the end of the variable length ```c char a[16]; strcpy(a, "AAAAAAAAAAAAAAA"); // write 15 A ``` The process will allocate 16 bytes onto the stack and return the pointers ( ex: `0xffffd4dc`) And then the 15 `A` will be write from this address ``` address | values ------------+------------------------------------------------------------------- | +--------------------------- a ------------------------------+ 0xffffd4dc: | | 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 | 0xffffd4e4: | | 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x00 | | +------------------------------------------------------------+ | +------------------------------------------------------------+ 0xffffd4ec: | | 0x53 0x75 0x70 0x65 0x72 0x50 0x61 0x73 | 0xffffd4f4: | | 0x73 0x77 0x6f 0x72 0x64 0x21 0x21 0x00 | | +------------------------------------------------------------+ ... | ... ``` But what happens if more than 16 bytes will be written ? ```c char a[16]; strcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); // write 31 A ``` ``` address | values ------------+------------------------------------------------------------------- | +--------------------------- a ------------------------------+ 0xffffd4dc: | | 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 | 0xffffd4e4: | | 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 | | +------------------------------------------------------------+ | +------------------------------------------------------------+ 0xffffd4ec: | | 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 | 0xffffd4f4: | | 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x00 | | +------------------------------------------------------------+ ... | ... ``` {% hint style="success" %} The data after the `a` space are overwritten {% endhint %} This can happen when the program use a [dangerous function](/pwn/stack-exploitation/format-string/dangerous-functions.md) or any other method to store data (most of the time user input) into the stack without any size control a buffer overflow can occur. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.ctfrecipes.com/pwn/stack-exploitation/stack-buffer-overflow/basics.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.