# Basics

With a buffer overflow, it is possible to overwrite values on the stack. The most popular beginner challenges aim at overwriting the value of another variable.

## How it works?

Each variable stored on the stack needs a fixed amount of space allocated to it, which depends on the variable declaration. Here are some examples (sizes for a 64-bit Linux target; `long` is 4 bytes on 32-bit):

* `int a;` --> Will allocate 4 bytes
* `char a;` --> Will allocate 1 byte
* `char a[16];` --> Will allocate 16 bytes
* `long a;` --> Will allocate 8 bytes
* etc.

{% hint style="info" %}
A variable name is in fact just a label for an address in memory, here on the stack.
{% endhint %}

When data is written into a variable, it is stored starting at that address and continues for the length of the data, regardless of the size that was allocated for the variable:

```c
char a[16];
strcpy(a, "AAAAAAAAAAAAAAA"); // writes 15 'A' plus the terminating NUL: 16 bytes
```

The program reserves 16 bytes for `a` on the stack, and `a` refers to the start of that region (for example `0xffffd4dc`).

The 15 `A` bytes (`0x41`) are then written starting at this address, followed by the NUL terminator (`0x00`):

```
  address   |   values
------------+-------------------------------------------------------------------
            |   +--------------------------- a ------------------------------+
0xffffd4dc: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
0xffffd4e4: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x00 |
            |   +------------------------------------------------------------+
            |   +------------------------------------------------------------+
0xffffd4ec: |   | 0x53  0x75    0x70    0x65    0x72    0x50    0x61    0x73 |
0xffffd4f4: |   | 0x73  0x77    0x6f    0x72    0x64    0x21    0x21    0x00 |
            |   +------------------------------------------------------------+
  ...       |    ...
```

But what happens if more than 16 bytes are written?

```c
char a[16];
strcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); // writes 31 'A' plus NUL: 32 bytes into a 16-byte buffer
```

```
  address   |   values
------------+-------------------------------------------------------------------
            |   +--------------------------- a ------------------------------+
0xffffd4dc: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
0xffffd4e4: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
            |   +------------------------------------------------------------+
            |   +------------------------------------------------------------+
0xffffd4ec: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x41 |
0xffffd4f4: |   | 0x41  0x41    0x41    0x41    0x41    0x41    0x41    0x00 |
            |   +------------------------------------------------------------+
  ...       |    ...
```

{% hint style="success" %}
The data stored after the space of `a` (here the neighbouring variable) is overwritten.
{% endhint %}

A buffer overflow can occur whenever the program uses a [dangerous function](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/dangerous-functions) or any other method to store data (most of the time user input) on the stack without any size control.
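As an added example (not code from the original page), the following C program models the two adjacent stack variables of the diagrams above as one 32-byte frame, so the 31-byte `strcpy` overflow is reproduced deterministically and compared with a bounded copy. The frame layout (`a` at offsets 0..15, the neighbour at 16..31) and the neighbouring value `SuperPassword!!` are assumptions taken from the diagrams.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the stack region from the diagrams:
 * offsets 0..15 hold char a[16], offsets 16..31 hold the neighbouring
 * variable. Copying into a byte array keeps the demonstration well-defined. */
#define A_SIZE     16
#define FRAME_SIZE 32
static const char NEIGHBOUR[16] = "SuperPassword!!";   /* 15 chars + NUL */

/* Behaves like strcpy(a, input): copies until the NUL, ignoring A_SIZE.
 * The clamp to FRAME_SIZE only keeps the model itself in bounds. */
static size_t copy_unchecked(unsigned char *frame, const char *input) {
    size_t i = 0;
    while (input[i] != '\0' && i < FRAME_SIZE - 1) {
        frame[i] = (unsigned char)input[i];
        i++;
    }
    frame[i] = '\0';
    return i + 1;                     /* bytes written, NUL included */
}

/* The fix: never writes past a[A_SIZE - 1] and always NUL-terminates. */
static size_t copy_bounded(unsigned char *frame, const char *input) {
    size_t n = strlen(input);
    if (n > A_SIZE - 1) n = A_SIZE - 1;   /* truncate to 15 chars + NUL */
    memcpy(frame, input, n);
    frame[n] = '\0';
    return n + 1;
}

/* Runs one copy into a fresh frame; returns 1 if the neighbour survived. */
static int neighbour_intact(size_t (*copy)(unsigned char *, const char *),
                            const char *input) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    memcpy(frame + A_SIZE, NEIGHBOUR, sizeof NEIGHBOUR);
    copy(frame, input);
    return memcmp(frame + A_SIZE, NEIGHBOUR, sizeof NEIGHBOUR) == 0;
}

/* Bytes a copy writes into a fresh frame (anything above A_SIZE overflowed). */
static size_t bytes_written(size_t (*copy)(unsigned char *, const char *),
                            const char *input) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    return copy(frame, input);
}

int main(void) {
    const char *fifteen = "AAAAAAAAAAAAAAA";                           /* 15 A */
    const char *thirty_one = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "A"; /* 31 A */
    printf("15 A unchecked: %zu bytes, neighbour intact=%d\n",
           bytes_written(copy_unchecked, fifteen), neighbour_intact(copy_unchecked, fifteen));
    printf("31 A unchecked: %zu bytes, neighbour intact=%d\n",
           bytes_written(copy_unchecked, thirty_one), neighbour_intact(copy_unchecked, thirty_one));
    printf("31 A bounded  : %zu bytes, neighbour intact=%d\n",
           bytes_written(copy_bounded, thirty_one), neighbour_intact(copy_bounded, thirty_one));
    return 0;
}
```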
