Stack overflow is a type of buffer overflow vulnerability. When we pour more water into a glass than it can hold, the water spills over; similarly, when we write more data into a buffer than its capacity, the data overflows into adjacent memory locations and can crash the program. This is known as a stack overflow. Buffer overflow is an old vulnerability. We will look at it in C and C++, because these languages let us use pointers freely and do no bounds checking. An attacker can use this vulnerability to exploit the system. To understand stack overflow we first need to understand what happens in the background, on the stack, while a program executes.

Stack Overflow

A stack is a LIFO (Last In First Out) data structure. It supports two operations: PUSH and POP. To place a value on the stack we use the PUSH operation, and to remove a value from the stack we use the POP operation.

When a program is compiled its memory is divided into five segments: text, data, bss, heap and stack. The text segment stores the machine language (assembly) instructions. The data segment stores initialized global and static variables, and the bss segment stores uninitialized variables. The heap segment is used to dynamically allocate memory. The stack segment is used as temporary storage for a function's local variables while the function is called. Stack overflow is concerned with this stack segment. On the x86 architecture the stack grows from high memory addresses to low memory addresses. Different architectures have different memory layouts.

When a function with arguments is called by a caller function, first the parameters of the callee (called) function are pushed onto the stack from right to left. Then the return address is pushed onto the stack. After the callee's execution completes, this return address tells the CPU where to continue execution in the caller. Then the local variables are pushed onto the stack.

A register, the Stack Pointer (ESP), tracks the top of the stack and changes whenever an item is pushed onto or popped from the stack. Another register, the Base Pointer (EBP), is used to address the local variables of the function. This complete collection of data for one function call is known as a stack frame. A stack frame is pushed onto the stack when a function is called and popped from the stack when its execution completes.

Here is a simple C program to understand this.

```c
#include <stdio.h>

/* Called function: its parameters, return address and local c get a stack frame */
int sum(int a, int b)
{
    int c;
    c = a + b;
    return c;
}

int main(void)
{
    int a = 4, b = 5;
    int c = sum(a, b);
    printf("Sum is : %d\n", c);
    return 0;
}
```

Now let's understand stack buffer overflow with a simple example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies 5 bytes plus the terminating NUL
   into a 4-byte buffer, so the extra bytes spill into the neighbouring
   variable a (whether a sits directly above buf depends on the compiler's
   frame layout). */
void check_user(void)
{
    char a = 'D';
    char buf[4];
    strcpy(buf, "AAAAA");
    if (a == 'A') {
        printf("Correct password\n");
    } else {
        printf("Wrong password\n");
    }
}

int main(void)
{
    check_user();
    return 0;
}
```

In the function check_user, to print "Correct password" the variable a must be equal to 'A'. Using strcpy we pass 5 characters while the size of buf is 4, so the extra characters overflow the buffer and overwrite the value of a from 'D' to 'A'.

Here is the stack frame of the function check_user:

(figure: stack frame of check_user, not reproduced)

Modern compilers enable stack protection by default, so to test this on a system add -fno-stack-protector to the compiler command. The code was compiled and run on Ubuntu 18.04. Note that the exact variable layout inside the frame is chosen by the compiler, so on a different compiler or optimization level the overflow may land elsewhere and the output can differ.

We are able to overwrite the variable a because of the strcpy() function. It does no bounds checking: it never checks the size of the data being copied against the size of the destination buffer.

References:

- Hacking: The Art of Exploitation
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes
- Buffer Overflow Attacks: Detect, Exploit, Prevent

Originally posted at Programmercave
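For comparison with the vulnerable check_user() above, here is an added example (not from the original post) of the same function hardened with a bounded copy: the helper name bounded_copy, the function name check_user_safe and the result codes are assumptions chosen for this example. Because the copy refuses any input that does not fit in buf together with its terminator, the neighbouring variable a can no longer be overwritten, and the over-long "AAAAA" input is rejected instead of flipping the check.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4

/* Result codes for the hardened check (names constructed for this example). */
enum check_result { CHECK_WRONG = 0, CHECK_CORRECT = 1, CHECK_REJECTED = -1 };

/* Copy src into dst only if it fits, terminator included. Never writes past
   dst_size bytes. Returns 1 on success, 0 if src is too long for dst. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    /* Look for the NUL terminator within the first dst_size bytes only */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return 0;                        /* no room for string + NUL */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 1;
}

/* Hardened counterpart of the page's check_user(): same locals (a next to
   buf), but the copy is bounded, so a keeps its value 'D' for any input. */
int check_user_safe(const char *input)
{
    char a = 'D';
    char buf[BUF_SIZE];

    if (!bounded_copy(buf, sizeof buf, input))
        return CHECK_REJECTED;           /* longer than buf: refuse it */
    if (a == 'A')
        return CHECK_CORRECT;            /* unreachable without corruption */
    return CHECK_WRONG;
}

int main(void)
{
    /* Constructed sample inputs: one that fits and the page's 5-byte one */
    const char *inputs[] = { "AAA", "AAAAA" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = check_user_safe(inputs[i]);
        printf("%-6s -> %s\n", inputs[i],
               r == CHECK_REJECTED ? "rejected (too long for buf)" :
               r == CHECK_CORRECT  ? "Correct password" : "Wrong password");
    }
    return 0;
}
```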