Buffer -> A buffer is a memory region used by a running program to hold temporary data.
char .. -> This is where the buffer is declared; it is 20 chars/bytes.
Buffer Overflow -> A buffer overflow occurs when a running program writes data outside the bounds of the buffer.
The buffer for username is 20 bytes, so it is fine if the username length is less than 20 bytes. But if we enter more than 20 bytes, the program will crash.
Now let’s enter 50 bytes!
Now we don’t see the program exit normally; instead we get a Segmentation fault error.
This happened because we entered 30 extra bytes.
Segmentation fault (segfault) -> Error caused by accessing memory that does not belong to you.
gdb (GNU Project debugger) -> Allows you to see what is going on inside the program while it executes.
The input “atom” is less than 20 bytes, so the program exited normally. Now let’s input more than 20 bytes.
Now let’s input a hex value and look at the registers.
Register -> Register is a storage area inside the CPU.
We can see that most memory addresses are overwritten with 11.
Is a Buffer Overflow Dangerous?
A buffer overflow is dangerous when the vulnerable binary is SUID: for example, it can give us a root shell!
C functions vulnerable to buffer overflow
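The 20-byte username buffer from the notes, written out as an added example (not code from the original page): an unchecked strcpy() into the buffer beside a bounded copy that rejects input which does not fit. The function names are my own; BUF_SIZE is the 20 bytes the notes describe.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 20   /* the 20-byte username buffer from the notes */

/* Vulnerable pattern: strcpy() stops only at the input's NUL terminator,
 * so any input of 20 or more bytes writes past username[] and corrupts
 * the stack (the segfault seen with 50 bytes). Shown for contrast only. */
void vulnerable_read_username(const char *input) {
    char username[BUF_SIZE];
    strcpy(username, input);            /* no length check at all */
    printf("Hello, %s\n", username);
}

/* Hardened copy: refuses input that does not fit, NUL terminator included.
 * Returns 0 on success and -1 if the input is too long for dst. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)   /* need one byte for the NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void) {
    char username[BUF_SIZE];

    /* "atom": shorter than 20 bytes, accepted as in the notes */
    if (bounded_copy(username, sizeof username, "atom") == 0)
        printf("Hello, %s\n", username);

    /* constructed input: 50 'A's, the length that crashed the binary */
    char fifty[51];
    memset(fifty, 'A', 50);
    fifty[50] = '\0';
    printf("50 bytes: %s\n",
           bounded_copy(username, sizeof username, fifty) == 0
               ? "accepted" : "rejected (too long for a 20-byte buffer)");
    return 0;
}
```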
Ways To Print (n) “A” (one-liners)
Command output as argument
$ ./binary `cmd_here`
$ ./binary $(cmd_here)
Command output as input
$ cmd_here | ./binary
Use file as input
$ cmd_here > file
$ ./binary < file
Check if the binary is vulnerable
A segfault on oversized input indicates that the binary is vulnerable to buffer overflow.
Find out the size of the buffer (number of characters that overwrite the EIP)
Get memory address of a function
Program Memory (Segments)
A CPU stores data in big-endian or little-endian format, depending on the CPU architecture.
Big Endian -> The most significant byte of the data is placed at the byte with the lowest address.
Little Endian -> The least significant byte of the data is placed at the byte with the lowest address.
Big Endian -> 12 67 45 92
Little Endian -> 92 45 67 12
Ways to produce little-endian values in Python
CPU (Central Processing Unit) -> processes and executes instructions.
Memory address -> an exact location in RAM, used to track where information is stored.
32-bit or x86 or i686 or i386 -> A 32-bit CPU can address 2³² or 4,294,967,296 memory addresses.
64-bit or x86_64 -> A 64-bit CPU can address 2⁶⁴ or 18,446,744,073,709,551,616 memory addresses.
gdb cheat sheet
gdb -q ./binary -> load the binary in gdb (quiet mode)
set disassembly-flavor intel -> set the assembly syntax to Intel; it’s easier to read
info functions -> list the binary’s functions
disassemble Function/Address -> show the assembly code
break *Address -> set a breakpoint that stops the program at that address
x/Length-Format Address, e.g. x/40x $esp -> display the memory contents
r -> run binary
c -> continue execution
q -> exit gdb