# Buffer Overflow Vulnerability ## **1. Introduction** Buffer overflow is a security vulnerability that occurs when a program writes more data to a buffer than it can hold, leading to unintended behavior, memory corruption, or even code execution by an attacker. Exploiting buffer overflows can allow attackers to gain control over a system by injecting malicious code. *** ## **2. Understanding Buffer Overflow** ### **How It Happens** * A buffer is a fixed-size memory storage area. * When a program writes data beyond the allocated buffer size, it overwrites adjacent memory locations. * This can lead to **program crashes, data corruption, or remote code execution**. ### **Types of Buffer Overflow** * **Stack-based Buffer Overflow**: Overflows occur in the call stack, overwriting return addresses. * **Heap-based Buffer Overflow**: Overflows occur in dynamically allocated memory (heap), affecting adjacent structures. *** ## **3. Exploiting a Buffer Overflow Vulnerability** ### **Step 1: Setting Up the Vulnerable Application** We'll use a simple C program that is vulnerable to buffer overflow: ```c #include #include void vulnerable_function(char *input) { char buffer[64]; strcpy(buffer, input); // No bounds checking printf("User input: %s\n", buffer); } int main(int argc, char *argv[]) { if (argc < 2) { printf("Usage: %s \n", argv[0]); return 1; } vulnerable_function(argv[1]); return 0; } ``` ### **Step 2: Compiling Without Protections** ```bash gcc -fno-stack-protector -z execstack -o vuln_program vuln.c ``` ### **Step 3: Finding the Overflow Point** Using **pattern generation** from Metasploit to identify offset: ```bash python3 -c 'print("A" * 100)' | ./vuln_program ``` ### **Step 4: Overwriting the Return Address** Find the exact offset where the program crashes and inject shellcode: ```bash python3 -c 'print("A" * 64 + "B" * 4 + "\x90" * 20 + "\xCC" * 20)' | ./vuln_program ``` * **NOP sled (\x90)** helps ensure smooth execution. * **\xCC (INT3)** helps debug execution flow. ### **Step 5: Injecting Shellcode** Replace **\xCC** with shellcode to spawn a shell: ```bash python3 -c 'print("A" * 64 + "B" * 4 + "\x90" * 20 + shellcode)' | ./vuln_program ``` *** ## **4. Impact of Buffer Overflow** * **System Compromise**: Attackers can execute arbitrary code. * **Denial of Service (DoS)**: Applications crash due to memory corruption. * **Privilege Escalation**: Attackers gain higher access rights. *** ## **5. Mitigation Strategies** * **Use Safe Functions**: Replace `strcpy` with `strncpy`. * **Enable Compiler Protections**: * `gcc -fstack-protector` (Stack protection) * `gcc -D_FORTIFY_SOURCE=2` (Buffer overflow detection) * **Address Space Layout Randomization (ASLR)**: * Randomizes memory addresses to prevent predictable overflows. * **Non-Executable Stack (DEP)**: * Prevents execution of injected shellcode. ***