Binary Exploitation - Buffer Overflow Explained in Detail by 0xRick

Guys this is my article about buffer overflow
Hope you like it . Feedback is appreciated !

In the “Examining Buffer Overflows with gdb” section, when it says “return 0; And this is our return address” I think could cause confusion because some people could think 0 is the return address when actually it’s a value passed to the calling function. Aside from that it’s a pretty good explained article, nice work!

Yea I didn’t mean that it’s the actual address but yea I’m gonna edit that thanks for letting me notice
also thanks for the kind words glad that you liked it :slight_smile:

You might want to relook the memory segment layout. Also, it might be a good idea to explain heap grows towards higher memory address and stack grows towards lower memory address. It’s the fundamentals that confused people when they are starting out with exploit development. Keep writing!

I agree with you , I’m gonna add that. Thanks for your comment :slight_smile:

very good; just explain you compiled it in 32 bits, if Im right…

@Ahm3dH3sham . Very nice read. Coming from someone who just has an idea of what buffer flow is you were able to fill in the missing pieces in a clear and concise manner. I can’t wait for your next article.

yeah that’s right it was in 32 bit
Thanks for your feedback :slight_smile:

Thanks for the kind words , I’m really happy that my article was informative
Thanks again for your feedback :slight_smile:

Great article @Ahm3dH3sham it’s very clear for me. Thank you

Thanks ! :slight_smile:

Hi Ahm3dH3sham

First of all, thank you very much for this very thorough introduction to BOFs. If you don’t mind, I have a few questions which I am not 100% sure of. If you would be so kind as to help, I (and others I’m sure) will surely appreciate it:

1- You mentioned “A buffer overflow happens when the length of the data entered exceeds the buffer limit”.
In your program you used a char variable with a max of 20 characters, many programmers would just as well use a string variable which can apparently contain 2^32 characters (on 32 bit systems) and 2^64 (on 64 bit systems), even though many people say that 2^48 is more than enough characters needed for any circumstance.

So technically speaking, one should be able to BOF any string variable if you force more that 2^48 characters into the memory address right? Theoretically it makes sense, not sure if one can do it practically, and if that is the case one should be able to BOF literally any variable (string, char, array, integer etc) right?

2- You wrote in the protostar tutorial to execute more than 64 characters to the “buffer” variable, Your syntax for python was:

python -c “print (‘A’ * 65)” | ./stack0

Since there are two variable at play here at the moment (int modified & char buffer[64]), how exactly does the terminal determine which variable it writes to first (modified or buffer [64])? Because real life programs there will be hundreds of different variables coded into a program, does it start filling up from the first declared variable, then the second, then the third etc in such a linear sequence or is there a way to specify which variable exactly in residing memory you want to overflow?

3- Lastly, it’s great that one now can enter the second part of the if statement, in actual applications one would use this to call/bypass other functions to your advantage etc, but in reality one would want to get to shell as root. So obviously the program you’re exploiting should firstly have read, write and executing privileges as root, but now we want to tell the program “instead of going to the next variable, just launch a bash terminal”

One tutorial I watched online said you should enter a bunch of hexadecimal syntax into the debugger, but I have no idea how to tell python to launch a bash terminal in hexadecimal. Must the original program you are exploiting have the actual functionality to be able launch a shell, or would that be code you “force” into the program you are exploiting?

Sorry if these are stupid questions, but one cannot only rely on brute forcing and dated exploits in the industry, in the fast paced IT industry one should be able to write your own exploits. If there are other posts on the site which explains it in detail, I do apologise for missing them, since I’ve been on the site only a few weeks now and there is a LOT to take in. I just want to get the theory down before starting to attempt the practical on htb

I just want to thank you all beforehand for taking the time to read this message, any tutorials and videos and additional exercises recommendations (example as mentioned in your tutorial) would be highly appreciated.