Stack overflow is a type of buffer overflow vulnerability. When we pour more water into a glass than its capacity, the water spills or overflows; similarly, when we enter more data into a buffer than its capacity, the data overflows into adjacent memory locations, causing the program to crash or misbehave. This is known as a buffer overflow.
Stack overflow is an old vulnerability. We will see this vulnerability in the C and C++ languages, because these languages let us use pointers freely. An attacker can use this vulnerability to exploit the system. To understand stack overflow we need to understand what happens in the background, on the stack, when a program executes.
A stack is a LIFO (Last In First Out) data structure. It supports two operations, PUSH and POP. To place a value on the stack we use the PUSH operation and to remove a value from the stack we use the POP operation. When a program is compiled, its memory is divided into five segments: text, data, bss, heap and stack. The text segment stores the machine language (assembly) instructions.
The data segment is used to store initialized global and static variables, and the bss segment is used to store uninitialized global and static variables. The heap segment is used to dynamically allocate memory.
The stack segment is used as temporary storage for a function's local variables when the function is called. Stack overflow is concerned with this stack segment. On the x86 architecture the stack grows from high memory addresses to low memory addresses.
Different architectures have different memory layouts. A register, the Stack Pointer (ESP), tracks the top of the stack and changes whenever an item is pushed onto or popped from the stack. Another register, the Base Pointer (EBP), is used to address the local variables of the current function. The complete collection of a function's data on the stack is known as a stack frame. A stack frame is pushed onto the stack when a function is called and popped from the stack when its execution completes.
Here is a simple C program to understand this.

```c
#include <stdio.h>

/* sum() gets its own stack frame: a and b arrive as arguments, c is a local */
int sum(int a, int b)
{
    int c;
    c = a + b;
    return c;
}

int main(void)
{
    int a = 4, b = 5;
    int c = sum(a, b);      /* a frame for sum() is pushed here and popped on return */
    printf("Sum is : %d\n", c);
    return 0;
}
```
Now a program in which the overflow actually happens:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void check_user()
{
    char a = 'D';           /* flag that decides which message is printed */
    char buf[4];            /* 4 bytes, but 5 characters (plus NUL) are copied in */
    strcpy(buf, "AAAAA");   /* deliberate overflow: no bounds check, spills past buf */
    if (a == 'A')
    {
        printf("Correct password\n");
    }
    else
    {
        printf("Wrong password\n");
    }
}

int main()
{
    check_user();
    return 0;
}
```
In function check_user, to print "Correct password", a must be equal to 'A'. Using the strcpy function we have passed 5 characters while the size of the buffer is 4, so the extra character overflows and overwrites the value of a from 'D' to 'A'. Here is the stack frame of function check_user:
Modern compilers enable stack protection by default, which stops this overflow, so to test it on such a system add -fno-stack-protector to the compiler command line. We are able to overwrite the variable because of the strcpy() function: it performs no bounds checking, meaning it does not compare the size of the data being copied against the size of the destination buffer.