Questions tagged [buffer-overflow]

A buffer overflow usually occurs when data is copied into a buffer without checking that the buffer has sufficient space, so the excess bytes overwrite whatever is stored in neighboring memory.

RAM is divided into memory cells, each capable of storing a single byte on its own. Applications store data of a given type either as a single object, as multiple objects in an array, or in dynamically allocated memory reached through a pointer. Problems usually arise when software developers write into arrays or pointer-addressed buffers without verifying that the destination buffer has adequate space for the data being copied.

#include <string.h>

char Target[10];
char Input[20];          // can hold up to 19 characters plus the terminating NUL
strcpy(Target, Input);   // 1st parameter: destination, 2nd parameter: source; strcpy performs no bounds check

The code listed above exhibits buffer-overflow corruption whenever Input holds more than 9 characters before its terminating NUL. If the coder does not validate the length of the source against the size of the destination, the surplus data is written into the adjacent memory cells, corrupting whatever contents are stored within them.

Such corruption can be devastating, since it undermines the integrity of the whole process and, through it, the system.

1483 questions
7 votes, 6 answers

Does strlen() in a strncmp() expression defeat the purpose of using strncmp() over strcmp()?

By my understanding, strcmp() (no 'n'), upon seeing a null character in either argument, immediately stops processing and returns a result. Therefore, if one of the arguments is known with 100% certainty to be null-terminated (e.g. it is a string…
cvp
7 votes, 2 answers

What is the difference between STATUS_STACK_BUFFER_OVERRUN and STATUS_STACK_OVERFLOW?

I just found out that there is a STATUS_STACK_BUFFER_OVERRUN and a STATUS_STACK_OVERFLOW. What's the difference between those 2? I just found Stack overflow (stack exhaustion) not the same as stack buffer overflow but either it doesn't explain it…
Tobias Langner
7 votes, 1 answer

Is snprintf or vsnprintf better, and how can I ensure I'm using them securely?

I decided to run a static analysis tool on some old code and I found a bunch of places where I'm using sprintf. The tool recommends replacing the calls with either vsnprintf or snprintf because sprintf doesn't do any sort of bounds checking for…
petFoo
6 votes, 1 answer

How to get information on a Buffer Overflow Exception in a mixed application?

In all WPF applications I develop there is a global exception handler subscribed to AppDomain.CurrentDomain.UnhandledException which logs everything it can find and then shows a dialog box telling the user to contact the author, where the log file is…
stijn
6 votes, 3 answers

Is there any way to bypass SSP (StackSmashing Protection)/Propolice?

After some research I haven't found any paper describing a method to do this (not even an unreliable one). It seems that SSP (StackSmashing Protection)/Propolice
Mistaqiu
6 votes, 0 answers

Why does buffer overflow on `read()` syscall result in `EFAULT` only in GDB?

Short story: I am writing a simple program in Assembly to simulate a buffer overflow. The buffer is simply a 512-byte allocation on the stack, and then the read() syscall is called with 4096 bytes from the stdin fd. The buffer overflow is working perfectly…
Ammar Faizi
6 votes, 1 answer

*** stack smashing detected ***: terminated Aborted (core dumped) Error only occurring sometimes?

I am completing a homework assignment (I can't post the code because of this), and I get this runtime error very infrequently: *** stack smashing detected ***: terminated Aborted (core dumped) When I run the executable again afterwards, everything works…
sine_nomine
6 votes, 1 answer

Simple Buffer overflow Exploit with shellcode doesn't work

I wrote a vulnerable C program and tried to exploit it, but it doesn't seem to work even though I copied other examples. I apologize if I included a lot of code. #include #include #include void hello(char *name){ char…
Eye Patch
6 votes, 1 answer

Runtime error: addition of unsigned offset

I was solving a question on Leetcode (Trapping Rain Water) and I wrote my solution, which had been tested on my local machine as well as on GeeksForGeeks, where it passed all TCs. The code is: int trap(vector& height) { int size =…
need_to_know_now
6 votes, 3 answers

How is the modified return address in a stack based buffer overflow attack approximated?

I understand that a typical stack based buffer overflow attack payload looks something like this: (return address) (return address) ... (return address) (return address) (return address) (return address) (NOP) (NOP) (NOP) (NOP) ... (NOP) …
pepsi
6 votes, 1 answer

read() - Check buffer boundaries if used in a loop including recursive loops

I have this code and ran it with Flawfinder, and I get this output on the read() functions: Check buffer boundaries if used in a loop including recursive loops Can anyone see the problem? #include void func(int fd) { char *buf; size_t…
6 votes, 5 answers

How to find place of buffer overflow and memory corruptions?

valgrind can't find anything useful. I'm confused. Symptoms: my data is corrupted by a malloc() call; the return address of my function is replaced with something wrong. PS: the code does NOT segfault. Currently I have some progress via replacing all my…
vitaly.v.ch
6 votes, 1 answer

Why will my buffer overflow exploit open a user shell only instead of a root shell?

I have been following a few tutorials on buffer overflow exploitation. But my problem is that I am not able to open a root shell; I always get a normal user shell instead. I have checked the following points. I re-verified the following items…
Zapho Oxx
6 votes, 2 answers

GDB throws error while stepping into at breakpoint

I am trying to follow a video tutorial on buffer overflow from this link, and below is the code which I am trying. #include GetInput() { char buffer[8]; gets(buffer); puts(buffer); } main() { GetInput(); …
TechJ
6 votes, 4 answers

Heap Overflow Attack

I am learning about heap overflow attacks and my textbook provides the following vulnerable C code: /* record type to allocate on heap */ typedef struct chunk { char inp[64]; /* vulnerable input buffer */ void (*process)(char *);…
tam5