• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 353
  • Last Modified:

How can Buffer Overruns be exploited for Code Execution


I just wanted to know how Buffer Overruns may be exploited for code exection...

For example:

void myMethod(char * pStr) {
    char pBuff[10];
    int nCount = 0;
    strcpy(pBuff, pStr);

void foo()


If I overrun the pBuff[] array, how can i cause code to be exeucuted which as ppl say is why BO's are dangerous?

I'm just askign for a technical discussion on this as to how the function foo() might be executed when the pBuff is BO'd...

This has been taken from:
2 Solutions
Kent OlsenData Warehouse Architect / DBACommented:

Hi Rasys,

Without giving too much away, Buffer Overruns are particularly dangerous where the code and data are placed in the same "block".

Given your function:

void myMethod(char * pStr) {
    char pBuff[10];
    int nCount

    nCount = 0;
    strcpy(pBuff, pStr);

Build this into a complete program, dump the resulting binary, and if pBuff[] is positioned immediately before the statements "nCount = 0" then all you have to do is overrun pbuff with the correct binary data and you've accomplished a buffer overrun and can make the function do anything that you want.  You just need to be very proficient with assembly code and be able to plug in the correct codes.

Check out e.g. http://hack3rs.org/~shadown/Twister/papers/Intro%20to%20Win32%20Exploits.pdf ("Sergio Alvarez: Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow")
Nowdays you usually can't overwrite the code directly with the stack.  The stack is almost always in its own segment, and can't reach the code.

*But* the stack has both local variables and function return addresses.  This is an economical way to manage local variables and return addresses, as they naturally nest, BUT it has a downside.  If you overflow local variables, you'll smash the return address and then anything can happen.  

 If you overwrite the return address with random data, the program will return to some random address, 97% resulting in a program crash.

If you overwrite the local variabels with some known 4-byte value, the function will return to that address!  If you have the source code to the program you might be able to figure out the adderss of some interesting code inthe program that you could jump to.  Like a place that starts a sub-shell:  system("/bin/sh").

Or if you're really clever, you can overwrite the local variables with that same code "system("/bin/sh")", preceded by say 10 megabytes of NOP's.  Then you end it with an approximate return address.  The 10 megabytes of nIOP's gives you lots of slop-- any jump destination in that range will be close enough to fall into your code.

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Oh, and also http://www.phrack.org/phrack/49/P49-14 ("Smashing The Stack For Fun And Profit") as well as http://www.linuxfocus.org/English/March2003/article282.shtml#282lfindex11 ("Buffer overflow")
rasysAuthor Commented:
Hi all,

Thanx a lot for all your comments...They helped a lot.

Basically what i want is to demonstrate using a very basic example that using Buffer Overrun, one carry out code execution on a Windows based machine.

The first link posted by jkr didnt work so couldnt delve into that.
As posted by jkr :


this is indeed THE reference.

A lot depends on the way the software is written ... don't ever trust a user, check all user input, and of course check all buffer boundaries !! Always !
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now