Introduction to Computer Systems Buffer Overflow

Buffer Overflow

Processes in Memory

Standard Linux Memory Layout

Empirical Analysis (MacOS)

Allocate all the things:


#include <stdio.h>
#include <stdlib.h>

char big_array[1L << 24];  // 16 MB, uninitialised global
char huge_array[1L << 31]; // 2 GB, uninitialised global
int global = 0;


int useless()
{
    return 0;
}


int main()
{
    void *p1, *p2, *p3, *p4;
    int local = 0;

    p1 = malloc(1L << 28); // 256 MB
    p2 = malloc(1L << 8);  // 256 B
    p3 = malloc(1L << 32); // 4 GB
    p4 = malloc(1L << 8);  // 256 B

    // print one address from each region: heap blocks, a stack variable,
    // globals, and a function
    printf("p1 (256 MB) %14p\n", p1);
    printf("p2 (256 B)  %14p\n", p2);
    printf("p3 (4 GB)   %14p\n", p3);
    printf("p4 (256 B)  %14p\n", p4);
    printf("local       %14p\n", (void *)&local);
    printf("global      %14p\n", (void *)&global);
    printf("big_array   %14p\n", (void *)big_array);
    printf("huge_array  %14p\n", (void *)huge_array);
    printf("useless()   %14p\n", (void *)useless);
    return 0;
}
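The program above prints raw addresses and leaves the reader to sort them by hand. The following is an added example, not part of the lecture's code: it takes one address from each region (text, data, bss, a small brk-heap block, a large mmap-served block, a stack local), sorts them the way a memory map is drawn, and checks the ordering the "standard Linux layout" slide predicts. The probe names (bss_array, data_var, code_fn) and the x86-64 Linux assumptions are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One constructed probe per region of the layout the lecture describes. */
static char bss_array[1 << 20];                 /* uninitialised global -> .bss  */
static int  data_var = 42;                      /* initialised global   -> .data */
static int  code_fn(void) { return data_var; }  /* a function           -> .text */

struct probe {
    const char *region;
    uintptr_t   addr;
};

#define NPROBES 6

/* qsort comparator: highest address first, the way a memory map is drawn. */
static int by_addr_desc(const void *a, const void *b)
{
    uintptr_t x = ((const struct probe *)a)->addr;
    uintptr_t y = ((const struct probe *)b)->addr;
    return (x < y) - (x > y);
}

/* Takes the address of one object from every region and returns them in
   out[], sorted from the highest address down. small_heap and big_heap are
   blocks the caller got from malloc (64 B and 256 MB in main below; glibc
   normally serves the large one with mmap rather than brk, so it lands
   in a different place than the small one). */
void map_regions(struct probe out[NPROBES], void *small_heap, void *big_heap)
{
    int local = 0;                                   /* lives on the stack */
    struct probe p[NPROBES] = {
        { "stack  (local)",        (uintptr_t)&local },
        { "heap   (mmap, 256 MB)", (uintptr_t)big_heap },
        { "heap   (brk, 64 B)",    (uintptr_t)small_heap },
        { ".bss   (bss_array)",    (uintptr_t)bss_array },
        { ".data  (data_var)",     (uintptr_t)&data_var },
        { ".text  (code_fn)",      (uintptr_t)(void *)code_fn },
    };
    qsort(p, NPROBES, sizeof p[0], by_addr_desc);
    for (int i = 0; i < NPROBES; i++)
        out[i] = p[i];
}

/* Returns 1 when this process shows text < data < bss < brk heap < stack,
   the ordering the standard Linux layout predicts (assumed x86-64 Linux;
   the lecture's macOS run shows the same ordering). */
int layout_is_ordered(void)
{
    int local = 0;
    void *small = malloc(64);
    if (small == NULL)
        return 0;
    uintptr_t text  = (uintptr_t)(void *)code_fn;
    uintptr_t data  = (uintptr_t)&data_var;
    uintptr_t bss   = (uintptr_t)bss_array;
    uintptr_t heap  = (uintptr_t)small;
    uintptr_t stack = (uintptr_t)&local;
    int ok = text < data && data < bss && bss < heap && heap < stack;
    free(small);
    return ok;
}

int main(void)
{
    void *small = malloc(64);
    void *big   = malloc(1 << 28);
    struct probe m[NPROBES];
    map_regions(m, small, big);
    for (int i = 0; i < NPROBES; i++)
        printf("%-22s 0x%016lx\n", m[i].region, (unsigned long)m[i].addr);
    printf("ordered as the standard layout predicts: %s\n",
           layout_is_ordered() ? "yes" : "no");
    free(small);
    free(big);
    return 0;
}
```

Run it a few times: with ASLR the absolute numbers change between runs but the relative order of the regions does not, which is the point the lecture's experiment makes.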

Analysis:


Buffer Overflow

Simple Example


#include <stdio.h>

typedef struct
{
    int a[2];
    double d;
} struct_t;


// Writing a[i] for i >= 2 runs past the array: first into the bytes of d,
// then past the end of the struct into the rest of the stack frame.
double fun(int i)
{
    volatile struct_t s;
    s.d = 3.14;
    s.a[i] = 1073741824; // 0x40000000

    return s.d;
}


int main()
{
    for (int i = 0; i < 10; i++)
    {
        printf("fun(%d) = %f\n", i, fun(i));
    }
}

Output:


fun(0) = 3.140000
fun(1) = 3.140000
fun(2) = 3.140000
fun(3) = 2.000001
fun(4) = 3.140000
fun(5) = 3.140000
Segmentation fault: 11

Analysis
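An added example (not the lecture's code) that accounts for the output above. In struct_t the two ints occupy bytes 0..7 and the double occupies bytes 8..15, so a[2] aliases the low 32 bits of d and a[3] the high 32 bits (little-endian host assumed, which is what the lecture's run shows). simulate_overwrite reproduces that single write on a copy of the bit pattern without touching memory it does not own, so the exact result can be inspected; fun_checked is the same function with the index check that makes the overflow impossible. The names simulate_overwrite, double_bits and fun_checked are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit pattern of a double, for exact comparison instead of printf rounding. */
uint64_t double_bits(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits;
}

/* Reproduces what fun(i) does to d for i = 2 and 3: a[2] overlays the low
   32-bit half of d and a[3] the high half (little-endian assumed).  i = 0, 1
   stay inside a[] and leave d alone; i >= 4 is past the whole struct and is
   not modelled here (that is where the segfault in the output comes from). */
double simulate_overwrite(double d, int i, int value)
{
    uint32_t halves[2];
    memcpy(halves, &d, sizeof halves);
    if (i == 2 || i == 3)
        halves[i - 2] = (uint32_t)value;   /* the one write fun() performs */
    memcpy(&d, halves, sizeof d);
    return d;
}

/* fun() with the index validated against the array bound.  Returns 1 and
   stores the result through out when i is in range, 0 otherwise; out may be
   NULL when the caller only wants the status. */
int fun_checked(int i, double *out)
{
    struct { int a[2]; double d; } s = { {0, 0}, 3.14 };
    if (i < 0 || i >= 2)
        return 0;
    s.a[i] = 1073741824;
    if (out != NULL)
        *out = s.d;
    return 1;
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        double r = simulate_overwrite(3.14, i, 1073741824);
        printf("fun(%d) -> %.16g  (bits 0x%016llx)\n", i, r,
               (unsigned long long)double_bits(r));
    }
    return 0;
}
```

With %.16g the i = 2 case prints 3.139999866485596 and i = 3 prints 2.000000610351562, which the lecture's %f output rounds to 3.140000 and 2.000001: a[3] replaced the exponent and top mantissa bits of d with 0x40000000 (the encoding of 2.0), and the leftover low bits of 3.14 supply the 6.1e-7.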

Who cares?

String Library Exploit


#include <stdio.h>

// Re-implementation of the C library's gets(): reads until newline or EOF
char *gets(char *dest)
{
    int c = getchar();
    char *p = dest;

    while(c != EOF && c != '\n')
    {
        *p++ = c;   // no check that p is still inside dest
        c = getchar();
    }

    *p = '\0';


    return dest;
} //Nothing prevents user from typing more than what dest holds


//exploit
void echo ()
{
    char buf[4]; //Too Small!
    printf("Type a String!");
    ...
}

void callEcho()
{
    echo();
}
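The fix for the gets()/echo() pair above is a bound that travels with the buffer. The following is an added example, not the lecture's code: bounded_gets is the lecture's gets() loop with a capacity parameter, reading from a constructed input string (a stand-in for stdin so it can be tested offline), and echo_safe is echo() written with fgets(), which takes the buffer size. The function names and the sample input are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* The lecture's gets() loop with the one thing it lacks: a capacity for dest.
   `input` is a constructed stand-in for stdin.  Copies up to the newline or
   end of input, never more than cap-1 characters, and always NUL-terminates.
   Returns the full length of the line in the input, so a return value >= cap
   tells the caller the line was truncated. */
size_t bounded_gets(char *dest, size_t cap, const char *input)
{
    size_t line_len = 0;    /* characters in the line, written or not */
    size_t written  = 0;

    if (cap == 0)
        return 0;
    for (const char *p = input; *p != '\0' && *p != '\n'; p++, line_len++) {
        if (written < cap - 1)      /* the bounds check gets() cannot make */
            dest[written++] = *p;
    }
    dest[written] = '\0';
    return line_len;
}

/* echo() as it should be written: fgets() is told sizeof buf, so a line
   longer than the buffer is read in pieces instead of being written past
   the end of buf. */
void echo_safe(void)
{
    char buf[4];
    printf("Type a String!");
    if (fgets(buf, sizeof buf, stdin) != NULL)
        fputs(buf, stdout);
}

int main(void)
{
    char buf[4];    /* same too-small buffer as echo() */
    size_t need = bounded_gets(buf, sizeof buf, "hello world\n"); /* constructed input */
    printf("kept \"%s\", line was %zu chars%s\n", buf, need,
           need >= sizeof buf ? " (truncated)" : "");
    return 0;
}
```

The return value matters: silently truncating is safer than overflowing, but a caller that needs the whole line should detect need >= cap and either reject the input or read into a larger buffer.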