Stack Overflow Vulnerability

Publish date: 2019-10-18
Tags: Hacking, Exploitation, C, Cpp

Stack overflow is a type of buffer overflow vulnerability. When we pour water in a glass more than its capacity the water spills or overflow, similarly when we enter data in a buffer more than its capacity the data overflows to adjacents memory location causing program to crash. This is know as buffer overflow.

Stack Overflow is an old vulnerability. We will see this vulnerabiltiy in the C or C++ languages, because in these languages we can use pointer freely. An attacker or hacker can use this vulnerability to exploit the system. To understand Stack Overflow we need to understand what happens in the background or in the stack when a program executes.

A Stack is a LIFO(Last In First Out) data structure. It support two operations PUSH and POP. To enter a value on the stack we use PUSH operation and to remove a value from the stack we use POP operation. When a program is compiled its memory is divided into five segements – text, data, bss, heap and stack. In text segment machine language instructions or assembly language instructions are stored. Data segment is used to store initialized global and static variables and bss segment is used to store uninitialized variables. Heap segment is used to dynamically allocate memory. Stack segment is used as temporary storage to store local function variable when the function is call. Stack overflow is concerned with this stack segment. In x86 Architecture stack grows from high memory address to low memory address. Different architectures have different memory layouts.

Memory Layout

When a function with arguments is called by a caller function, first the parameters in the callee function (or called function) are pushed onto the stack from right to left. Then the return address is pushed onto the stack. After the callee function’s execution is completed this return address jump to location at which to continue execution after the callee function is executed. Then local variables are pushed onto the stack. A register Stack Pointer (ESP) is used to track top of the stack and it changes when an item is pushed onto or poped from the stack. A register Base Pointer(EBP) is used to point to local variables of the function. This complete collection for a function on stack is known as Stack Frame. These stack frames are pushed onto the stack when a function is called and popped from the stack when its execution is completed. Here is a simple C program to understand this.

#include <stdio.h>

int sum(int a, int b)
{
      int c;
      c = a + b;
      return c;
}

void main()
{
    int a = 4, b = 5;
    int c = sum(a, b);    
    printf(Sum is : %d, c);
}

Stack Frame

Now lets understand stack buffer overflow with a simple example.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void check_user()
{
	char a = 'D';
	char buf[4];

	strcpy(buf, "AAAAA");
	
	if (a == 'A')
	{
		printf("Correct password\n");
	}
	else
	{
		printf("Wrong password\n");
	}
}	

int main()
{

	check_user();
	return 0;
}

Here is the stack frame of function check_user

Stack Frame

Modern systems doesn’t allow buffer-overflow, so to test it on a system add -fno-stack-protector with command while compiling.

Output

The code was compiled and run on Ubuntu 18.04.

We are able to overwrite variable because of function strcpy(). It doesn’t allow bound checking means it doesn’t check the size of the data being entered.

References: Hacking: The Art of Exploitation The Shellcoder′s Handbook: Discovering and Exploiting Security Holes Buffer Overflow Attacks: Detect, Exploit, Prevent

Tags: Hacking, Exploitation, C, Cpp