Sunday, 3 February 2013

How Overflows Work

As mentioned before, buffer overflows exploit poorly written code,
specifically code that does not perform bounds checking when copying
values into arrays. Let us expand the code in the first section to include
a simple overflow:
#include <string.h>

/* Vulnerable: str is copied into a 100-byte buffer with no bounds check. */
void doSomething(char *str) {
    char buffer[100];
    strcpy(buffer, str);
}

int main(void) {
    char large_string[256];
    int i;
    /* 255 'A's plus a terminating NUL: 256 bytes for strcpy to copy. */
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';
    doSomething(large_string);
    return 0;
}


The last line of doSomething copies everything from str into buffer
without first checking that the string, including its terminating NUL,
fits in the 100 bytes available. strcpy stops only when it reaches a NUL
byte, so when 256 bytes are copied into the 100-byte buffer the extra 156
bytes are written straight over whatever lies above the buffer on the
stack: the saved frame pointer, the saved return address and the start of
the caller's frame.
In the above example the stack looks like this (32-bit x86, lowest
address first; the stack grows towards lower addresses, so the saved
registers sit above the buffer):

buffer                         100 bytes   (offset 0)
Saved Frame Pointer              4 bytes   (offset 100)
Saved Instruction Pointer        4 bytes   (offset 104)

This layout assumes the compiler adds no padding or stack protector
(canary) between buffer and the saved registers, and that pointers are 4
bytes. On a 64-bit build or with a canary enabled the saved instruction
pointer lands further from the buffer, so the offset has to be measured
in a debugger rather than assumed.


Our target is to write shellcode into the 100-byte buffer and overwrite
the saved instruction pointer (start of buffer + 104 bytes) with the
address of that shellcode. When doSomething returns, the CPU pops the
saved instruction pointer to decide where to continue execution; it now
holds the address of the beginning of the shellcode, which is executed
instead of the code that called doSomething. Because strcpy stops at the
first NUL byte, the address written at offset 104 must not contain a zero
byte, or the copy is cut short before the overwrite is complete.
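To make those offsets concrete, here is an added example (my own code, not from the original post) that models doSomething's frame as a plain array so the copy can be watched without crashing anything. The 100/4/4 layout is the one described above; the sentinel addresses, the NOP filler standing in for shellcode, the payload builder and the bounds-checked doSomethingSafe are all my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout as described above: 32-bit x86, no padding, no stack
 * protector. Offsets are measured from the start of buffer. */
#define BUF_SIZE   100
#define SFP_OFFSET BUF_SIZE         /* saved frame pointer: bytes 100..103 */
#define RET_OFFSET (BUF_SIZE + 4)   /* saved instruction pointer: bytes 104..107 */
#define MODEL_SIZE 512              /* the model also covers the caller's frame */

/* Made-up sentinel values for the saved registers (not from the page). */
#define SENTINEL_FP 0xbffff800u
#define SENTINEL_IP 0x08048456u

/* A model of the stack memory starting at buffer. It is an ordinary array,
 * so we can see where copied bytes land without corrupting this program. */
typedef struct {
    unsigned char mem[MODEL_SIZE];
} stack_model;

static void stack_model_init(stack_model *m, uint32_t saved_fp, uint32_t saved_ip) {
    memset(m->mem, 0, sizeof m->mem);
    memcpy(m->mem + SFP_OFFSET, &saved_fp, 4);  /* host byte order, as the CPU stores it */
    memcpy(m->mem + RET_OFFSET, &saved_ip, 4);
}

/* Behaves like strcpy(buffer, str): copies the string plus its NUL to offset 0
 * and ignores BUF_SIZE entirely. Only the model's size bounds it, so the
 * example itself never overflows. Returns the number of bytes written. */
static size_t model_strcpy(stack_model *m, const char *str) {
    size_t n = strlen(str) + 1;
    if (n > sizeof m->mem)
        n = sizeof m->mem;
    memcpy(m->mem, str, n);
    return n;
}

static uint32_t model_saved_ip(const stack_model *m) {
    uint32_t v;
    memcpy(&v, m->mem + RET_OFFSET, 4);
    return v;
}

/* Fresh model frame, copy str the way strcpy would, report the saved IP slot. */
static uint32_t saved_ip_after_copy(const char *str) {
    stack_model m;
    stack_model_init(&m, SENTINEL_FP, SENTINEL_IP);
    model_strcpy(&m, str);
    return model_saved_ip(&m);
}

/* Build the payload the text describes: BUF_SIZE bytes for the shellcode,
 * 4 filler bytes over the saved frame pointer, then the 4-byte address at
 * which execution should continue. A NOP sled (0x90) stands in for real
 * shellcode. strcpy stops at the first NUL, so target must contain no zero
 * byte. out must hold RET_OFFSET + 5 bytes; returns the payload length. */
static size_t build_payload(char *out, size_t out_len, uint32_t target) {
    size_t total = RET_OFFSET + 4;
    if (out_len < total + 1)
        return 0;
    memset(out, 0x90, BUF_SIZE);            /* 0..99: shellcode placeholder */
    memset(out + SFP_OFFSET, 'B', 4);       /* 100..103: clobbers saved FP */
    memcpy(out + RET_OFFSET, &target, 4);   /* 104..107: new return address */
    out[total] = '\0';
    return total;
}

static uint32_t run_exploit_model(uint32_t target) {
    char payload[RET_OFFSET + 5];
    build_payload(payload, sizeof payload, target);
    return saved_ip_after_copy(payload);
}

/* The page's own input: 255 'A's followed by a NUL. */
static void make_page_input(char out[256]) {
    memset(out, 'A', 255);
    out[255] = '\0';
}

static uint32_t run_page_example_model(void) {
    char large_string[256];
    make_page_input(large_string);
    return saved_ip_after_copy(large_string);   /* "AAAA" lands in the saved IP */
}

/* Bounds-checked replacement for doSomething: refuses any string that does
 * not fit in buffer together with its NUL. Returns the length copied, or -1. */
static int doSomethingSafe(const char *str) {
    char buffer[BUF_SIZE];
    const char *nul = memchr(str, '\0', BUF_SIZE);
    if (nul == NULL)
        return -1;                              /* no terminator within 100 bytes */
    memcpy(buffer, str, (size_t)(nul - str) + 1);
    return (int)(nul - str);
}

static int run_page_example_safe(void) {
    char large_string[256];
    make_page_input(large_string);
    return doSomethingSafe(large_string);
}

int main(void) {
    printf("saved IP after crafted payload: 0x%08x\n", run_exploit_model(0xbffff7a0u));
    printf("saved IP after 255 x 'A':       0x%08x\n", run_page_example_model());
    printf("saved IP after \"hello\":         0x%08x\n", saved_ip_after_copy("hello"));
    printf("doSomethingSafe on 255 x 'A':   %d\n", run_page_example_safe());
    return 0;
}
```

Running it shows the crafted payload replacing the sentinel return address with the chosen target, the page's 255 'A's turning it into 0x41414141 (the "AAAA" value familiar from crash dumps), a short string leaving it untouched, and the bounds-checked version rejecting the long input. The model deliberately hard-codes the 104-byte offset; against a real binary that distance must be measured, since 64-bit pointers, alignment padding and a stack canary all move the saved instruction pointer.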

