Why Stack Overflows Can Be Dangerous?

Author: lionaneesh
This is an article on why stack overflows can be dangerous, with examples in C.
A stack is a Last In, First Out (LIFO) abstract data structure. The call stack is the main data structure used for function calls and local data management on most OS and CPU architectures, such as Intel x86.

Stack based Overflows

It happens when too much data is written onto the call stack, overwriting the data stored next to it.

The call stack is a limited amount of memory, often fixed when the program starts.

When a program writes more data into a stack buffer than the space available for it, the result is an overflow.

Why it is dangerous

It is dangerous because the call stack holds all our local data (declarations), including the buffers used for user input.

eg :-

if we declared
Code:
char pass[] = "I am the password!!!";
int i = 0;
char userInput[10];
Then the stack would look like :-
Code:
=============
| userInput |
-------------
| int i = 0 |
-------------
| char pass |
=============
Now if we overflow userInput, we also overwrite the int i with a value of our choosing. (Where each local variable is placed is up to the compiler; the diagram shows the layout this example relies on.) It will be clear when we see the exploit example.

Exploiting

Exploit :-

buggyProgram.c

Code:
#include <stdio.h>

int main()
{
	int i = 0;
	char userInput[10];
	printf("Please enter some data : ");
	gets(userInput); // deprecated (removed in C11); you will now see why it should never be used
	if (i == 0x31313131)
	{
		printf("You !!!! Just exploited me.. Aah! :( :'(\n");
	}
	return 0;
}
Compiling :-

We would be using gcc with the no-stack-protector flag so that the compiler's stack protector (a canary check) does not abort the program when the overwrite is detected.

Code:
aneesh@aneesh-laptop:~/articles/C$ gcc buggyProgram.c -fno-stack-protector -o buggyProgram
/tmp/ccORWe40.o: In function `main':
buggyProgram.c:(.text+0x26): warning: the `gets' function is dangerous and should not be used.
aneesh@aneesh-laptop:~/articles/C$
Let's exploit it now.

Let's create an attack string first :-

As we know, userInput is only 10 bytes long. So to exploit this we need to pass 10 bytes to fill it, followed by four '1' characters to overwrite the int i with the value the program checks for (0x31313131).

Attack string :-

Code:
[10 bytes garbage] + [4 * '1']
       |                 |
  for filling     for overwriting
  up userInput    the int variable
Now let's pass this to the program and see what happens.

Code:
aneesh@aneesh-laptop:~/articles/C$ ./buggyProgram
Please enter some data : AAAAAAAAAA1111
You !!!! Just exploited me.. Aah! :( :'(
And BooM!! We did it!!!
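The hardened counterpart of buggyProgram.c, added here as an example (it is not code from the original article): fgets() bounded by sizeof replaces gets(), so the same 14-byte input can no longer reach the int next to the buffer, and the read also reports when a line was too long, which is the condition a defender would want to log. The names check_flag, check_flag_from_string and line_was_truncated are this example's own; fmemopen() is used only so the behaviour can be checked on a constructed string without a terminal.

```c
#define _POSIX_C_SOURCE 200809L   /* declares fmemopen() */
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the article's buggyProgram: fgets() bounded by
 * sizeof never writes past userInput, so the neighbouring int i keeps its
 * value. Returns i after the read (-1 if no input); *truncated is set to 1
 * when the line was longer than the buffer, the sign of an over-long input. */
int check_flag(FILE *in, int *truncated)
{
    int i = 0;                /* the variable the article's input overwrote */
    char userInput[10];       /* same size as the article's buffer */

    *truncated = 0;
    if (fgets(userInput, sizeof userInput, in) == NULL)
        return -1;
    size_t len = strlen(userInput);
    if (len > 0 && userInput[len - 1] == '\n') {
        userInput[len - 1] = '\0'; /* whole line fit: drop the newline */
    } else {
        /* No newline: either EOF ended a short line or the line overran the
         * buffer. Drain the rest (so it is not read as the next input) and
         * flag the over-long case. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return i;                 /* still 0: the extra bytes never hit the stack */
}

/* Runs check_flag() on a constructed line via an in-memory FILE (fmemopen is
 * POSIX, not ISO C) so the behaviour can be checked without a terminal. */
int check_flag_from_string(const char *line, int *truncated)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return -1;
    int result = check_flag(in, truncated);
    fclose(in);
    return result;
}

/* 1 if the line would have overrun a gets()-style read of userInput[10]. */
int line_was_truncated(const char *line)
{
    int truncated = 0;
    check_flag_from_string(line, &truncated);
    return truncated;
}
```

Fed the article's own attack string "AAAAAAAAAA1111", check_flag_from_string() returns 0 (i untouched) and line_was_truncated() returns 1.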
lionaneesh:
Hey, thanks for accepting...
Yeah, and check your email please...
pankajchandel:
I am quite new to this forum, lots of new things to learn, although I am good at programming.
lionaneesh:
Quote:
Originally Posted by pankajchandel
I am quite new to this forum, lots of new things to learn, although I am good at programming.
Thanks, sir, and please read my other articles too!!