{"id":17383402,"url":"https://github.com/meharehsaan/bufferoverflow","last_synced_at":"2025-08-03T01:33:03.894Z","repository":{"id":198753444,"uuid":"682384719","full_name":"meharehsaan/bufferoverflow","owner":"meharehsaan","description":"This repo educates developers about BOF vulnerabilities and provides practical solutions to prevent these risks. It equips developers with knowledge and tools to counter one of the most common security vulnerabilities.","archived":false,"fork":false,"pushed_at":"2024-05-23T17:56:34.000Z","size":567,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-09T02:22:17.587Z","etag":null,"topics":["bufferoverflow","hacking","pwntools","shellcode","stackoverflow"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/meharehsaan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-24T04:03:30.000Z","updated_at":"2024-05-23T17:56:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"e1fb43c0-2416-46b1-9db9-5ab4b8bee462","html_url":"https://github.com/meharehsaan/bufferoverflow","commit_stats":null,"previous_names":["meharehsaan/bufferoverflow"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/meharehsaan/bufferoverflow","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meharehsaan%2Fbufferoverflow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meharehsaan%2Fbufferoverflow/tags","releases_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meharehsaan%2Fbufferoverflow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meharehsaan%2Fbufferoverflow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/meharehsaan","download_url":"https://codeload.github.com/meharehsaan/bufferoverflow/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/meharehsaan%2Fbufferoverflow/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268484054,"owners_count":24257634,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-02T02:00:12.353Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bufferoverflow","hacking","pwntools","shellcode","stackoverflow"],"created_at":"2024-10-16T07:41:30.933Z","updated_at":"2025-08-03T01:33:03.271Z","avatar_url":"https://github.com/meharehsaan.png","language":"Python","readme":"# Buffer Overflow (BOF)\n\nA buffer overflow is a bug in a program, which occurs when more data is\nwritten to a block of memory than it can handle. 
This can be stack-based, heap-based, an integer overflow, an off-by-one, or a format string bug.\n\n## Cyber Security and Vulnerabilities\n\n[**Cyber-security**](https://www.simplilearn.com/tutorials/cyber-security-tutorial/what-is-cyber-security) encompasses all the techniques for **protecting**\ncomputers, networks, programs, and data from unauthorized access or\nattacks that are aimed at exploitation.\n\nA [**vulnerability**](https://owasp.org/www-community/vulnerabilities/) is a flaw/weakness in a system design, implementation\nor security procedure that could be exploited, resulting in notable\ndamage. An example is a house with a weak lock on the main door. A **zero-day**\nvulnerability is a vulnerability that has been disclosed but is not yet\npatched. An exploit that attacks a zero-day vulnerability is called a zero-day\nexploit.\n\nAn [**exploit**](https://ctf101.org/binary-exploitation/overview/) is software that takes advantage of a vulnerability, leading to\nprivilege escalation on the target. An **example** of an exploit is the duplicate\nkey with which the robber can enter the house.\n\nA [**payload**](https://www.baeldung.com/cs/exploit-vs-payload#:~:text=A%20payload%20is%20a%20code,reverse%20shells%2C%20and%20so%20on) is the actual code that runs on the compromised system after\nexploitation. An example is the task that the robber will perform inside the\nhouse, i.e., **stealing jewelry and cash**.\n\n## Contents\n\n1. Stack overflow\n2. Shellcode\n3. Exploit\n4. Buffer Overflow\n5. Bypassing the Non-eXecutable bit\n\n### Introduction to BOF\n\n---\n\n- The first paper on this vulnerability was published in 1996 by **Aleph One**\n  under the title “Smashing The Stack For Fun And Profit”, and it was later\n  revived by **Avicoder** in 2017.\n- A buffer overflow exploit was first used by the **Morris Worm** in 1988, followed by\n  the **Code Red Worm** in 2001 and the **Slammer Worm** in 2003. 
It is still one of the top\n  vulnerabilities, covering a wide range of computer applications, libraries,\n  operating systems and networking.\n- Hackers mostly use buffer overflows to corrupt the **execution stack** of a web\n  app. By sending carefully crafted input to a web app, a hacker can make the\n  web app execute **arbitrary** code and possibly take over the **server**.\n- Although many **hardware- and software-based** techniques and tools have\n  been proposed and developed to **detect** and **protect** against buffer overflow\n  vulnerabilities, the trend suggests this problem will continue to occur.\n\n- [Stack Smashing](https://www.eecs.umich.edu/courses/eecs588/static/stack_smashing.pdf)\n- [Smashing the Stack](https://avicoder.me/papers/pdf/smashthestack.pdf)\n\n![BufferOverflow](img/bof1.png)\n\n### Deep Dive in BOF\n\n---\n\nLet's dive into the details of a classic Buffer Overflow (BOF) vulnerability and how hackers exploit it, step by step.\n\n#### Vulnerability Identification\n\nHackers identify a software component (such as a function) that doesn't properly validate input size.\nThis component allocates a fixed-size buffer (e.g., an array) to store user-provided data.\n\n#### Crafting Payload\n\nThe hacker crafts input data that exceeds the buffer's allocated size.\nThe extra data overflows into adjacent memory, potentially overwriting other variables or control structures.\n\n#### Return Address Manipulation\n\nThe hacker's goal is to manipulate the function's return address, stored on the stack, to point to their malicious code (shellcode).\nThey craft the payload so that the buffer overflows and overwrites the return address.\n\n#### Stack Frame Manipulation\n\nThe stack frame of the vulnerable function includes local variables and the return address.\nBy controlling the return address, the hacker can redirect the program's execution flow.\n\n#### Controlled Execution Flow\n\nThe hacker places their 
shellcode in the payload, often represented by assembly instructions.\nThe payload could be a sequence of instructions to spawn a shell, download malware, or perform other malicious actions.\n\n#### Redirecting to Shellcode\n\nWhen the vulnerable function returns, the manipulated return address points to the shellcode, not the legitimate caller.\nThis redirection leads to the execution of the hacker's shellcode.\n\n#### Shellcode Execution\n\nThe shellcode executes, granting the hacker control over the compromised system.\nThe attacker can issue commands, access files, or exploit further vulnerabilities.\n\n#### Privilege Escalation\n\nIf the exploited function has elevated privileges (e.g., runs as administrator), the hacker gains the same privileges.\n\n#### Evasion Techniques\n\nHackers may use NOP sleds to increase the chance of hitting the shellcode precisely.\nThey may also modify the payload to avoid detection by intrusion detection systems.\n\n#### Persistence and Exploitation\n\nThe hacker might set up backdoors or exploit other vulnerabilities to maintain access or pivot to other systems.\n\n#### Cleanup and Concealment\n\nTo cover their tracks, attackers erase logs, manipulate system settings, or deploy anti-forensics techniques.\n\n## Security Protection Mechanisms (Mitigations)\n\n---\n\n#### NX Bit\n\nThe NX (No-eXecute) bit, also known as the **XD (eXecute Disable)** bit, is a **hardware**-based security feature found in modern computer processors. 
It is designed to prevent the **execution of code** stored in certain memory regions, primarily as a defense against various types of **malicious** software attacks, including Buffer Overflow (BOF) attacks and code injection.\n\n```bash\n# compile with an executable stack, i.e. with NX disabled for the stack\ngcc -z execstack programname.c\n```\n\n- The NX bit doesn't prevent all **types** of code execution attacks, such as those that involve **abusing legitimate code sequences**.\n\n#### Stack Canary\n\nBefore calling a function, the program places a random value (the stack canary) between the local variables and the return address on the stack.\nAfter the function executes, before it returns, the program checks whether the canary value has been modified.\n\n```bash\n# compile without the stack canary\ngcc -fno-stack-protector programname.c\n```\n\n- Stack canaries cannot prevent all types of buffer overflows or attacks that don't target the return address.\n\n#### ASLR (Address Space Layout Randomization)\n\nASLR randomizes the starting addresses of various memory segments, including the stack, heap, libraries, and executable code, in a process's address space.\nThis randomization is applied when the process starts, making it challenging for attackers to predict memory locations.\n\n```bash\n# disable ASLR system-wide (0 = off, 1 = conservative, 2 = full randomization)\necho 0 | sudo tee /proc/sys/kernel/randomize_va_space\n```\n\n#### PIE (Position Independent Executable)\n\nPIE is an extension of **ASLR** that focuses specifically on the **executable** code and data of an application. In a **non**-PIE executable, the base **address** of the program's code is fixed, making it easier for attackers to predict and target specific memory locations. 
With **PIE**, the base address of the executable's code is **randomized** each time the program is executed.\n\n```bash\n# compile as a non-PIE executable (fixed base address)\ngcc -no-pie programname.c\n```\n\n- Like ASLR, PIE is not **foolproof** and doesn't prevent all possible exploitation scenarios.\n- PIE may introduce a small performance overhead due to the need to adjust relative offsets at runtime.\n\n#### Fortify_source\n\nFortify Source is integrated into the software development lifecycle, helping developers find and fix issues early in the development process.\nIt can be integrated into integrated development environments (IDEs) or run as part of automated build processes. Fortify Source allows organizations to define their own security rules and policies based on industry best practices, compliance requirements, and internal security standards.\n\n```bash\n# _FORTIFY_SOURCE only takes effect with optimization enabled (-O1 or higher)\ngcc -D_FORTIFY_SOURCE=2 -O2 programname.c\n```\n\n\u003cbr\u003e\n\n### Function Stack Frame\n\n---\n\n![FSF](img/fsf.png)\n\n### Machine, Assembly and Hi-Level Languages\n\n---\n\n#### High level language\n\n```C\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n\nint main(void) {\n    printf(\"I am High level Language C\\n\");\n    exit(0);\n}\n```\n\n#### Assembly language\n\n```nasm\n; 32-bit x86, cdecl calling convention: arguments are pushed on the stack\nSECTION .data\n    message db \"I am High level Language C\", 10, 0   ; 10 = newline, 0 = terminator\n\nSECTION .text\n    global main\n    extern printf, exit\nmain:\n    push message        ; printf(message)\n    call printf\n    add esp, 4          ; caller removes the pushed argument\n    push 0              ; exit(0)\n    call exit\n```\n\n#### Machine code\n\n| Assembly Code | Hexadecimal Machine Code |\n| ------------- | ------------------------ |\n| `push message` | `68 xx xx xx xx` |\n| `call printf` | `E8 xx xx xx xx` |\n| `add esp, 4` | `83 C4 04` |\n| `push 0` | `6A 00` |\n| `call exit` | `E8 xx xx xx xx` |\n\n### Assembly Language\n\n---\n\nAssembly language plays a crucial role in buffer overflow exploits. 
Buffer overflow exploits involve manipulating the memory contents of a vulnerable program to overwrite critical data, such as function return addresses, and redirect the program's execution flow to malicious code. Assembly language is used to craft the shellcode or payload that will be injected and executed in the compromised system's memory.\n\n- Check `Assembly language` from my [intelx86-64](https://github.com/meharehsaan/intelx86_64) repository where I explained assembly from zero with examples in detail.\n- [Endianness](https://github.com/meharehsaan/intelx86_64/tree/master/datatypes#endianness)\n- [Flag Registers](https://github.com/meharehsaan/intelx86_64#flags-register-eflagsrflags)\n- [General Purpose Registers](https://github.com/meharehsaan/intelx86_64#registers)\n- [Functions](https://github.com/meharehsaan/intelx86_64/tree/master/functions#proceduresfunctions-in-assembly-language)\n- [Function calling conventions](https://github.com/meharehsaan/intelx86_64/tree/master/funcallconvention#c-function-calling--the-run-time-stack)\n- [Stack Behind the Curtain](https://github.com/meharehsaan/system-programming/tree/master/stack-behind-the-curtain#stack) from system programming.\n- [Basic Assembly Instructions](https://github.com/meharehsaan/intelx86_64)\n\n## Links\n\n- [GDB](https://github.com/meharehsaan/intelx86_64/tree/master/gdb)\n- [BOF01](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)\n- [BOF 02](https://www.jsums.edu/nmeghanathan/files/2015/05/CSC437-Fall2013-Module-5-Buffer-Overflow-Attacks.pdf)\n- [BOF in detail](https://infosecwriteups.com/buffer-overflow-basics-687f61216ebc)\n- [Buffer Overflows](https://courses.cs.washington.edu/courses/cse351/20sp/lectures/15/CSE351-L15-buffoverflow_20sp-ink.pdf)\n- [Binary Exploitation](https://dmz.torontomu.ca/wp-content/uploads/2021/03/Binary-Exploitation-201.pdf)\n- [Buffer Overflow Attack](https://web.ecs.syr.edu/~wedu/seed/Book/book_sample_buffer.pdf)\n- [Buffer Overflow 
Defenses](https://cseweb.ucsd.edu/classes/wi22/cse127-a/scribenotes/3-bufferoverflowdefenses-notes.pdf)\n- [Bypass defenses](https://www.appknox.com/security/bypassing-pie-nx-and-aslr)\n- [Stack Guard](http://myweb.usf.edu/~kevindennis/wcsc/defense.pdf)\n\n## Additional Links\n\n- [Learning C](https://github.com/meharehsaan/learning-c)\n- [Operating System](https://github.com/meharehsaan/operating-system)\n- [System Programming](https://github.com/meharehsaan/system-programming)\n- [Socket Programming](https://github.com/meharehsaan/socketprogramming)\n- [Linux Utilities](https://github.com/meharehsaan/linux-utilities)\n- [Programming Concepts](https://github.com/meharehsaan/progconcepts)\n- [Resources](https://github.com/meharehsaan/resources)\n\n---\n\nBest Regards - [Mehar Ehsaan](https://github.com/meharehsaan)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmeharehsaan%2Fbufferoverflow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmeharehsaan%2Fbufferoverflow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmeharehsaan%2Fbufferoverflow/lists"}