Diving Into Memory Allocation to Understand Buffer Overflow Better

MEMORY ALLOCATION
DIVING INTO
TO UNDERSTAND BUFFER OVERFLOW BETTER

DYNAMIC MEMORY ALLOCATION
WHOAMI
Oguzhan Topgul
Application Security Engineer @FORTINET
www.oguzhantopgul.com
@oguzhantopgul

CPU REGISTERS
▸ EIP: Instruction Pointer - Next instruction to be executed
▸ ESP: Stack Pointer - Top of the stack
▸ EBP: Base Pointer - Base of the stack
▸ EAX: Accumulator Register - Generally holds the return value
▸ EBX: Base Register - Generally used to address memory
▸ ECX: Counter Register - Generally used in shift, rotate instructions and loops
▸ EDX: Data Register - Generally used in arithmetic and I/O operations
▸ ESI: Source Index Register
▸ EDI: Destination Index Register

PROGRAM MEMORY
.TEXT
.DATA
HEAP
STACK
.BSS
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
- a.k.a Code Segment
- Executable Instructions
- Read-only

PROGRAM MEMORY
.TEXT
.DATA
HEAP
STACK
.BSS
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
- a.k.a initialized data
- global variables w/ pre-defined value
- static variables w/ pre-defined value
within the functions
keeps its value between invocations
#include <stdio.h>
void foo()
{
int a = 10;
static int sa = 10;
a += 5;
sa += 5;
printf("a = %d, sa = %dn", a, sa);
}
int main()
{
int i;
for (i = 0; i < 10; ++i)
foo();
}
a = 15, sa = 15
a = 15, sa = 20
a = 15, sa = 25
a = 15, sa = 30
a = 15, sa = 35
a = 15, sa = 40
a = 15, sa = 45
a = 15, sa = 50
a = 15, sa = 55
a = 15, sa = 60

PROGRAM MEMORY
.TEXT
.DATA
HEAP
STACK
.BSS
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
- a.k.a uninitialized data
- global variables w/o pre-defined value
- static variables w/o predefined value
within the functions

PROGRAM MEMORY
.TEXT
.DATA
HEAP
STACK
.BSS
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
- grows low->high
- malloc, calloc, realloc, free
- shared by all
- threads,
- shared libraries
- dynamically loaded modules

PROGRAM MEMORY
.TEXT
.DATA
HEAP
STACK
.BSS
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
- LIFO
- On x86, stack grows Higher->Lower
- What’s stored in Stack:
- Function arguments,
- Local variables
- Function return address
- PUSH adds to the top, POP removes from top
} Stack Frame

#include <stdio.h>
int x = 20;
int y;
int main()
{
char buf[5];
for (i = 0; i < 10; ++i)
foo(15);
}
void foo(int arg)
{
int a = 10;
static int sa = 10;
sa += 5;
char* int = malloc(10 * sizeof(int));
printf("sa = %dn”,sa);
}
PROGRAM MEMORY
.TEXT
.DATA
HEAP
STACK
.BSS
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS

double multiplyByTwo (double input) {
double twice = input * 2.0;
return twice;
}
int main (int argc, char *argv[])
{
int age = 30;
double salary = 12345.67;
double myList[3] = {1.2, 2.3, 3.4};
printf("salary is %.3fn", multiplyByTwo(salary));
return 0;
}
double *multiplyByTwo (double *input) {
double *twice = malloc(sizeof(double));
*twice = *input * 2.0;
return twice;
}
int main (int argc, char *argv[])
{
int *age = malloc(sizeof(int));
*age = 30;
double *salary = malloc(sizeof(double));
*salary = 12345.67;
double *myList = malloc(3 * sizeof(double));
myList[0] = 1.2;
myList[1] = 2.3;
myList[2] = 3.4;
double *twiceSalary = multiplyByTwo(salary);
printf(“salary is %.3fn", *twiceSalary);
free(age);
free(salary);
free(myList);
free(twiceSalary);
return 0;
}
DEFINE VARIABLES ON STACK VS HEAP

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
- Stack Pointer (SP, ESP) tracks the top of the
stack (last address on the stack)
- Changes during the execution (PUSH&POP)
- Base Pointer (BP, EBP) a.k.a Frame Pointer (FP)
shows the bottom of the stack
- Fixed during the execution
- local variables and arguments are
referenced by their offset from EBP
EBP
ARG 1
ARG 2
LOCAL VAR 2
LOCAL VAR 1
EBP + 8
EBP + 12
EBP - 8
EBP - 4
ESP
RETURN ADDREBP + 4

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
int main()
{
function(1,2,3);
}
void function(int a, int b, int c)
{
char buffer1[5];
}
<function>:
push ebp
mov ebp,esp
sub esp,0x10
call 11ba <__x86.get_pc_thunk.ax>
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
call 1189 <function>
add esp,0xc
nop
leave
ret
EBP - MAIN ESP

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ESP

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ARG 2 ESP

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ARG 2
ARG 1 ESP

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ARG 2
ARG 1
RETURN ADDR ESP
EIP
{
PUSH EIP
JMP function

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ARG 2
ARG 1
RETURN ADDR
EBP - FUNCTION ESP

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - FUNCTION
ARG 1
ARG 2
EBP + 8
EBP + 12
EBP - 8
EBP - 4
RETURN ADDREBP + 4
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3EBP + 16
EBP - 12
EBP - 16 ESP
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret

DYNAMIC MEMORY ALLOCATIONTEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
ARG 1
ARG 2
RETURN ADDR
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ESP
{
RESTORE ALLOCATED MEMORY
POP EBP
POP RETURN ADDR
JMP RETURN ADDR

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
ARG 1
ARG 2
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
ARG 3
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ESP

STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
int main()
{
function(1,2,3);
}
{
char buffer1[5];
}
EBP - MAIN
<function>:
push ebp
mov ebp,esp
sub esp,0x10
add eax,0x2e6c
nop
leave
ret
<main>:
push ebp
mov ebp,esp
add eax,0x2e5c
push 0x3
push 0x2
push 0x1
add esp,0xc
nop
leave
ret
ESP

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
00001199 <function>:
1199:55 push ebp
119a:89 e5 mov ebp,esp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11aa:83 ec 08 sub esp,0x8
11ad:ff 75 08 push DWORD PTR [ebp+0x8]
11b0:8d 55 e8 lea edx,[ebp-0x18]
11b3:52 push edx
11b4:89 c3 mov ebx,eax
11b6:e8 75 fe ff ff call 1030 <strcpy@plt>
11bb:83 c4 10 add esp,0x10
11be:90 nop
11bf:8b 5d fc mov ebx,DWORD PTR [ebp-0x4]
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11cf:89 e5 mov ebp,esp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
11e2:c7 45 f4 00 00 00 00 mov DWORD PTR [ebp-0xc],0x0
11e9:eb 12 jmp 11fd <main+0x39>
11eb:8d 95 f4 fe ff ff lea edx,[ebp-0x10c]
11f1:8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
11f4:01 d0 add eax,edx
11f6:c6 00 41 mov BYTE PTR [eax],0x41
11f9:83 45 f4 01 add DWORD PTR [ebp-0xc],0x1
11fd:81 7d f4 fe 00 00 00 cmp DWORD PTR [ebp-0xc],0xfe
1204:7e e5 jle 11eb <main+0x27>
1206:83 ec 0c sub esp,0xc
1209:8d 85 f4 fe ff ff lea eax,[ebp-0x10c]
120f:50 push eax
1210:e8 84 ff ff ff call 1199 <function>
1215:83 c4 10 add esp,0x10
1218:90 nop
1219:8b 4d fc mov ecx,DWORD PTR [ebp-0x4]
121c:c9 leave
121d:8d 61 fc lea esp,[ecx-0x4]
1220:c3 ret
ESP
void function(char *str)
{
char buffer[16];
strcpy(buffer,str);
}
int main()
{
char large_string[256];
int i;
for(i = 0; i < 255; i++)
large_string[i] = 'A';
function(large_string);
}

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX ESP

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX
EBP - 280 ESP
EBP - 4

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX
EBP - 280 ESP
EBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0x00

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX
EBP - 280 ESP
EBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0x00
EBP - 276
EBP - 272
EBP - 268

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX
EBP - 280 ESP
EBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0x00
EBP - 276
EBP - 272
EBP - 268 0x41

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX
EBP - 280 ESP
EBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0x01
EBP - 276
EBP - 272
EBP - 268 0x41

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX
EBP - 280 ESP
EBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0xff
EBP - 276
EBP - 272
EBP - 268 0x41
}for loop
0x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECX
EBP - 280
ESP
EBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0xff
EBP - 276
EBP - 272
EBP - 268 0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBP - 284
EBP - 288
EBP - 292

TEXT
STACK
LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECXEBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0xff
EBP - 268 0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
ADDRESS OF EBP-267 ESPEBP - 296

LOW MEMORY ADDRESS
HIGH MEMORY ADDRESS
EBP - MAIN
1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
ECXEBP - 4
EBP - 8
EBP - 12 0x00 0x00 0x00 0xff
EBP - 268 0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
RETURN ADDR ESP
ADDRESS OF EBP-267EBP - 296

1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
HIGH MEMORY ADDRESS
EBP - MAIN
ECX
0x00 0x00 0x00 0xff
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBX
RETURN ADDR
ADDRESS OF LARGE_STRING
EBP - 4 ESP
EBP - FUNCTION

1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
HIGH MEMORY ADDRESS
EBP - MAIN
ECX
0x00 0x00 0x00 0xff
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBX
RETURN ADDR
EBP - 4
.
.
.
EBP - 24
EBP - FUNCTION
ESP

1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
HIGH MEMORY ADDRESS
EBP - MAIN
ECX
0x00 0x00 0x00 0xff
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBP - FUNCTION
EBX
RETURN ADDR
EBP - 4
.
.
.
EBP - 24
EBP - 28
EBP - 32 ESP

1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
HIGH MEMORY ADDRESS
EBP - MAIN
ECX
0x00 0x00 0x00 0xff
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBP - FUNCTION
EBX
RETURN ADDR
EBP - 4
.
.
.
EBP - 24
EBP - 28
EBP - 32 ESP
EBP + 8
ADDRESS OF LARGE_STRINGEBP - 36

1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
HIGH MEMORY ADDRESS
EBP - MAIN
ECX
0x00 0x00 0x00 0xff
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBP - FUNCTION
EBX
RETURN ADDR
EBP - 4
16 BYTE BUFFER.
.
.
EBP - 24
EBP - 28
EBP - 32
EBP + 8
ADDRESS OF BUFFEREBP - 40 ESP

1199:55 push ebp
119c:53 push ebx
119d:83 ec 14 sub esp,0x14
…
11b3:52 push edx
11bb:83 c4 10 add esp,0x10
11be:90 nop
11c2:c9 leave
11c3:c3 ret
000011c4 <main>:
…
11ce:55 push ebp
11d1:51 push ecx
11d2:81 ec 14 01 00 00 sub esp,0x114
…
1204:7e e5 jle 11eb <main+0x27>
120f:50 push eax
1215:83 c4 10 add esp,0x10
1218:90 nop
121c:c9 leave
1220:c3 ret
HIGH MEMORY ADDRESS
EBP - MAIN
ECX
0x00 0x00 0x00 0xff
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBP - FUNCTION
EBX
RETURN ADDR
EBP - 4
16 BYTE BUFFER.
.
.
EBP - 24
EBP - 28
EBP - 32
EBP + 8
ADDRESS OF BUFFEREBP - 40 ESP
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41

STACK AFTER STRCPY

BUFFER OVERFLOW
int main()
{
char large_string[256];
int i;
for(i = 0; i < 255; i++)
large_string[i] = 'A';
char buffer[16];
strcpy(buffer, large_string);
}
int main(int argc, char **argv)
{
char buffer[16];
gets(buffer);
}
▸ What happens if you ﬁll the buffer with a user input?
▸ User can enter an input with the length > 16

HIGH MEMORY ADDRESS
EBP - MAIN
ECX
0x00 0x00 0x00 0xff
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
.
.
.
0x410x410x410x41
EBP - FUNCTION
EBX
RETURN ADDR
16 BYTE BUFFER
0x410x410x410x41
0x410x410x410x41
0x410x410x410x41
user codemyofAddress
0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
USER CODE
BUFFER OVERFLOW
▸ Overwrite the return address
▸ Change the program ﬂow

Diving Into Memory Allocation to Understand Buffer Overflow Better

More Related Content

What's hot (20)

Similar to Diving Into Memory Allocation to Understand Buffer Overflow Better (20)

More from Oguzhan Topgul (7)

Recently uploaded (20)

Diving Into Memory Allocation to Understand Buffer Overflow Better