The author simply assumes that the C compiler will place the stacks of those two programs at the same (or very similar) virtual addresses and that the operating system will not perform address randomization (ASLR). This means that the stack frames of both main functions will be roughly at the same location, enabling this exploit. … Read more
No, fgets is not actually deprecated in C99 or the current standard, C11. But the author of that tutorial is right that fgets will not stop when it encounters a NUL, and has no mechanism for reporting its reading of such a character. The fgets function reads at most one less than the number of … Read more
Why is gets() dangerous The first internet worm (the Morris Internet Worm) escaped about 30 years ago (1988-11-02), and it used gets() and a buffer overflow as one of its methods of propagating from system to system. The basic problem is that the function doesn’t know how big the buffer is, so it continues reading … Read more
Since Java Strings are based on char arrays and Java automatically checks array bounds, buffer overflows are only possible in unusual scenarios: If you call native code via JNI In the JVM itself (usually written in C++) The interpreter or JIT compiler does not work correctly (Java bytecode mandated bounds checks)
For GNU glibc: SYNOPSIS #include <malloc.h> size_t malloc_usable_size (void *ptr); DESCRIPTION The malloc_usable_size() function returns the number of usable bytes in the block pointed to by ptr, a pointer to a block of memory allocated by malloc(3) or a related function.
Exploit development can lead to serious headaches if you don’t adequately account for factors that introduce non-determinism into the debugging process. In particular, the stack addresses in the debugger may not match the addresses during normal execution. This artifact occurs because the operating system loader places both environment variables and program arguments before the beginning … Read more
That’s a good problem. In order to solve that problem you will also have to disable ASLR otherwise the address of g() will be unpredictable. Disable ASLR: sudo bash -c ‘echo 0 > /proc/sys/kernel/randomize_va_space’ Disable canaries: gcc overflow.c -o overflow -fno-stack-protector After canaries and ASLR are disabled it should be a straight forward attack like … Read more
The strncpy() function was designed with a very particular problem in mind: manipulating strings stored in the manner of original UNIX directory entries. These used a short fixed-sized array (14 bytes), and a nul-terminator was only used if the filename was shorter than the array. That’s what’s behind the two oddities of strncpy(): It doesn’t … Read more
In their book The Practice of Programming (which is well worth reading), Kernighan and Pike discuss this problem, and they solve it by using snprintf() to create the string with the correct buffer size for passing to the scanf() family of functions. In effect: int scanner(const char *data, char *buffer, size_t buflen) { char format[32]; … Read more