Binary Exploitation (Buffer Overflow)
1 Global Definition
Binary Exploitation refers to attacking software by manipulating its execution flow at the binary level. The most common example is the Buffer Overflow, where attackers supply more input than expected, corrupting memory and potentially executing malicious code.
1.1 Key Concepts
- Buffer: A temporary memory storage area.
- Stack: A structured memory region used for function calls, local variables, and return addresses.
- Return Address: The memory location where the program should continue after a function call. Overwriting this is the core of buffer overflow exploitation.
- Shellcode: Small machine code payload designed to give the attacker control (e.g., spawning a shell).
- Segmentation Fault: Program crash caused when memory outside allowed regions is accessed.
1.2 How Buffer Overflows Work
When a program allocates a fixed-size buffer (e.g., 32 bytes) but does not validate user input, an attacker can send a larger payload (e.g., 100 bytes). The extra data overwrites critical stack values, such as the functionโs return address, allowing the attacker to redirect execution to malicious shellcode.
char buffer[32];
gets(buffer); // โ Vulnerable: No input size check
If the attacker inputs 64+ characters, the program writes beyond the bufferโs limit, corrupting adjacent memory and potentially hijacking control flow.
1.3 Exploitation Techniques
- Stack-based Buffer Overflow: Overwriting the return address on the stack.
- Heap Overflow: Targeting dynamically allocated memory structures in the heap.
- Return-Oriented Programming (ROP): Chaining small existing code snippets (gadgets) to bypass security defenses.
- Format String Exploits: Misusing printf-style functions to read/write arbitrary memory.
- Shellcode Injection: Inserting payloads directly into memory to execute arbitrary code.
1.4 Defense Mechanisms
- DEP (Data Execution Prevention): Prevents execution of code in non-executable memory regions.
- ASLR (Address Space Layout Randomization): Randomizes memory addresses to prevent predictable exploits.
- Stack Canaries: Special values placed before the return address to detect corruption.
-
Safe Functions: Using functions like
fgets()instead of unsafe ones likegets(). -
Compiler Protections: Flags such as
-fstack-protectorandFORTIFY_SOURCE.
1.5 Tools for Binary Exploitation
- GDB: GNU Debugger for analyzing program execution.
- pwntools: A Python library for automating exploitation.
- Radare2: Open-source reverse engineering framework.
- IDA Pro / Ghidra: Disassemblers for analyzing binary code.
- Checksec: Tool for verifying binary protections (ASLR, DEP, etc.).
1.6 Why It Matters
Buffer overflows have historically enabled some of the most impactful cyberattacks, from early Internet worms to modern privilege escalation exploits. Understanding binary exploitation helps defenders secure software and penetration testers evaluate real-world vulnerabilities.