## https://sploitus.com/exploit?id=7A424E9B-0926-51B8-A4B6-FA6D0D1DEE24
# Buffer Overflow & Shellcode Exploitation
## Overview
This project explores a real-world stack-based buffer overflow vulnerability
in a network-facing C program and demonstrates how it can be exploited to
achieve arbitrary code execution.
The target program processes attacker-controlled input received over the
network and copies it into a fixed-size stack buffer without proper bounds
checking. By carefully analyzing the stack frame layout and leveraging an
information disclosure vulnerability, the exploit reliably hijacks control
flow and redirects execution to injected shellcode.
---
## Threat Model
- The attacker can send arbitrary input to a vulnerable server function
- The server processes network data using unsafe memory operations
- Address Space Layout Randomization (ASLR) is enabled
- The binary is setuid-root, making successful exploitation security-critical
The attacker’s goal is to gain arbitrary code execution by corrupting stack
state and redirecting program control flow.
---
## Vulnerability Analysis
The vulnerability resides in a function that copies attacker-controlled data
into a local stack buffer using `memcpy` without validating the input length.
Key issues include:
- A fixed-size stack buffer
- No bounds checking on the copied length
- Overwriting of adjacent stack data, including the saved frame pointer and
return address
This results in a classic **stack-based buffer overflow** vulnerability that
allows the attacker to overwrite control data on the stack.
---
## Stack Frame Reasoning
To exploit the vulnerability, the project analyzes the runtime stack layout
under the x86-64 calling convention:
- Location of the local buffer within the stack frame
- Position of the saved frame pointer (RBP)
- Position of the saved return address
Understanding these relationships enables precise calculation of overwrite
offsets required for reliable exploitation.
---
## Information Disclosure
Although ASLR randomizes stack addresses, the program contains an echo-style
behavior that allows attacker-controlled output length.
By exploiting this behavior, the exploit leaks stack memory contents at
runtime, including the saved frame pointer. This information leak enables
calculation of the exact stack buffer address, effectively bypassing ASLR.
---
## Exploit Strategy
The exploit proceeds as a chained attack:
1. Trigger the buffer overflow to overwrite stack memory
2. Leak the saved frame pointer using the information disclosure
3. Compute the runtime address of the stack buffer
4. Construct a payload containing:
- A NOP sled
- Injected shellcode
- Restored frame pointer
- Overwritten return address
5. Redirect execution to attacker-controlled shellcode
When the vulnerable function returns, execution jumps directly into the
payload.
---
## Result and Impact
The exploit achieves:
- Reliable control-flow hijacking
- Arbitrary code execution
- Privilege escalation via a setuid-root binary
This demonstrates the severe security impact of memory safety vulnerabilities
in low-level systems code.
---
## Tools and Environment
- **Language:** C
- **Architecture:** x86-64
- **Debugger:** GDB
- **Environment:** Linux
- **Isolation:** Docker
The exploit was developed and tested in a controlled Linux environment using
debugging and runtime inspection tools.
---
## Lessons Learned
- Memory safety violations can completely compromise program control flow
- Exploits often rely on chaining multiple weaknesses, not a single bug
- Information leaks are critical in bypassing modern defenses such as ASLR
- Understanding calling conventions and stack layout is essential for
low-level security work
- Defensive coding practices and bounds checking are mandatory for
security-critical software