Brain Dump

Stack Smashing

Tags
security

Stack smashing is an attack in which a program is given an input longer than the stack buffer it is read into, so that the copy runs past the end of the buffer and overwrites adjacent stack data (such as the saved return address), making the program do something unintended.

#include <stdio.h>
#include <string.h>

void greeting(const char *name) {
    char buf[32];
    // No check on the length of name: strcpy copies until the terminating NUL,
    // so a name longer than 31 bytes overflows buf and the stack frame above it.
    strcpy(buf, name);
    printf("Hello, %s!\n", buf);
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        return 0;
    }

    greeting(argv[1]);
    return 0;
}
Code Snippet 1: Example of a program vulnerable to stack smashing.

In Code Snippet 1, if the input bytes are crafted carefully and the program was compiled without stack protections (no stack canary, executable stack), then instead of a segmentation fault when the buffer overflows we get a shell: if the bytes beyond the buffer are valid machine code (shellcode, for example for the call execve("/bin/sh", (char *[]){"/bin/sh", NULL}, NULL)) and the overwritten return address points back into them, the program runs that code when greeting() returns.
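For contrast, here is a hardened version of greeting() from Code Snippet 1. This is an added example, not part of the original note: the function name greeting_safe, the BUF_SIZE constant and the out/out_size parameters are my own choices. The copy is bounded by the destination size, so an overlong name is rejected rather than written past the end of buf.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32

/* Hardened replacement for greeting(): every write into buf and out is
 * bounded by the destination size, so an overlong name can never reach
 * the saved return address. Returns 0 if the name fit, -1 if rejected.
 * (Assumed helper for this note; not from the original snippet.)
 * Compile with -fstack-protector-strong -D_FORTIFY_SOURCE=2 as a second
 * line of defence: a canary then catches any overflow that slips through. */
int greeting_safe(const char *name, char *out, size_t out_size) {
    char buf[BUF_SIZE];
    size_t len = strlen(name);

    /* Reject anything that would not fit together with its NUL terminator. */
    if (len >= sizeof buf) {
        snprintf(out, out_size, "name too long (%zu bytes, max %zu)",
                 len, sizeof buf - 1);
        return -1;
    }
    memcpy(buf, name, len + 1);             /* bounded: len + 1 <= sizeof buf */
    snprintf(out, out_size, "Hello, %s!", buf); /* output is bounded as well */
    return 0;
}

int main(int argc, char *argv[]) {
    char msg[64];
    if (argc < 2) {
        return 0;
    }
    if (greeting_safe(argv[1], msg, sizeof msg) != 0) {
        fprintf(stderr, "%s\n", msg);
        return 1;
    }
    puts(msg);
    return 0;
}
```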
