Introduction To Buffer

Goal: Getting control of the EIP cpu register.

Sample Vulnerable C Code

#include <stdio.h> 
#include <string.h> 

int main(int argc, char *argv[]) {     
    char buffer[64]; 
    if (argc < 2)     {         
        printf("Error - You must supply at least one argument\n");                  
        return 1;     
    }          
    strcpy(buffer, argv[1]);        
    return 0; 
} 

The buffer variable is defined within a function, thus it's a local variable and C compiler reserves space (64 bytes) for it in the stack.

strcpy(buffer, argv[1]); copies first cmd argument to it

If argument is shorter than 64 bytes, everything will be fine.

But if the argument is longer than 64 bytes, say 80, the remaining 16 bytes will overwrite what's adjacent to the reserved space on the stack, overflowing the array boundaries.

Immunity Debugger

Assembly Level Debugger

Introduction To Buffer

Immunity Debugger​

Immunity Debugger