Quiz Entry - updated: 2026.07.07
How does a buffer overflow attack work?
Oversized input spills past a buffer and overwrites adjacent stack data — notably the saved return address — letting the attacker redirect execution.
* An overflow past a local buffer grows upward through the saved frame pointer into the return address, redirecting execution when the function returns. *
The stack layout (simplified):
High addresses
+------------------+
| Return address | ← Where to go after function returns
+------------------+
| Saved frame ptr | ← Previous stack frame
+------------------+
| Local buffer[32] | ← Where user input goes
+------------------+
Low addresses
What the attacker does:
- Find the buffer size - send increasing input until crash
- Calculate offset - how many bytes until we reach return address?
- Craft payload - fill buffer + overwrite return address with target
Example attack:
$ ./ls -lllllllllllllllllllllllllllll
# Found it! Program crashed
Segmentation fault
Exploitation (redirecting to delete function):
Input: "AAAA...AAAA" + address_of_delete()
\_________/
fills buffer, overwrites return address
When function returns, jumps to delete() instead of caller!
$ ./ls "------------------------"$'\x20\x63\x55\x56'
$ ./ls --long
# Files are gone! Attacker redirected execution to delete()
Modern defenses:
- Stack canaries: Random value before return address, checked before return
- ASLR: Randomize memory layout so attacker can't predict addresses
- NX/DEP: Mark stack as non-executable (can't inject shellcode)
- Input validation: Check input length before copying!
Tip: Understanding buffer overflows is essential for both attacking and defending systems.
Go deeper:
Stack buffer overflow (Wikipedia) — how overrunning a stack buffer overwrites the saved return address and hijacks control flow.
How Buffer Overflows work: overwriting the return address (LiveOverflow) — a short hands-on walkthrough of smashing the stack to redirect execution.
Return-oriented programming (Wikipedia) — how attackers chain existing gadgets to bypass a non-executable stack once the return address is theirs.