This is the conclusion of a three part series exploring how stack buffer overflow vulnerabilities work and what developers can do to protect their code.  Read on for a demonstration of how the 'synscan' example program can be exploited to gain a root shell by using BASH environment variables to store and locate shellcode in memory.

Part 1 of 'VERT Vuln School: Stack Buffer Overflows 101' introduced an example program containing a common programming error known as a buffer overflow.  Specifically as outlined in part 1, this program fails to provide bounds checking when processing user-input and enables an overflow of user-controlled data onto the stack.  This installment of Stack Buffer Overflows 101 answers some of the most common questions pertaining to the stack overflow vulnerability category.  By looking at what the stack is and how the stack is organized in memory we can begin to understand how unbounded string manipulation can enable system exploitation. 

I still remember the first time read AlephOne’s ‘Smashing the Stack for Fun and Profit’ – despite not having the proper knowledge to understand it at the time, it put the security bug in my head.   It was truly a consciousness raising experience to get that first glimpse of my computer’s inner workings.  One thing I did understand from it, loud and clear, is that bounds checking is a must when manipulating strings.  Apparently many programmers have not gotten the memo yet however as a search on NVD for ‘stack overflow’ limited to just the past 3 months of published CVEs returns 30 matches!