Can buffer overflow attacks work when there is a limited number of bytes one can overwrite?

For example, consider a scenario where one uses strncpy to copy some kind of text (assume 27 characters in length including a null terminator) into a buffer that can contain a maximum of 100 characters, and then strncat is used to move another 100 characters.

In this case, the buffer will have 127 characters even though it has only been allocated 100 bytes on the stack. Since I can't overwrite the return address with mere 27 bytes because it is placed further on the stack, is there a way I could make an exploit out of this behavior? Perhaps by injecting assembly code that will allow me to overwrite more characters/overwrite the return address?

CodePudding user response：

You're overwriting something that wasn't intended to be overwritten. Whether you can exploit this depends on how the program was going to use the memory you overwrote, as well as your own ingenuity.

If it only contains variables that the program has finished using and that will not be read again before they are overwritten by normal program execution, then the bug is not exploitable.

If it contains variables that will be used again, then you look at what it does with them. For instance:

• if one of them is bool has_administrator_privileges then you are in business.

• if one of them is a function pointer that is going to be called later, you can point it to whatever code you want to have executed.

• if one of them is a data pointer that will be dereferenced to write somewhere in memory, you can alter it so that some other piece of memory is written. Which in turn could be valuable for one of the same reasons.

And so on.

But if they are boring variables whose values don't alter program behavior in any way that is useful to you (e.g. char user_nickname[50]) then you may not be able to usefully exploit the bug.