buffer-overflow | allow penetration testers / researchers to quickly test | Hacking library

So, apparently it's disabled by default on your platform; this behavior is configurable when gcc is built from source, and this is what your OS or packager chose to do. Use -fstack-protector to enable it (if your platform supports it at all).

For more about how gcc's stack canary system works, see Stack smashing detected.

In ordinary English, a canary is a type of bird that was used to detect toxic gases in mines. The birds were more sensitive to these gases than humans are, and so if the bird died, this could alert the miners to the danger while they still had time to evacuate. The analogy is that the value on the stack is like a canary: if it "dies" (is overwritten) then the program can "evacuate" (abort) before an exploit can occur.

I see loads of dynamic allocation (Why should C++ programmers minimize use of 'new'?).

I see repeated magic constants (1s, 2048), failure to NUL-terminate the recv_buf and then treating it as a C string, swallowing errors.

Removing all these:

Live On Coliru

Live On Wandbox

• udp_timer.h

The proper way to prevent such errors is to avoid casts, use the proper types everywhere, and configure the compiler to produce more warnings (-Wall -Wextra) and to consider these warnings errors (-Werror).

If add_param expects a pointer to int, do not pass a pointer to something that is not compatible with type int.

If you want add_param to handle different types, you can define the valp argument as a pointer to void and pass the expected type with another argument, such as an appropriate setter function. You would explicitly bypass the compiler type checking mechanisms and be on your own if the program has semantic errors.

Here is an example:

If you want your char * to be processed properly as a string, you must make sure it's null-terminated:

The problem was that I didn't call vcvars64.bat (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat)

I did set all library paths manually and also did set the PATH to the llvm-symbolizer.exe ( located in C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29333\bin\HostX64\x64 ) but apparently the clang_rt.asan_dynamic... libs seem to look at another environment variable to perform the symbolizing.

It turned out after trial and error that for 64bit the symbolizing looks additionally in the PATH and searches msdia140.dll (found in C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Team Tools\Performance Tools\x64 in my VC installation ).

The summary is that the PATH need to point to the directories containing llvm-symbolizer.exe and msdia140.dll in order to let the symbolizer work correctly.

2nd solution: I discovered that there is also the ability to override the location of llvm-symbolizer.exe with the env variable ASAN_SYMBOLIZER_PATH (this variable isn't set in the vcvars64.bat call chain). This overrides the location found in the PATH.

set ASAN_SYMBOLIZER_PATH=C:\Users\leo\llvm-symbolizer.exe would set a custom symbolizer: note that the name needs to be llvm-symbolizer.exe !

ASAN_SYMBOLIZER_PATH can also point to a directory name instead of the executable (the runtime tries to find then llvm-symbolizer.exe in this directory) .

And: still the PATH to msdia140.dll is needed to ensure proper symbolizing.

In 'convert' you allocate the memory for a string for the exact length of the string. A C String is terminated by a 0-byte so you have to allocate this extra bayte and initialize it to 0.

A heap buffer overflow is when you access outside an array that was allocated on the heap (i.e. using malloc()).

The problem is that the best_split array isn't big enough.

I think you wrongly calculated some offset. I modified your script to automate some calculation. I am using Ubuntu 20.04 for testing. Btw, you should use %p instead of %llx for address.

Set breakpoint after printf(input); then inspected the stack, I decided to go for __libc_start_main to leak libc base: