off by one buffer overflow

Off-by-one vulnerability is a type of buffer overflow that allows you to only modify one byte. It is a result of miscalculation of the buffer length. Below is an example of off-by-one vulnerability in C language:

int get_user(char *user)


    char buf[1024];


    if(strlen(user) > sizeof(buf))

        die("error: user string too long\n");


    strcpy(buf, user);




The art of software security assessment, Listing 5-3

Here the strlen function return the size of string but does not consider the null termination character. The strcpy copies the user in buf variable and writes the null byte to the adjacent variable. If compiler does not use any padding the adjacent variable is EBP.

Sometimes because of compiler padding and reordering of variables, exploiting Off-by-one vulnerabilities is not possible but sometimes we can execute arbitrary codes in certain situations although in stack overflow off-by-one vulnerabilities we have no control on ESP. Depending on the compiler ordering of variables you may also have the opportunity to overwrite a specific variable that is vital for an application

Exploiting Off-by-one buffer overflow vulnerability

Exploiting an off-by-one vulnerability really depends to the place of the vulnerable buffer and also other buffers the user has control on. If the variable is just above the EBP (the variable is the first variable after EBP on the stack) the Off-by-one allows us to change the least significant byte of the EBP. This provides us the ability to manipulate the ESP of previous function since in some situations after the function returns the EBP is restored to ESP. Being allowed to alter the stack pointer of a function explicitly can provide us the opportunity to manipulate the EIP. If we change the least significant byte of the EBP so that it points to a buffer controllable by us, we can make up the buffer so that it contains a custom address to be restored as the saved EIP. This custom address can point to another user controllable buffer that contains the shellcode. Bam, after the second function returns, which its ESP points to altered EBP, our arbitrary code is executed.

 off by one stack buffer overflow exploit

Read 939 times Last modified on Tuesday, 23 June 2015 08:02
Rate this item
(0 votes)
About Author
Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.

Advanced Programming Concepts
News Letter

Subscribe our Email News Letter to get Instant Update at anytime