Buffer Overflow Vulnerability in strcpy() Leading to Remote Code Execution

## Summary: The vulnerability in the program arises from a classic buffer overflow, triggered by the unsafe use of the strcpy() function without bounds checking. The program copies data from a source buffer to a destination buffer, allowing attackers to overflow the buffer if the input string exceeds the buffer's allocated size. This vulnerability can lead to the overwriting of critical memory, such as the return address on the stack, enabling arbitrary code execution and control over the system. The vulnerability is caused by the unsafe use of strcpy(), which does not check the length of the input string before copying it into the buffer. When the input exceeds the buffer size, the overflow overwrites the adjacent memory, including the return address. The buffer overflow occurs within the strcpy() function, as seen in the following stack trace: `#0 __strcpy_evex () at ../sysdeps/x86_64/multiarch/strcpy-evex.S:94, #1 0x00007ffff765d2cd in CRYPTO_strdup () from /lib/x86_64-linux-gnu/libcrypto.so.3, #2 0x00007ffff756ef96 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3...`. While libcrypto is present in the stack trace, the root cause of the overflow is in the curl program, not OpenSSL. The vulnerability is within the unsafe use of strcpy() in the curl application. At the overflow point, the CPU registers indicate the instruction pointer (IP) is inside `__strcpy_evex`. The register information shows values such as `rax 0x472cf0 4664560`, `rbx 0x7ffff7832be3 140737345956835`, `rip 0x7ffff7e31b80 0x7ffff7e31b80 <__strcpy_evex>`. The program is executing inside `__strcpy_evex`, where the buffer overflow occurs, allowing us to manipulate adjacent memory. The memory dump shows the stack around the overflow location with values such as `0x7fffffffd988: 0xf765d2cd 0x00007fff 0x00464a60 0x00000000, 0x7fffffffd998: 0x00472aa0 0x00000000 0x00000000 0x00000000...`. The return address, which is overwritten, is located at `0x7fffffffd9b8`. By overflowing the buffer, we can replace this return address with a controlled value. The overflowed buffer is used by strcpy() to copy user-provided data. The buffer resides on the stack, and because the size is unchecked, overflowing the buffer leads to the overwriting of crucial stack elements, including the return address. The key target for overwriting is the return address at `0x4005d0`. By overwriting it, the attacker can control the program’s execution flow. The exploit strategy involves filling the buffer with a long string (e.g., filled with "A"s) to overflow the buffer and reach the return address, then overwriting the return address with `0x4005d0`, the address of a shell-spawning function. Once the return address is overwritten, the program will return to `0x4005d0`, which triggers the execution of a shell for the attacker. The impact of this vulnerability includes code execution, privilege escalation if the program runs with elevated privileges, system compromise, and potentially a denial of service (DoS) if the overflow causes the program to crash or become unresponsive. An attacker can execute arbitrary code by redirecting the program flow, gaining a command shell and performing malicious actions such as stealing, manipulating, or deleting sensitive data. ## Steps To Reproduce: 1. Launch the vulnerable program: Start the application that contains the buffer overflow vulnerability, which uses the unsafe `strcpy()` function. 2. Provide oversized input: Input a string that exceeds the buffer size. This can be done by sending a large string (such as a series of "A"s) to the program, triggering the buffer overflow. Ensure the input is large enough to overwrite the return address. 3. Monitor the overflow: Use a debugger like GDB to monitor the program's execution and watch for the point where the buffer overflow occurs. Look for memory overwriting in the stack around the return address location. 4. Overwrite the return address: After the buffer is filled, overwrite the return address with a controlled value, such as the address of a function that spawns a shell (e.g., `system("/bin/sh")`). 5. Execute the exploit: The program will return to the overwritten address, which should point to the shell-spawning function. If successful, the attacker will gain control of the system and can execute arbitrary commands. 6. Confirm the impact: If the exploit works as intended, the program will execute the shell, giving the attacker control over the system. ## Impact Thid bug can allow attackers to overwrite the return address on the stack, enabling them to execute arbitrary code or gain control of the system. By exploiting this vulnerability, attackers can redirect the program’s execution to a location of their choice, typically resulting in remote code execution or the execution of malicious commands, such as spawning a shell. This can lead to full system compromise, privilege escalation (if the program runs with elevated privileges), unauthorized access to sensitive data, manipulation of data, or even the complete takeover of the system. Additionally, if the buffer overflow leads to a program crash, it may result in a denial of service (DoS).