Alexander Sotirov, a.k.a. Solar Eclipse, is a well-known security researcher who specializes in buffer overflow exploit development and binary reverse engineering. In the following video, Solar gives a couple of pieces of simple advice which may come as a breakthrough for readers who are new to the field of binary software hacking.

To summarize his words, buffer overflow exploitation starts and finishes with a crash. The crash occurs because the input supplied to the program hasn't been correctly sanitized. In most cases, this results in overwriting a memory segment beyond the end of a buffer. This segment often contains data which is crucial to the program's execution. If the corrupted buffer is in fact a local variable of a function (C/C++ main included), then we are dealing with a stack-based buffer overflow, which traditionally is very simple to exploit. If the buffer is dynamically allocated at runtime (malloc and the rest of the family), we are dealing with a heap-based buffer overflow, which is often much harder to work with. There are other conditions to keep in mind, although stack and heap overflows make up the majority of all binary software vulnerabilities.
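To make the stack-based case concrete, here is an added example (not code from the video or from Sotirov) of the pattern behind most of these crashes: an unbounded copy into a fixed-size local buffer, placed beside a version that checks the length first and rejects input that does not fit. The function names, the 16-byte buffer size and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 16   /* constructed: size of the local buffer */

/* Vulnerable pattern: unbounded copy into a fixed-size stack buffer.
   The length of `input` is never checked, so anything longer than
   NAME_LEN - 1 bytes runs past `name` into whatever the compiler placed
   after it on the stack (other locals, the saved frame pointer, the
   return address). This is the "memory segment beyond the buffer" from
   the text. Kept only for contrast; it is never called below. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no bound: classic stack overflow */
    printf("hello, %s\n", name);
}

/* Hardened version: measure the input without scanning past out_len,
   and refuse (rather than silently truncate) anything that does not fit
   together with its terminator. Returns true when `out` was filled. */
bool greet_safe(const char *input, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && input[n] != '\0')
        n++;
    if (n == out_len)               /* no NUL within out_len: too long */
        return false;
    memcpy(out, input, n);
    out[n] = '\0';
    return true;
}

/* Helper for exercising the check: does an input of `len` bytes get
   accepted into a NAME_LEN buffer? Inputs are constructed runs of 'A'. */
bool accepts_length(size_t len)
{
    char src[64];
    char dst[NAME_LEN];
    if (len >= sizeof src)
        return false;
    memset(src, 'A', len);
    src[len] = '\0';
    return greet_safe(src, dst, sizeof dst);
}

int main(void)
{
    char dst[NAME_LEN];
    const char *ok = "alice";                                      /* constructed */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 40 bytes */

    printf("\"%s\" -> %s\n", ok,
           greet_safe(ok, dst, sizeof dst) ? "accepted" : "rejected");
    printf("%zu bytes of 'A' -> %s\n", strlen(too_long),
           greet_safe(too_long, dst, sizeof dst) ? "accepted" : "rejected");
    return 0;
}
```

The boundary is exactly where the crash in the text comes from: 15 bytes plus the terminator fill the buffer, and the 16th byte is the first one to land outside it. Rejecting instead of truncating keeps the caller aware that input was dropped, which is usually the better choice for anything security-relevant.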

No matter whether the exploitable condition is stack or heap based, the simple fact is that buffer overflow vulnerabilities are often very easy to locate, although they may take a bit of time to exploit. As long as you can supply data which influences the EIP register at runtime, you are on the right path. The next step is to identify the type of vulnerability by tracking the execution path a couple of instructions back; from that you should be able to see whether control was transferred by a RET or by an overwritten function pointer. And all in all, this is all buffer overflows are. Of course, depending on the circumstances, you might make use of several other techniques (NOPs, return-to-libc, exception handler overwrites, and so on) which help to bypass certain restrictions. However, the first step is always to find the crash.