Re: Windows Heap Overflows In General

From: David Litchfield (david@ngssoftware.com)
Date: 12/02/02

Next message: Vizzy: "Re: Windows Heap Overflows In General"

Previous message: dsanchez@sanchezsantiago.com: "Re: Lotus NOTES"
In reply to: Brett Moore: "Windows Heap Overflows In General"
Next in thread: Brett Moore: "RE: Windows Heap Overflows In General"
Reply: Brett Moore: "RE: Windows Heap Overflows In General"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "David Litchfield" <david@ngssoftware.com>
To: <pen-test@securityfocus.com>, <vuln-dev@securityfocus.com>
Date: Mon, 2 Dec 2002 09:29:19 -0000

> *) Remember with heap based overflows you can write multiple sets of 4
> bytes. It's not the registers you are overflowing, but a structure. What
do
> the other structure bytes control? Size does matter!
> http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
> * Wheres our code at? It's not just esp that holds important variable
> locations. Where do all those other numbers point?

In the case overflowing the data section of one object into the vtable of
another object you'll be overwriting function pointers and when one is
called you can redirect program control

e.g.
call dword ptr [ecx + 14H]

It's important to remember that heap overflows isn't just about overflowing
character arrays that have been malloc()ed.

Cheers,
David Litchfield
http://www.ngssoftware.com/

Next message: Vizzy: "Re: Windows Heap Overflows In General"
Previous message: dsanchez@sanchezsantiago.com: "Re: Lotus NOTES"
In reply to: Brett Moore: "Windows Heap Overflows In General"
Next in thread: Brett Moore: "RE: Windows Heap Overflows In General"
Reply: Brett Moore: "RE: Windows Heap Overflows In General"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]