Re: Windows Heap Overflows In General

From: David Litchfield (david@ngssoftware.com)
Date: 12/02/02

  • Next message: Vizzy: "Re: Windows Heap Overflows In General"
    From: "David Litchfield" <david@ngssoftware.com>
    To: <pen-test@securityfocus.com>, <vuln-dev@securityfocus.com>
    Date: Mon, 2 Dec 2002 09:29:19 -0000
    
    

    > *) Remember with heap based overflows you can write multiple sets of 4
    > bytes. It's not the registers you are overflowing, but a structure. What
    do
    > the other structure bytes control? Size does matter!
    > http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
    > * Wheres our code at? It's not just esp that holds important variable
    > locations. Where do all those other numbers point?

    In the case overflowing the data section of one object into the vtable of
    another object you'll be overwriting function pointers and when one is
    called you can redirect program control

    e.g.
    call dword ptr [ecx + 14H]

    It's important to remember that heap overflows isn't just about overflowing
    character arrays that have been malloc()ed.

    Cheers,
    David Litchfield
    http://www.ngssoftware.com/