description: 10/16/2023

Heap-based Buffer Overflows

Introduction

Essentially, a heap-based buffer overflow is a buffer overflow that occurs in the heap portion of memory (the region handed out by malloc() and returned with free()) rather than on the stack.

Exploitation

Exploitation is possible by overwriting adjacent heap metadata and data, such as:

  • Objects
  • Structs
  • Function Pointers
  • etc.

This can result in memory corruption and code execution.

Example

heap-overflow.c:

```c
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *ptr1, *ptr2;

    if (argc < 2)
        return 1;

    ptr1 = malloc(512);    /* two consecutive 512-byte chunks, normally adjacent on the heap */
    ptr2 = malloc(512);

    strcpy(ptr1, argv[1]); /* no length check: an argv[1] longer than 512 bytes spills into ptr2's chunk */

    free(ptr2);
    free(ptr1);

    return 0;
}
```

When free(ptr2) is executed, the memory manager will abort or otherwise misbehave, because the overflow from ptr1 has overwritten the chunk metadata that sits in front of ptr2's data.

Heap-Based Buffer Overflow w/ malloc() & strcpy()

```c
strcpy(b->buffer, argv[1]); /* unbounded copy into b's heap buffer; the overflow spills into the adjacent chunk f */

f->fp();                    /* if f's function pointer was overwritten, control transfers to the overwritten value */
```

If you are able to overwrite the function pointer (fp), you can replace it with the address of whatever you want called, and that address will be called because fp is dereferenced as a pointer.

This works because the overflow gives you control of the pointer's value.
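As an added example (not code from the original note), the two snippets above combined into one self-contained program: a buffer chunk placed directly before a chunk holding a function pointer, the unbounded strcpy that corrupts fp, and a bounded copy that prevents it. The struct names, unsafe_copy() and the sample input are constructed for the example; the corrupted pointer is compared against its expected value, never called.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16

/* Constructed layout: a chunk holding only a fixed buffer, immediately followed
 * by a chunk holding only a function pointer. One struct makes the adjacency
 * deterministic; a real allocator usually places consecutive small chunks this way. */
struct buf_chunk   { char buffer[BUF_SIZE]; };
struct fp_chunk    { void (*fp)(void); };
struct heap_layout { struct buf_chunk b; struct fp_chunk f; };

static void benign(void) { }

/* The bug from the text: an unbounded copy into a heap buffer. Kept in its own
 * (hypothetical) sink function so the compiler cannot see the destination size. */
__attribute__((noinline)) static void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Vulnerable path. Returns 1 if f->fp still points at benign() afterwards,
 * 0 if the copy spilled out of b->buffer and corrupted the adjacent pointer. */
int copy_unbounded(const char *input)
{
    struct heap_layout *h = malloc(sizeof *h);
    h->f.fp = benign;
    unsafe_copy(h->b.buffer, input);          /* bytes past BUF_SIZE land in h->f */
    int intact = (h->f.fp == benign);
    free(h);
    return intact;
}

/* Hardened path: check the length first and fail closed.
 * Returns -1 when the input is rejected, 1 when copied with fp intact. */
int copy_bounded(const char *input)
{
    struct heap_layout *h = malloc(sizeof *h);
    h->f.fp = benign;
    size_t len = strlen(input);
    if (len >= BUF_SIZE) { free(h); return -1; } /* no room for the bytes plus NUL */
    memcpy(h->b.buffer, input, len + 1);
    int intact = (h->f.fp == benign);
    free(h);
    return intact;
}

/* Constructed input: 18 bytes, longer than BUF_SIZE but still inside the layout. */
const char LONG_INPUT[] = "AAAAAAAAAAAAAAAAAA";
```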

Metadata Corruption

This results in modifying or overwriting the allocator's metadata and arranging the heap so that it points to your shellcode.

More Coming Soon!