Vulnerability Development mailing list archives
Re: Windows Heap Overflows In General
From: "David Litchfield" <david () ngssoftware com>
Date: Mon, 2 Dec 2002 09:29:19 -0000
> *) Remember with heap based overflows you can write multiple sets of 4 bytes. It's not the registers you are overflowing, but a structure. What do the other structure bytes control? Size does matter! http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
>
> * Where's our code at? It's not just esp that holds important variable locations. Where do all those other numbers point?
In the case of overflowing the data section of one object into the vtable of another object, you'll be overwriting function pointers, and when one is called you can redirect program control, e.g. call dword ptr [ecx + 14H]. It's important to remember that heap overflows aren't just about overflowing character arrays that have been malloc()ed.

Cheers,
David Litchfield
http://www.ngssoftware.com/
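An added illustration of the object-into-vtable case David describes, written for this archive page and not taken from his post or from NGSSoftware: a C model of two adjacent objects whose first slot is a vtable pointer, with an unbounded setter beside a length-checked one, and a check on whether the neighbour's vtable pointer survives the copy. Widget, arena, set_name_unchecked, set_name_checked, vtable_survives and dispatch_length are constructed names for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a C++ object: a vtable pointer in the first slot,
   followed by instance data (the array that gets overflowed). */
typedef struct Widget Widget;
typedef int (*method_fn)(const Widget *);
struct Widget {
    const method_fn *vtable;
    char name[16];
};
static int name_length(const Widget *w) { return (int)strlen(w->name); }
static const method_fn widget_vtable[] = { name_length };

/* Two objects adjacent in memory, standing in for neighbouring heap chunks:
   a write past arena[0].name lands on arena[1].vtable. */
static Widget arena[2];
static void reset_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0].vtable = widget_vtable;
    arena[1].vtable = widget_vtable;
}
/* Vulnerable setter: copies a caller-supplied length into the field's raw
   bytes with no bound, the way a chunk-level memcpy would. */
static void set_name_unchecked(Widget *w, const char *src, size_t len) {
    memcpy((unsigned char *)w + offsetof(Widget, name), src, len);
}
/* Hardened setter: rejects anything that does not fit with a terminator. */
static int set_name_checked(Widget *w, const char *src, size_t len) {
    if (len >= sizeof w->name) return -1;
    memcpy(w->name, src, len);
    w->name[len] = '\0';
    return 0;
}
/* Writes sizeof(Widget) bytes of 'A' into arena[0].name and reports whether
   the neighbour's vtable pointer survived (1) or was clobbered (0). */
static int vtable_survives(int use_checked) {
    char input[sizeof(Widget)];
    reset_arena();
    memset(input, 'A', sizeof input);
    if (use_checked) set_name_checked(&arena[0], input, sizeof input);
    else set_name_unchecked(&arena[0], input, sizeof input);
    return arena[1].vtable == widget_vtable;
}
/* Virtual dispatch through the first slot (the "call [ecx+offset]" pattern)
   after a checked set; returns -1 if the name was rejected. */
static int dispatch_length(const char *name) {
    reset_arena();
    if (set_name_checked(&arena[0], name, strlen(name)) != 0) return -1;
    return arena[0].vtable[0](&arena[0]);
}
```

After the unchecked copy, arena[1].vtable no longer points at widget_vtable, so the next virtual call on that object dereferences attacker-controlled bytes; the checked setter refuses the oversized input and the pointer is untouched.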
Current thread:
- Windows Heap Overflows In General Brett Moore (Dec 02)
- Re: Windows Heap Overflows In General David Litchfield (Dec 02)
- RE: Windows Heap Overflows In General Brett Moore (Dec 02)
- Re: Windows Heap Overflows In General Vizzy (Dec 02)
- Re: Windows Heap Overflows In General David Litchfield (Dec 02)