Re: Windows Heap Overflows In General

["David Litchfield" <david () ngssoftware com>]

> *) Remember with heap based overflows you can write multiple sets of 4
> bytes. It's not the registers you are overflowing, but a structure. What
do
> the other structure bytes control? Size does matter!
> http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0105.html
> * Wheres our code at? It's not just esp that holds important variable
> locations. Where do all those other numbers point?

In the case overflowing the data section of one object into the vtable of
another object you'll be overwriting function pointers and when one is
called you can redirect program control

e.g.
call dword ptr [ecx + 14H]

It's important to remember that heap overflows isn't just about overflowing
character arrays that have been malloc()ed.

Cheers,
David Litchfield
http://www.ngssoftware.com/