Subject: Re: Exploiting overflow of heap-based buffers
From: Chris Evans (chrisferret.lmh.ox.ac.uk)
Date: Wed May 24 2000 - 09:29:04 CDT


On Wed, 24 May 2000, Solar Designer wrote:

> > Has anyone played with this much? It's an interesting topic....
>
> I came up with a generic approach for Doug Lea's malloc, which is
> what most of our Linux boxes use. Of course, it still has some

I was just talking to a friend (Matt Kirkwood) about
malloc() implementations, since I know little about them :-)

Matt informed me that there's a class of malloc which uses free()'d areas
to store objects pointing to free heap space.

So if you can corrupt free heap space pointers, you could play interesting
games like marking the area of the stack containing the return address as
free, or marking a few function pointers used by atexit() as free.

Is your technique related to the above?

Cheers
Chris
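As an added illustration of the free-list layout Chris describes (example code, not part of the original thread): a toy allocator, constructed here and unrelated to Doug Lea's malloc, keeps its free-list link inside each freed chunk, so a write past the end of a neighbouring in-use chunk lands on that link. The bounds check in `toy_malloc` is the kind of integrity check an allocator can apply before following a link stored in free memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy free-list allocator, constructed for this example; it is not glibc or dlmalloc. */
#define ARENA_SIZE 512
#define CHUNK_SIZE 64

struct free_chunk { struct free_chunk *next; };  /* link lives inside the freed chunk */

static unsigned char arena[ARENA_SIZE];
static struct free_chunk *free_head;

/* Integrity check: a link stored in free memory must point at a chunk boundary
 * inside the arena; anything else means an overflow has rewritten it. */
static int valid_link(const struct free_chunk *p) {
    uintptr_t a = (uintptr_t)arena, q = (uintptr_t)p;
    return p == NULL || (q >= a && q < a + ARENA_SIZE && (q - a) % CHUNK_SIZE == 0);
}

void toy_init(void) {
    free_head = NULL;
    for (size_t off = ARENA_SIZE; off >= CHUNK_SIZE; off -= CHUNK_SIZE) {
        struct free_chunk *c = (struct free_chunk *)(arena + off - CHUNK_SIZE);
        c->next = free_head;          /* chunk 0 ends up at the head of the list */
        free_head = c;
    }
}

/* Returns NULL when the list is exhausted or when the link it is about to
 * follow fails the check, instead of handing out whatever the link names. */
void *toy_malloc(void) {
    struct free_chunk *c = free_head;
    if (c == NULL || !valid_link(c->next)) return NULL;
    free_head = c->next;
    return c;
}

void toy_free(void *p) {
    struct free_chunk *c = p;
    c->next = free_head;              /* the link is written into the freed chunk itself */
    free_head = c;
}

/* Failure mode from the mail: a write past the end of chunk A spills into the
 * freed neighbour B and overwrites B's link. Returns 1 if the allocator refused
 * the next allocation because the link was corrupted, 0 otherwise. */
int demo_overflow_detected(void) {
    toy_init();
    char *a = toy_malloc();           /* chunk 0 */
    char *b = toy_malloc();           /* chunk 1, adjacent to a */
    toy_free(b);                      /* b now carries a free-list link in its first bytes */
    memset(a, 'A', CHUNK_SIZE + sizeof(void *));  /* overflow a by one pointer's width */
    return toy_malloc() == NULL;      /* without the check this would return b */
}
```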