Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: David Litchfield (david_at_ngssoftware.com)
Date: Mon Dec 02 2002 - 03:29:19 CST
> *) Remember with heap based overflows you can write multiple sets of 4
> bytes. It's not the registers you are overflowing, but a structure. What
> the other structure bytes control? Size does matter!
> * Wheres our code at? It's not just esp that holds important variable
> locations. Where do all those other numbers point?
In the case overflowing the data section of one object into the vtable of
another object you'll be overwriting function pointers and when one is
called you can redirect program control
call dword ptr [ecx + 14H]
It's important to remember that heap overflows isn't just about overflowing
character arrays that have been malloc()ed.