Re: Windows Heap Overflows In General

From: Vizzy (vizzyat_private)
Date: Mon Dec 02 2002 - 04:49:52 PST


    Monday, December 02, 2002, 2:03:04 AM, you wrote:
    
    BM> *) Remember with heap based overflows you can write multiple sets of 4
    BM> bytes. It's not the registers you are overflowing, but a structure. What do
    BM> the other structure bytes control? Size does matter!
    Well, it's not always possible.
    
    What if you can overwrite only one free chunk structure?
    Then, the possibility to overwrite chosen 4 bytes will occur in a call to free(),
    when *BK (previous free chunk pointer) would be replaced with the offset to a
    newly free()'ed one, containing our supplied data.
    
    -- 
    have phun,
     Vizzy 
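
The mechanism described in this message, as an added example that is not part of the original post: a toy doubly linked free list in C where one chunk's BK field is simulated as overwritten, shown beside a link routine that checks the back pointer before writing. The struct layout, function names and the `decoy` target are assumptions made for illustration; this is a simplified model, not the Windows heap manager's code.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy free-chunk header: fd = next free chunk, bk = previous free chunk. */
struct chunk { struct chunk *fd, *bk; };

/* Link newly freed chunk c in front of free chunk next, trusting next->bk. */
static void link_unchecked(struct chunk *c, struct chunk *next) {
    c->fd = next;
    c->bk = next->bk;
    next->bk->fd = c;   /* *BK is replaced with the address of c */
    next->bk = c;
}

/* Same operation, but refuse to write if next->bk does not point back. */
static int link_checked(struct chunk *c, struct chunk *next) {
    if (next->bk == NULL || next->bk->fd != next)
        return -1;      /* free-list metadata is inconsistent: stop */
    link_unchecked(c, next);
    return 0;
}

/* Constructed scenario: decoy is a harmless stand-in for the chosen 4 bytes. */
static struct chunk head, victim, fresh, decoy;

static void setup(int corrupt) {
    head.fd = &victim; head.bk = &victim;
    victim.fd = &head; victim.bk = &head;
    decoy.fd = NULL;   decoy.bk = NULL;
    if (corrupt)
        victim.bk = &decoy;   /* simulated overwrite of one chunk's BK */
}

/* 1 if the unchecked link wrote the new chunk's address into decoy. */
int demo_unchecked(void) { setup(1); link_unchecked(&fresh, &victim); return decoy.fd == &fresh; }
/* 1 if the checked link refused and decoy stayed untouched. */
int demo_checked(void) { setup(1); return link_checked(&fresh, &victim) == -1 && decoy.fd == NULL; }
/* 1 if the checked link still works on an intact list. */
int demo_clean(void) { setup(0); return link_checked(&fresh, &victim) == 0 && head.fd == &fresh; }

int main(void) {
    printf("unchecked wrote through BK: %d\n", demo_unchecked());
    printf("checked link refused:       %d\n", demo_checked());
    printf("checked link, clean list:   %d\n", demo_clean());
    return 0;
}
```

The value written through the corrupted BK is the address of the newly freed chunk, not an arbitrary value, which is the constraint the message points out for the single-chunk case.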
    


