The uppermost memory location is called the wilderness
and is always free. The wilderness is the only chunk that can get bigger as needed.
The fundamental rule of the heap is that no two adjacent chunks can be free.
As is seen in Figure 8-2, two adjacent chunks can be allocated and hold data. If a
buffer overflow exists and the first chunk (lower) is overflowed, it will overwrite the second
chunk (higher).
Gray Hat Hacking: The Ethical Hacker's Handbook, Part III, pp. 180-181
Chapter 8: Advanced Linux Exploits
Example Heap Overflow
For example, examine the following vulnerable program:
# cat heap1.c
//heap1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>   /* u_long, u_int */
#define BUFSIZE 10       // set up a constant value for use later
#define OVERSIZE 5       /* overflow buf2 by OVERSIZE bytes */
int main(){
    u_long diff;
    char *buf1 = (char *)malloc(BUFSIZE);   // allocate 10 bytes on heap
    char *buf2 = (char *)malloc(BUFSIZE);   // allocate 10 bytes on heap
    diff = (u_long)buf2 - (u_long)buf1;     // calc the difference in the heap
    printf("diff = %lu bytes\n", diff);     // print the diff in decimal bytes
    strcpy(buf2, "AAAAAAAAAA");             // fill buf2 first, so we can see overflow
    printf("buf 2 before heap overflow = %s\n", buf2);   // before
    memset(buf1, 'B', (u_int)(diff + OVERSIZE));         // overflow buf1 with 'B's
    printf("buf 2 after heap overflow = %s\n", buf2);    // after
    return 0;
}
The program allocates two 10-byte buffers on the heap.
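A bounds-checked counterpart of heap1.c, added here as an example rather than the book's code (bounded_fill and adjacent_write_is_contained are hypothetical names): it keeps the same two adjacent 10-byte chunks but limits the write into buf1 to the size that was actually allocated, so the 'B's can no longer reach buf2's chunk.

```c
/* heap1_fixed.c: the two-buffer layout of heap1.c, but each write into buf1
 * is checked against the size actually allocated (helper names are mine). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUFSIZE 10
/* Write n bytes of c into dst (capacity cap). Returns 0, or -1 and writes
 * nothing when n > cap: the check that heap1.c's memset lacks. */
int bounded_fill(char *dst, size_t cap, int c, size_t n)
{
    if (dst == NULL || n > cap)
        return -1;
    memset(dst, c, n);
    return 0;
}

/* Allocate two adjacent BUFSIZE chunks, mark buf2, try to write `attempt`
 * bytes into buf1 via bounded_fill. Returns 1 if buf2 is intact, 0 if it
 * was clobbered, -1 on allocation failure; *diff_out (may be NULL) gets
 * the distance between the allocations that heap1.c prints as "diff". */
int adjacent_write_is_contained(size_t attempt, long *diff_out)
{
    char *buf1 = malloc(BUFSIZE);
    char *buf2 = malloc(BUFSIZE);
    if (buf1 == NULL || buf2 == NULL) {
        free(buf1);
        free(buf2);
        return -1;
    }
    if (diff_out != NULL)
        *diff_out = (long)((uintptr_t)buf2 - (uintptr_t)buf1);
    memset(buf2, 'A', BUFSIZE - 1);
    buf2[BUFSIZE - 1] = '\0';
    /* heap1.c does memset(buf1, 'B', diff + OVERSIZE) here; an oversized
     * request is now refused instead of spilling into buf2's chunk. */
    (void)bounded_fill(buf1, BUFSIZE, 'B', attempt);
    int intact = (strcmp(buf2, "AAAAAAAAA") == 0);
    free(buf2);   /* safe: no chunk header was overwritten */
    free(buf1);
    return intact;
}
int main(void)
{
    long diff = 0;
    int ok = adjacent_write_is_contained(BUFSIZE + 5, &diff);
    printf("diff = %ld bytes, buf2 intact: %s\n", diff, ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```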