buf2 is allocated directly after
buf1. The difference between the two memory locations is calculated and printed. buf2 is
filled with As so that the overflow can be observed later, and buf2 is printed prior to the overflow.
The memset call then fills buf1 with a number of Bs calculated by adding 5 to the
difference in addresses. That is enough to overflow exactly 5 bytes beyond buf1's
boundary. Sure enough, when buf2 is printed again it demonstrates the overflow.
If compiled and executed, the following results are obtained:
# gcc -o heap1 heap1.c
# ./heap1
diff = 16 bytes
buf 2 before heap overflow = AAAAAAAAAA
buf 2 after heap overflow = BBBBBAAAAA
#
As you can see, the second buffer (buf2) was overflowed by 5 bytes after the memset
command.
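As an added example (not the book's heap1.c), the same memset scenario modelled in one owned region so the spill into buf2 is visible without undefined behaviour, placed beside a bounded write that rejects it. DIFF and BUF_LEN are assumptions chosen to match the printed output above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the heap1.c layout: one backing region stands in for the two
 * adjacent malloc'd chunks, so the "overflow" from buf1 into buf2 stays inside
 * memory we own while showing the same clobbering the book's output shows.
 * DIFF mirrors the printed "diff = 16"; BUF_LEN is the 10 bytes shown. */
#define DIFF 16
#define BUF_LEN 10

/* Unsafe fill: writes n bytes from buf1 with no regard for its capacity.
 * Copies buf2's contents (NUL-terminated) into out afterwards. */
void overflow_model(size_t n, char out[BUF_LEN + 1]) {
    char *region = calloc(DIFF + BUF_LEN + 1, 1);
    char *buf1 = region;
    char *buf2 = region + DIFF;      /* buf2 sits DIFF bytes after buf1 */
    memset(buf2, 'A', BUF_LEN);      /* buf2 = AAAAAAAAAA */
    memset(buf1, 'B', n);            /* n > DIFF spills into buf2 */
    memcpy(out, buf2, BUF_LEN + 1);  /* trailing byte is still 0 */
    free(region);
}

/* Hardened fill: refuse any write larger than the destination's capacity.
 * Returns 0 on success, -1 if the write was rejected (nothing written). */
int bounded_memset(char *dst, size_t dst_cap, int c, size_t n) {
    if (n > dst_cap) return -1;
    memset(dst, c, n);
    return 0;
}

/* Same scenario with the bounded write: buf2 must stay intact. */
void guarded_model(size_t n, char out[BUF_LEN + 1], int *rejected) {
    char *region = calloc(DIFF + BUF_LEN + 1, 1);
    char *buf1 = region, *buf2 = region + DIFF;
    memset(buf2, 'A', BUF_LEN);
    *rejected = bounded_memset(buf1, BUF_LEN, 'B', n) != 0;
    memcpy(out, buf2, BUF_LEN + 1);
    free(region);
}

int main(void) {
    char a[BUF_LEN + 1], b[BUF_LEN + 1];
    int rejected;
    overflow_model(DIFF + 5, a);              /* unsafe: BBBBBAAAAA */
    guarded_model(DIFF + 5, b, &rejected);    /* guarded: AAAAAAAAAA */
    printf("unsafe : buf2 = %s\n", a);
    printf("guarded: buf2 = %s (write rejected = %d)\n", b, rejected);
    return 0;
}
```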
Figure 8-2: Diagram of a process heap
Gray Hat Hacking: The Ethical Hacker's Handbook
182
Implications
This is a very basic example, but it serves to illustrate the problem at hand. In fact, the concept
behind this basic example is the basis of all heap overflow vulnerabilities and exploits.
To make matters worse, the data and bss sections of memory are also susceptible to this
type of overflow. Since they sit next to the heap in memory, they are often presented
along with heap overflows.