NOTE: It is important at this point to realize that the target to be overwritten
must be at a higher memory address than the buffer that is overflowed, which on
the heap means it must sit later in the heap than that buffer, because the heap
grows toward higher memory addresses on x86 systems.
Unlike buffer overflows, there is no saved eip on the heap to overwrite; however, there
are targets that are just as lucrative:
• Adjacent variable corruption: As demonstrated earlier, often not too
interesting unless that value held something like financial information!
• Function pointers: Used by programmers to dynamically assign functions and
control the flow of programs. Often stored in the bss segment of memory and
initialized at runtime. Other interesting function pointers can be found in the
ELF file header, as with format string attacks.
• Authentication values: Such as the effective user ID (EUID), stored on the heap by
some applications.
• Arbitrary memory locations: You will need to hit the "I believe" button
here; we will prove this later in the chapter.
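As an added illustration of the adjacent-variable and authentication-value targets listed above (my own example, not code from the book), the record below keeps a privilege value directly after a name buffer in one heap allocation, and an unchecked copy is shown next to a length-checked one; the struct layout, `set_name_unchecked`, `set_name_checked` and `euid_after_copy` are all constructed for this demo.

```c
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16
/* Heap record: name[] sits directly below the privilege value, so a copy that
 * runs past name[] lands in euid (the "adjacent variable" target). */
struct session {
    char name[NAME_LEN];
    unsigned int euid;      /* 1000 = ordinary user in this demo */
};

/* Unchecked copy, modelled on a hand-rolled strcpy: no length check at all. */
static void set_name_unchecked(struct session *s, const char *in)
{
    char *dst = s->name;
    size_t i;
    for (i = 0; in[i] != '\0'; i++)
        dst[i] = in[i];     /* keeps writing past name[] into euid */
    dst[i] = '\0';
}

/* Hardened copy: refuse input that does not fit together with its terminator. */
static int set_name_checked(struct session *s, const char *in)
{
    size_t n = strlen(in);
    if (n >= NAME_LEN)
        return -1;          /* reject; never overflow or silently truncate */
    memcpy(s->name, in, n + 1);
    return 0;
}

/* Copies a constructed name of name_len 'A' bytes into a fresh record with the
 * chosen routine and returns the euid afterwards. name_len is capped so the demo
 * never writes outside the record's own heap allocation. */
unsigned int euid_after_copy(size_t name_len, int checked)
{
    char input[sizeof(struct session)];
    struct session *s;
    if (name_len >= sizeof input)
        return 0;
    memset(input, 'A', name_len);
    input[name_len] = '\0';
    if ((s = calloc(1, sizeof *s)) == NULL)
        return 0;
    s->euid = 1000;
    if (checked) set_name_checked(s, input); else set_name_unchecked(s, input);
    unsigned int e = s->euid;
    free(s);
    return e;
}
```

A 19-byte name leaves the checked record's euid at 1000 but rewrites it through the unchecked copy, which is exactly the adjacent-variable corruption the list describes.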