Heap overflows provide a classic example of the distinction between preconditions and postconditions. In a heap overflow, all of the conditions to set up the exploit are satisfied when your input overflows a heap-allocated buffer. With the heap buffer properly overflowed, it still remains to trigger the heap operation that will utilize the control structures you have corrupted, which in itself usually only gives us an arbitrary overwrite. Since the goal in an overwrite is often to control a function pointer, you must further understand what functions will be called after the overwrite takes place in order to properly select which pointer to overwrite. In other words, it does us no good to overwrite the .got address of the strcmp() function if strcmp() will never be called after the overwrite has taken place. At a minimum, a little study is needed.
Gray Hat Hacking: The Ethical Hacker's Handbook
466
Another example is the situation where a vulnerable buffer is being processed by a function other than the one in which it is declared. The pseudo-code that follows provides an example in which a function foo() declares a buffer and asks function bar() to process it. It may well be the case that bar() fails to do any bounds checking and overflows the provided buffer (strcpy() is one such function), but the exploit is not triggered when bar() returns.
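The caller/callee split described above, as an added C example that is not the book's pseudo-code: foo() owns the buffer and delegates to bar(), and bar() as written in the text cannot bounds-check because it never learns the capacity, whereas bar_checked() shows the fix of passing the capacity along with the pointer. The names foo() and bar() come from the text; FOO_BUF_SIZE, bar_checked() and the return conventions are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for the example; any fixed size shows the point. */
#define FOO_BUF_SIZE 16

/* bar() as the text describes it: the callee receives only a pointer, so
 * it has no way to know the capacity and strcpy() writes until src ends.
 * Input of FOO_BUF_SIZE bytes or more corrupts whatever follows the buffer
 * in foo()'s frame, yet nothing visible happens here: the corrupted data
 * is only used later, after bar() has already returned. Shown for
 * contrast; not called by foo() below. */
void bar(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened bar(): the capacity travels with the pointer, and the callee
 * refuses any input that would not fit together with its terminating NUL.
 * Returns 0 on success, -1 when the input is rejected. */
int bar_checked(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0 || n >= cap)
        return -1;              /* would overflow: n bytes + NUL > cap */
    memcpy(dst, src, n + 1);    /* copy including the NUL */
    return 0;
}

/* foo() declares the buffer and delegates processing, passing sizeof buf
 * so the callee can enforce the bound the declarer knows about.
 * Returns 0 when the input was copied, -1 when it was too long. */
int foo(const char *input) {
    char buf[FOO_BUF_SIZE];
    if (bar_checked(buf, sizeof buf, input) != 0)
        return -1;
    return 0;
}

/* The longest input foo() accepts: one byte is reserved for the NUL. */
size_t foo_max_input_len(void) {
    return FOO_BUF_SIZE - 1;
}
```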