
Re: Windows Heap Overflows In General

Monday, December 02, 2002, 2:03:04 AM, you wrote:

BM> *) Remember with heap based overflows you can write multiple sets of 4
BM> bytes. It's not the registers you are overflowing, but a structure. What do
BM> the other structure bytes control? Size does matter!
Well, it's not always possible.

What if you can overwrite only one free chunk structure?
Then the possibility to overwrite the chosen 4 bytes will occur in a call to free(),
when *BK (previous free chunk pointer) would be replaced with the offset to a
newly free()'ed one, containing our supplied data.

have phun,
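
The write described in the reply goes through a back pointer read from a free chunk's header, so a list-consistency check before that write is one way for an allocator to catch the corruption. The C sketch below is an added example, not part of the original post and not the Windows heap manager's code; the struct layout and the names `list_init`, `checked_insert` and `demo` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified free-chunk header: list links only (assumed layout,
 * not the real Windows heap structure). */
struct chunk {
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* Turn a sentinel head into an empty circular list. */
void list_init(struct chunk *head) { head->fd = head->bk = head; }

/* Link a newly freed chunk `c` in front of `next`, as free() would.
 * The write `prev->fd = c` goes through next->bk, so next->bk is
 * validated first: an intact list always has next->bk->fd == next.
 * Returns 0 on success, -1 if the neighbour's links are inconsistent. */
int checked_insert(struct chunk *next, struct chunk *c) {
    struct chunk *prev = next->bk;
    if (prev == NULL || prev->fd != next)
        return -1;              /* corrupted header: refuse to write */
    c->fd = next;
    c->bk = prev;
    prev->fd = c;
    next->bk = c;
    return 0;
}

/* Constructed scenario. Returns 1 if intact inserts succeed and an
 * insert next to a chunk with a redirected bk is rejected, leaving
 * the object outside the list untouched. */
int demo(void) {
    struct chunk head, a, b, fresh;
    struct chunk unrelated = { NULL, NULL };  /* memory outside the list */
    list_init(&head);
    if (checked_insert(&head, &a) != 0) return 0;   /* head <-> a */
    if (checked_insert(&head, &b) != 0) return 0;   /* head <-> a <-> b */
    if (a.fd != &b || b.bk != &a || head.bk != &b) return 0;

    b.bk = &unrelated;          /* simulate overflow damage to b's header */
    if (checked_insert(&b, &fresh) != -1) return 0;
    return unrelated.fd == NULL && unrelated.bk == NULL && a.fd == &b;
}

int main(void) {
    printf("corrupted insert rejected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```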