Heap based overflows!

When I first heard about this category of overflow attacks I found it interesting, since I could not understand whether it could be maliciously exploited by any ‘so called’ hack3rs. The logic behind my thought was: how can you execute code in the data section? In the case of stack overflows, the vulnerable point is the return address. Here hack3rs do not have that freedom.

My thought was correct, but that does not prevent exploitation of a vulnerability that exists due to a heap based overflow, and one very simple example can be found in Jon Erickson’s ‘Hacking – The Art of Exploitation’.

What is a ‘Heap based overflow’?

Every program, when it executes, is called a process. A process in memory can be divided into some subsections:

  • text (or code)
  • data (or initialized global variables)
  • bss  (or uninitialized global variables; the name is historical)
  • heap (dynamically allocated memory areas)
  • stack

The stack grows from higher memory addresses to lower ones and the heap grows from lower to higher, so they grow towards each other. Intelligent design.

The heap is a linked list of free and used memory blocks that the operating system’s allocator consults for allocation and deallocation of memory. Now, when we allocate two variables we get memory areas that are *some* bytes apart, e.g.

char *p = (char *) malloc (10);
char *q = (char *) malloc (10);

So p will have some address, say 0x80498d0, and q will have some address, say 0x80498e8, so these are 24 bytes apart. Say our code did something like:

strcpy(q, "/tmp/myfile");
strcpy(p, argv[1]);          /* user input copied with no length check */

FILE *fp;                    /* defined at the beginning of the program */

fp = fopen(q, "a");
if (!fp) {
        /* error: report it and return */
        return 1;
}
fprintf(fp, "%s\n", p);

This nice little program will write the contents of ‘p’ to the file named by ‘q’. This is perhaps what I intend to do. But this will work fine only in the cases where the user given input in ‘p’ is <24 bytes. Once it is 24 bytes or more it overwrites the memory allocated to ‘q’, and the program returns from the error check after the ‘fopen’ call itself.
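As an added example that is not from the post or from the book, here is a hardened form of the routine above in C: the two adjacent allocations and the fopen/fprintf sequence are kept, but every copy into a heap buffer is length-checked, so user input can never run on into the neighbouring chunk. BUF_SIZE, copy_bounded and append_record are names chosen here, and the buffer size is an assumption (the post uses malloc(10)).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of both heap buffers (the post uses malloc(10); 16 is used
 * here so the fixed filename fits with room to spare). */
#define BUF_SIZE 16

/* Bounded replacement for the post's strcpy(p, argv[1]). Copies src into dst
 * only when it fits including the terminating NUL; otherwise dst is left
 * untouched and the caller is told, instead of the copy running on into the
 * next chunk (the post's q). Returns 0 on success, -1 if src is too long. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened form of the post's routine: same two allocations, same
 * fopen/fprintf, but every copy is length-checked and over-long input is
 * rejected outright rather than silently truncated. Returns 0 on success,
 * -1 for an over-long path or input, -2 if the file cannot be opened,
 * -3 on allocation failure. */
int append_record(const char *path, const char *input)
{
    char *p = malloc(BUF_SIZE);
    char *q = malloc(BUF_SIZE);
    FILE *fp;
    int rc = 0;

    if (!p || !q) {
        free(p);
        free(q);
        return -3;
    }
    if (copy_bounded(q, BUF_SIZE, path) != 0 ||
        copy_bounded(p, BUF_SIZE, input) != 0) {
        rc = -1;                /* refused before any byte reaches q */
    } else if ((fp = fopen(q, "a")) == NULL) {
        rc = -2;
    } else {
        fprintf(fp, "%s\n", p); /* p is guaranteed NUL-terminated and in bounds */
        fclose(fp);
    }
    free(p);
    free(q);
    return rc;
}
```

Rejecting rather than truncating matters: a silently shortened filename or record is still attacker-influenced data reaching fopen.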

But so what? What _bad_ can he do??

Well, my dear, this file can be /tmp/etc/passwd, which _may_ be created as a symlink to /etc/passwd, and the 24 byte user string can be


Still not getting how to make it? Read ‘Hacking – The Art of Exploitation’ or search for some keywords on your favourite search engine (I have stopped advertising for a *search engine company* for free).

It’s hard to fight heap based overflows without compromising the performance of the system.

have a nice day.