Issue
Hi I'm trying to understand how heap overflows work and I've been reading this article which seems very foggy to me. Below is the page of the article that I am stuck on.
http://www.h-online.com/security/features/A-Heap-of-Risk-747224.html
My understanding ceases after the second half of page 4 in the link. They implement their own heap manager on page 2 which may also be useful. The figure bellow represents the heap data structure after string copy to image data (hopefully this is right).
Root = Hdr Free Memory
_________________ ________________
|*Next = 0xF |----------->0xF|*Next = "AAAA" |
------------------- ------------------
|*Previous = NULL | |*Previous="AAAA"|
------------------- ------------------
|Size = 0 | |Size = "AAAA" |
------------------- ------------------
|Used = 0 | |Used = "AAAA" |
------------------- ------------------
|Free Mem Data |
(Let Root start at 0x0. Also each field is 32 bits and thus 4 bytes wide. "AAAA" stands for the string "AAAA" where each 'A' is a character and therefor one byte of memory.)
From the tutorial they say that when memory is supposedly freed, the function Free_Heap() will want to read from the address "AAAA" = 0x4141414d. There explanation is that the "used" field is an offset of 12 bytes from the beginning of the header section and thus 0x41414141 + 0xc = 0x4141414d. To me that explanation makes no sense for the following reasons.
A) Why would Free_Heap() even try to read from the address in the "used" field when that value only tells Free_Heap() whether or not the data on the heap structure is being used. Unless the "used" field is a pointer to the actual data being written (which is not mentioned in the tutorial), this would not make any sense to me.
B) Assuming that the used field in the heap struct really is a pointer to the data that may be written to, why would the offset have anything to do with from where the heap should be read from? May be if the data section was located right after "used" pointer field (like in a stack), then that would mean that data should be placed at an offset of 0xf and not 0xc so that the data does not overwrite the "used" field.
Thanks for any helpful input to clear this up.
Solution
That part of the article seems either wrong or just really badly written. Although it will read hdr->next->used
to check whether the follow-on memory object is in use, as you say, its used
and size
fields will be 0x41414141, so we won't try to merge with it. Still, the setup is fine, you will shortly afterwards dereference one of those pointers: when freeing the 'line' memory object (the one whose header we stomped), it will attempt to check if its next
and prev
memory blocks are in use. Dereferencing either of those pointer fields will crash or be actively exploited.
Answered By - pmdj