Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/binary-exploitation/heap/heap-overflow.md
CPol c7aecef3b4
GITBOOK-4307: No subject
2024-04-10 15:24:02 +00:00

3.6 KiB
Raw Blame History

Heap Overflow

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

A heap overflow is like a stack overflow but in the heap. Basically it means that some space was reserved in the heap to store some data and stored data was bigger than the space reserved.

In stack overflows we know that some registers like the instruction pointer or the stack frame are going to be restored from the stack and it could be possible to abuse this. In case of heap overflows, there isn't any sensitive information stored by default in the heap chunk that can be overflowed. However, it could be sensitive information or pointers, so the criticality of this vulnerability depends on which data could be overwritten and how an attacker could abuse this.

{% hint style="success" %} In order to find overflow offsets you can use the same patters as in stack overflows. {% endhint %}

Example ARM64

In the page https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/ you can find a heap overflow example where a command that is going to be executed is stored in the following chunk from the overflowed chunk. So, it's possible to modify the executed command by overwriting it with an easy exploit such as:

python3 -c 'print("/"*0x400+"/bin/ls\x00")' > hax.txt
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: