
Questions tagged [heap-overflow]

A heap overflow is a class of memory corruption occurring on the heap. It can potentially be used to exploit the faulty program.

2 votes
1 answer
330 views

This is with reference to Max Kamper's video on GLIBC heap exploitation and these articles I read https://www.crow.rip/crows-nest/binexp/heap/house-of-force-i https://www.crow.rip/crows-nest/binexp/...
localacct • 209
0 votes
1 answer
289 views

I tried to google this topic but most of the results conflict with each other. On the other side, I found a case where I can use either stack (local variable) or heap for a dynamic string. It's C by the ...
Thor-x86_128
20 votes
6 answers
11k views

I'm learning about basic x86 overflows in C but normally I code with Python. Is there any way that programs written in higher-level languages can suffer from buffer/heap overflow?
blank • 235
1 vote
1 answer
1k views

I'm stuck on the Heap1 challenge from Exploit Education. After compiling the source code on a 64-bit system, without any security mechanism, I try to overflow the heap in order to overwrite the main ...
rme • 21
1 vote
0 answers
278 views

The classic malloc overflow, of overwriting pointers in a free chunk, to cause free() unlink to overwrite an arbitrary location with an arbitrary value, is no longer possible with modern glibc (...
SRobertJames
1 vote
1 answer
900 views

The following questions regard Linux processes with a stack that grows downwards from the end of the process memory. If I have a buffer overflow on the heap with unlimited size, are there any ...
anon11 • 11
1 vote
2 answers
302 views

One of the recent CVEs, particularly 2019-13615, related to VLC media player, attracted my attention because of the developer reaction: Any non-exploitable read overflow gets a CVSS of 9.8, like VLC is a ...
Croll • 163
0 votes
1 answer
506 views

I found an interesting blog post, A Deep Analysis of the Microsoft Outlook Vulnerability CVE-2018-8587, about a Microsoft Outlook heap buffer overflow vulnerability, which describes how Microsoft ...
Awaaaaarghhh
1 vote
1 answer
780 views

With return-oriented programming, when we fill a buffer with the stack contents (arguments and return addresses) for the function calls we plan on "injecting," how do we actually change the stack ...
user9355495
1 vote
0 answers
177 views

There is a 32-bit Linux application. It's possible to overwrite EIP easily. I will call this process: "send a string". It's also possible to send about 10000 custom bytes to the heap (it's possible to ...
Semen Lyhin
1 vote
0 answers
366 views

I am really trying to understand the concept of the attack made possible by the code given below. I notice that strcpy is being used, which does not perform any boundary checks and therefore enables ...
user503842
1 vote
0 answers
140 views

I am practicing my heap exploit skills with the following website: http://hatriot.github.io/blog/2014/09/21/protostar-heap-exploits/. But under the title of the heap 3 exploit, I did not understand with what ...
popo • 71
1 vote
2 answers
9k views

It is my current understanding that in order to successfully exploit a stack-based buffer overflow vulnerability, we must first overflow the buffer, thus overwriting the return pointer and gaining ...
Henry F • 636
1 vote
1 answer
261 views

If I call malloc and then overflow the buffer I created, I am then writing to unused memory. Is there any security impact from me being able to do so? I would think you'd want to call malloc twice, ...
returneax • 572
1 vote
0 answers
426 views

Local-only filesystems (like ntfs or btrfs) consist of many data structures that require very complex code to parse them. So, such filesystems, if implemented in user space, can suffer from buffer ...
user2284570 • 1,512
2 votes
1 answer
973 views

Program code (with Pseudo code part): #include <stdio.h> #include <stdlib.h> int main(int argc, char** argv) { int controlled1=10; int controlled2=20; int controlled3=300; //test.bin ...
dev • 1,007
4 votes
2 answers
1k views

I'm doing a demonstration of memory corruption attacks, and would like to show some working examples of exploits that feature heap corruption (such as use-after-free). My requirements are: A working ...
SRobertJames
0 votes
1 answer
593 views

I am trying to understand how the malloc implementation in glibc is working. According to the source code of malloc (malloc.c in glibc 2.23) free memory chunks have the following structure. chunk-...
Dennis • 111
2 votes
1 answer
360 views

Wikipedia's article on Heap Overflow states: there are primarily three ways to protect against heap overflows. Several modern operating systems such as Windows and Linux provide some ...
Protector one
5 votes
1 answer
1k views

I have a stl::vector (VS 2010 SP1, x86) out-of-bounds read access attempt that causes a crash on only three Windows 10 systems. It is completely reproducible on those systems, but cannot be ...
Patrick • 151
1 vote
1 answer
2k views

I'm following the Stanford CS155 security lesson's presentation to learn about integer overflow. I learned today that the memcpy() function may lead to overflow. The presentation says, if I have code something ...
green • 11
13 votes
1 answer
9k views

I found a heap overflow exploit for a vulnerability in git servers. This led to lucrative operations on various bug bounty programs (GitHub already promised to put me in their top 10). When it was ...
user2284570 • 1,512
2 votes
1 answer
1k views

I'm missing a part of the process for preparing a payload for an overflow exploit. To crash a program using an overflow vulnerability, let's say on the heap: how can we control the memory address it ...
some_id • 385
2 votes
2 answers
2k views

I am trying to understand how "Integer Overflow" happens here and how it works. The vulnerability exists in the chunk of “tx3g”. Chunk_size is the unit which overflows the sum of size. That's to say, ...
dev • 1,007
2 votes
0 answers
697 views

I want to write a Proof-of-Concept to exploit any heap-based vulnerability (e.g. heap overflow, use-after-free) where my ROP (return-to-programming, a kind of code-reuse attack) payload is deployed ...
Matthewxie
2 votes
1 answer
1k views

I have been trying to exploit the heap overflow vulnerability for the program below, I am running Linux 14.04. #include <stdio.h> #include <string.h> #include <stdlib.h> int n = 5; ...
user10012 • 191
9 votes
2 answers
927 views

I'm trying to learn about buffer overflow attacks, both on the stack and on the heap. However, I'm confused about when it's possible to determine the address of the buffer. The classic "Smashing the ...
lily • 977
0 votes
3 answers
932 views

Today malware is mainly spread thanks to vulnerabilities exploited in browsers and their plugins. The attackers use JavaScript to target those vulnerabilities. Two examples of such attacks are drive-...
0 votes
1 answer
2k views

Since a canary is used by gcc to prevent stack overflow (e.g. -fstack-protector), I am wondering whether glibc uses a canary-based approach to defend against heap buffer overflow? For example, this paper proposes ...
ZillGate • 362
4 votes
2 answers
3k views

I'm wondering if anyone has previously proposed, evaluated, or deployed the following measure to harden systems against heap-based buffer overruns: basically, stack canaries, but applied before ...
D.W. • 101k
1 vote
2 answers
2k views

Are heap spray exploits possible, if the process we're attacking is a 64-bit process? Naively, it seems like the 64-bit address makes it difficult to mount a heap spray: to fill all (or a significant ...
D.W. • 101k
4 votes
2 answers
761 views

If I understand the heartbleed vulnerability correctly, only the heap of the OpenSSL process can be retrieved by an attacker (or part of it, depending on the memory allocation type that is used). Then, how ...
ack__ • 2,768
1 vote
2 answers
348 views

Can somebody explain the different steps to produce a heapspray attack (what are the needed vulnerabilities in the targeted software, what are the limitations of such technique, how to proceed, ...) ...
perror • 923
4 votes
3 answers
1k views

Do all new OSes implement the no-execute bit in order to overcome vulnerabilities that could be used to execute malicious code? For example, is it implemented in Win7? Does that mean that the ...
Adban • 259
1 vote
1 answer
1k views

For a heap overflow to occur and arbitrary code to be executed, the function free() performs the step: hdr->next->next->prev = hdr->next->prev. I understand that the address of hdr-&...
sudhacker • 4,360