May 17, 2005

Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass

Author: Alexander Anisimov

Heap Overflow
Let's take a look at this pretty simple example of a vulnerable function:

As we can see here, the vulner() function copies data from the string pointed to by str into an allocated memory block pointed to by buf, without any bounds check.

A string longer than 127 bytes passed to it will therefore overwrite the data adjacent to this memory block (which is, in fact, the header of the following memory block).
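As an added illustration (not the paper's vulner() code, which this page does not reproduce), the C below computes how many bytes an unchecked copy of a string into a 128-byte block would write past its end, and shows a bounded counterpart that rejects such input instead; the 128-byte block size is an assumption derived from the 127-byte limit stated above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 128   /* assumed size of the block the text calls buf: 127 chars + NUL */

/* Bytes that an unchecked strcpy() of str into a block of block_size bytes
 * would write past its end, i.e. into whatever follows the block (on the
 * heap, the next block's header). Returns 0 when the copy fits. */
size_t overflow_bytes(const char *str, size_t block_size)
{
    size_t needed = strlen(str) + 1;            /* strcpy() also copies the NUL */
    return needed > block_size ? needed - block_size : 0;
}

/* Hardened counterpart of the copy described in the text: same allocation
 * size, but the length is checked before any byte is written. Returns a heap
 * copy the caller must free(), or NULL when the input would not fit. */
char *copy_checked(const char *str, size_t block_size)
{
    if (overflow_bytes(str, block_size) != 0)
        return NULL;                            /* refuse rather than corrupt the heap */
    char *buf = malloc(block_size);
    if (buf == NULL)
        return NULL;
    memcpy(buf, str, strlen(str) + 1);          /* length is known to fit */
    return buf;
}

int main(void)
{
    /* Constructed inputs: 127 'A's is the largest that fits; 130 'A's spills. */
    char fits[128], spills[131];
    memset(fits, 'A', 127);   fits[127] = '\0';
    memset(spills, 'A', 130); spills[130] = '\0';

    printf("127-char input: %zu bytes past the block\n", overflow_bytes(fits, BLOCK_SIZE));
    printf("130-char input: %zu bytes past the block\n", overflow_bytes(spills, BLOCK_SIZE));

    char *p = copy_checked(spills, BLOCK_SIZE);
    printf("checked copy of 130-char input: %s\n", p ? "accepted" : "rejected");
    free(p);
    p = copy_checked(fits, BLOCK_SIZE);
    printf("checked copy of 127-char input: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```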