Taking out the guesswork – heap spraying
In Chapter 7, Stack and Heap: Memory Management, we had some fun with buffer overflows. In a nutshell, the concept is pretty simple: we try to stuff too much data into a container of a fixed size, which causes some data to spill out, hopefully overwriting the information that tells the processor what to execute next. We demonstrated this from the perspective of the stack. Now, we'll take a look at the exact same concept, but from the opposite end of memory space: the heap. We're about to discover that the heap is a whole different ballgame, so it will take some innovative thinking to make this work for us. Enter heap spraying, a technique that transforms a tiny target into a large one and thus increases our chances of a bullseye. Before we dive into what is one of my favorite attacks, we need a quick review of what the heap is.
Memory allocation – stack versus heap
In Chapter 7, Stack and Heap: Memory Management, we introduced the stack: the special...