AIX Introduction to Heap Overflows
The information has been provided by David Litchfield.
The original article can be found at: http://www.databasesecurity.com/dbsec/aix-heap.pdf
Exploiting heap overflows:
In terms of exploitation, one way to exploit a heap overflow is the 'arbitrary 4 byte overwrite'. The heap manager updates the pointers that keep track of heap blocks, and an attacker who has overwritten the inline heap management data can influence those updates. On AIX, to gain control with the 4 byte overwrite, the overflow must reach the address pointed to by the next free block pointer at __heaps+2580, or a block on the heap that points to a previously freed block.
When the pointer update occurs, if the real pointer has been overwritten with 0x12345678, then 0x12345678 is written to the address found at 0x12345680 (which is 0x12345678+8). So, assuming address 0x12345680 holds 0x11223344, 0x12345678 is written to 0x11223344. Further, the value stored at 0x12345684 is written to 0x11223348; in the other direction, the value at 0x11223344 is written to 0x12345680 and the value at 0x11223348 is written to 0x12345684. The written value and its destination are therefore coupled: the destination is read from 8 bytes past the value itself.
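The pointer update described above, simulated as an added example (not code from the paper or from AIX): a constructed flat arena stands in for the heap, `pointer_update_unchecked` performs the four stores exactly as listed, and `pointer_update_checked` shows the kind of link validation that stops a clobbered link from becoming a write outside the heap. The arena layout, the 16-byte header size and the bounds check itself are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit heap image (hypothetical, not the AIX allocator): a flat 4 KiB
 * arena; "addresses" are byte offsets into it and every heap field is a 32-bit word. */
#define ARENA_BYTES 4096u
static uint32_t arena[ARENA_BYTES / 4];
static uint32_t rd(uint32_t a) { return arena[a / 4]; }
static void wr(uint32_t a, uint32_t v) { arena[a / 4] = v; }

/* True if [a, a+len) is word-aligned and inside the arena (no 32-bit wraparound). */
static int in_arena(uint32_t a, uint32_t len) {
    return (a % 4 == 0) && ((uint64_t)a + len <= ARENA_BYTES);
}

/* The update as the summary describes it: X goes to the address Y found at X+8, *(X+12) to
 * Y+4, and the old words at Y and Y+4 come back to X+8 and X+12. No link is validated. */
void pointer_update_unchecked(uint32_t x) {
    uint32_t y = rd(x + 8);
    uint32_t old_y0 = rd(y), old_y1 = rd(y + 4);
    wr(y, x);
    wr(y + 4, rd(x + 12));
    wr(x + 8, old_y0);
    wr(x + 12, old_y1);
}

/* Hardened variant (illustrative, not AIX's own check): refuse to follow a block pointer
 * that does not address a whole header inside the arena. 1 = updated, 0 = rejected. */
int pointer_update_checked(uint32_t x) {
    if (!in_arena(x, 16)) return 0;
    uint32_t y = rd(x + 8);
    if (!in_arena(y, 8)) return 0;
    pointer_update_unchecked(x);
    return 1;
}

/* Constructed sane state: block X at 0x100 whose link at X+8 points at block Y = 0x200. */
void setup_blocks(void) {
    memset(arena, 0, sizeof arena);
    wr(0x108, 0x200);  wr(0x10C, 0xAAAA); /* X+8 -> Y, X+12 */
    wr(0x200, 0x1111); wr(0x204, 0x2222); /* old *Y, old *(Y+4) */
}

int main(void) {
    setup_blocks();
    printf("intact link: %d\n", pointer_update_checked(0x100));    /* 1 */
    wr(0x108, 0xFFFFFF00u); /* simulated overflow clobbering the link at X+8 */
    printf("corrupted link: %d\n", pointer_update_checked(0x100)); /* 0 */
    return 0;
}
```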
The full whitepaper can be found at: http://www.databasesecurity.com/dbsec/aix-heap.pdf