Heap Overflow

0x0 Environment:

  • Windows 7 SP1 32-bit
  • Windbg

0x1 POC (from vulnerability war):

#include <windows.h>
#include <stdio.h>

int main ( )
{
  HANDLE hHeap;
  char *heap;
  /* 32 'A's plus the terminating NUL: 33 bytes in total. */
  char str[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

  /* Private heap: options, initial size 0x1000, maximum size 0xffff.
   * HEAP_GENERATE_EXCEPTIONS makes a failed HeapAlloc raise an exception
   * instead of returning NULL. The returned handle itself is not checked. */
  hHeap = HeapCreate(HEAP_GENERATE_EXCEPTIONS, 0x1000, 0xffff);
  getchar();    // halt, attach to process (e.g. WinDbg) before the heap is touched

  /* Request a 16-byte (0x10) block from the private heap. */
  heap = HeapAlloc(hHeap, 0, 0x10);
  /* NOTE(review): printing a pointer with %08x is a format/argument mismatch
   * (undefined behaviour per the C standard); it happens to line up on 32-bit
   * Windows where pointers and unsigned int have the same width. The portable
   * spelling is "%p" with (void *)heap. */
  printf("heap addr:0x%08x\n",heap);

  /* Heap overflow: 33 bytes are copied into a 16-byte allocation, so the
   * 17 bytes past the end overwrite whatever follows the block — presumably
   * the next block's header/metadata on this heap. NOTE(review): strcpy is
   * declared in <string.h>, which is not included above. */
  strcpy(heap,str); //  heap overflow
  /* The damaged metadata is consumed when the block is returned to the heap,
   * which is where the crash (heap-corruption exception) surfaces. */
  HeapFree(hHeap, 0, heap);  // crash

  HeapDestroy(hHeap);
  return 0;
}