Keep in mind that the goal is to control a buffer in the heap immediately following the vulnerable buffer.
We accomplish this by arranging the heap so that all holes in it that are big enough to hold the vulnerable buffer are surrounded by buffers that we control.
The technique consists of five steps.
- Defragment the heap.
- Make holes in the heap.
- Prepare the blocks around the holes.
- Trigger allocation and overflow.
- Trigger the jump to shellcode.
These steps are described in more detail in the rest of this section.
jake
2008-07-14