102 CHAPTER 4 USB Device Overflow

In the figure, text is the segment that usually holds the program's code, the instructions that are executed. The following segment holds initialized and uninitialized data, which is laid out at assembly time. Diving deeper into the structure, we move to the higher addresses, where the portions allocated at run time are shared by the stack and the heap. In this scenario the heap holds the dynamic variables, obtained through the malloc memory-allocation function or the new operator. The simple code sample below exemplifies how vulnerable this memory is:

    #include <windows.h>
    #include <string.h>

    int vulnerable(char *buf);

    int main(int argc, char *argv[])
    {
        if (argc < 2)
            return 1;
        vulnerable(argv[1]);
        return 0;
    }

    int vulnerable(char *buf)
    {
        HANDLE hp = HeapCreate(0, 0, 0);        /* private heap */
        HLOCAL chunk = HeapAlloc(hp, 0, 260);   /* fixed 260-byte chunk */
        strcpy(chunk, buf);                     /* vulnerability: unbounded copy of attacker input */
        return 0;
    }

In the above example, if the input exceeds 260 bytes, the copy runs past the chunk and overwrites the pointers stored in the adjacent chunk's boundary tag. When the heap manager next processes that corrupted chunk, those pointers can be used to write 4 attacker-controlled bytes to an arbitrary memory location.

Recently there has been an increase in heap overflows found in antivirus libraries. Some of these variants combine copy operations with an integer overflow on the heap. The example below shows vulnerable code responsible for processing TNEF files in ClamAV, from its tnefmessage function (length is a 32-bit value read from the file):

    1  string = cli_malloc(length + 1);               /* vulnerability */
    2  if (fread(string, 1, length, fp) != length) {  /* vulnerability */
    3      free(string);
    4      return -1;
    5  }

In line 1 above, the malloc statement allocates memory based on the value of length, a 32-bit integer. In this example length can be manipulated by the user: a malicious file can be constructed that sets length to -1, so that length + 1 wraps to 0 and the call becomes malloc(0). That allocates a small heap buffer of 16 bytes on most 32-bit platforms.
In line 2, an overflow occurs in the fread call while the third
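The two samples above share one root cause: an attacker-controlled size reaches a heap allocation or a copy without being checked first. The following example is added here and is not code from the book, ClamAV, or the TNEF format. It shows, in portable C, the wrapped allocation size the tnefmessage snippet would request for a length of 0xFFFFFFFF, a hardened reader for a constructed "length-prefixed string" record that checks the length before both the allocation and the copy, and a bounded counterpart of the strcpy into the 260-byte chunk from the first sample. The record layout, the MAX_ATTR_LEN bound, and the in-memory mem_read helper standing in for fread are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on a single attribute payload. An assumed policy value for this
 * example, not a limit taken from ClamAV or the TNEF specification. */
#define MAX_ATTR_LEN (64u * 1024u)

/* Size that cli_malloc(length + 1) actually receives when `length` is an
 * unsigned 32-bit value read from the file: 0xFFFFFFFF + 1 wraps to 0. */
size_t vulnerable_alloc_size(uint32_t length)
{
    return (size_t)(length + 1u);   /* 32-bit unsigned arithmetic wraps before the cast */
}

/* Constructed in-memory stand-in for the input file: the reader walks a
 * byte buffer instead of a FILE*, with fread-like semantics. */
struct reader {
    const unsigned char *cur;
    size_t remaining;
};

/* fread-like helper: copies at most n*size bytes, returns whole items read. */
static size_t mem_read(void *dst, size_t size, size_t n, struct reader *r)
{
    size_t want = size * n;
    if (want > r->remaining) {
        n = r->remaining / size;
        want = size * n;
    }
    memcpy(dst, r->cur, want);
    r->cur += want;
    r->remaining -= want;
    return n;
}

/* Hardened reader for an assumed record layout: a little-endian 32-bit length
 * followed by `length` bytes of string payload. Returns a malloc'd,
 * NUL-terminated string (caller frees) or NULL for a malformed record.
 * Every check runs before the allocation and the copy, and `length + 1` is
 * computed only after length is bounded by MAX_ATTR_LEN, so it cannot wrap. */
char *read_string_attr(struct reader *r, uint32_t *out_len)
{
    unsigned char lb[4];
    if (mem_read(lb, 1, sizeof lb, r) != sizeof lb)
        return NULL;                                   /* truncated length field */

    uint32_t length = (uint32_t)lb[0] | (uint32_t)lb[1] << 8 |
                      (uint32_t)lb[2] << 16 | (uint32_t)lb[3] << 24;

    if (length > MAX_ATTR_LEN)          /* rejects 0xFFFFFFFF and other absurd sizes */
        return NULL;
    if (length > r->remaining)          /* payload cannot extend past the data we hold */
        return NULL;

    char *s = malloc((size_t)length + 1);   /* bounded above, so no wrap to 0 */
    if (s == NULL)
        return NULL;
    if (mem_read(s, 1, length, r) != length) {   /* the original check, now safe */
        free(s);
        return NULL;
    }
    s[length] = '\0';
    if (out_len)
        *out_len = length;
    return s;
}

/* Bounded counterpart of strcpy(chunk, buf) into a fixed-size heap chunk:
 * refuse input that does not fit (with its terminator) instead of spilling
 * into the next chunk's boundary tag. Returns the copied length or -1. */
int copy_into_chunk(char *chunk, size_t chunk_size, const char *src)
{
    const char *end = memchr(src, '\0', chunk_size);   /* terminator within the cap? */
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(chunk, src, n + 1);
    return (int)n;
}

/* Constructed records (not real TNEF files): a benign 5-byte string and a
 * record whose length field is 0xFFFFFFFF, the -1 value described in the text. */
static const unsigned char GOOD_RECORD[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char EVIL_RECORD[] = { 0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A' };

/* 1 if the hardened reader accepts the good record and rejects the evil one. */
int demo_hardened_reader(void)
{
    struct reader good = { GOOD_RECORD, sizeof GOOD_RECORD };
    struct reader evil = { EVIL_RECORD, sizeof EVIL_RECORD };
    uint32_t n = 0;
    char *s = read_string_attr(&good, &n);
    int ok = (s != NULL) && n == 5 && strcmp(s, "hello") == 0;
    free(s);
    return ok && read_string_attr(&evil, NULL) == NULL;
}

/* 1 if the bounded copy takes a short string and refuses a 399-byte one. */
int demo_chunk_copy(void)
{
    char chunk[260];
    char big[400];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int ok = copy_into_chunk(chunk, sizeof chunk, "short input") == 11;
    return ok && copy_into_chunk(chunk, sizeof chunk, big) == -1;
}

int main(void)
{
    printf("cli_malloc would receive %zu bytes for length 0xFFFFFFFF\n",
           vulnerable_alloc_size(0xFFFFFFFFu));
    printf("hardened reader: %s\n", demo_hardened_reader() ? "ok" : "FAIL");
    printf("bounded chunk copy: %s\n", demo_chunk_copy() ? "ok" : "FAIL");
    return 0;
}
```

The ordering in read_string_attr is the point: the bound check, the remaining-input check, the allocation, and the copy happen in that sequence, so a wrapped size can never reach malloc and a huge count can never reach the copy. The vulnerable snippet in the text checks the fread return value only after the copy has already run.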