# Heap overflow

A heap overflow, like a stack overflow, involves writing more data to the heap than the allocation can hold, so that the data following it is overwritten.

Overwriting pointers within that data can lead to arbitrary code execution if the program blindly trusts data on the heap.

## How does it work?

When `malloc()` is called, it returns a pointer to the allocated region of memory.

Data is then written at this location.

```c
#include <stdlib.h>
#include <string.h>

int main(void) {
    char *a = malloc(0x20); // returns a pointer, here 0x4052a0
    char *b = malloc(0x20); // returns a pointer, here 0x4052d0

    strcpy(b, "SuperSecretValue");
    strcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); // write 32 'A's into a
    return 0;
}
```

```
  address   |   values
------------+-------------------------------------------------
            |   +----------------- chunk 1 ------------------+
0x405290:   |   | 0x0000000000000000      0x0000000000000021 | <-- chunk 1 Metadata
0x4052a0:   |   | 0x4141414141414141      0x4141414141414141 | <-- chunk 1 Data
0x4052b0:   |   | 0x4141414141414141      0x4141414141414141 | <-- chunk 1 Data
            |   +----------------- chunk 2 ------------------+
0x4052c0:   |   | 0x0000000000000000      0x0000000000000021 | <-- chunk 2 Metadata
0x4052d0:   |   | 0x5375706572536563      0x72657456616c7565 | <-- chunk 2 Data
0x4052e0:   |   | 0x0000000000000000      0x0000000000000000 | <-- chunk 2 Data
0x4052f0:   |   +--------------------------------------------+
  ...       |    ...
```

But `strcpy()` performs no size check: if more data is written than the chunk's data area can hold, the excess overwrites whatever follows the chunk:

```c
#include <stdlib.h>
#include <string.h>

int main(void) {
    char *a = malloc(0x20); // returns a pointer, here 0x4052a0
    char *b = malloc(0x20); // returns a pointer, here 0x4052d0

    strcpy(b, "SuperSecretValue");
    // write 64 'A's into a: twice what the chunk holds, so the copy runs into b
    strcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return 0;
}
```

```
  address   |   values
------------+-------------------------------------------------
            |   +----------------- chunk 1 ------------------+
0x405290:   |   | 0x0000000000000000      0x0000000000000021 | <-- chunk 1 Metadata
0x4052a0:   |   | 0x4141414141414141      0x4141414141414141 | <-- chunk 1 Data
0x4052b0:   |   | 0x4141414141414141      0x4141414141414141 | <-- chunk 1 Data
            |   +----------------- chunk 2 ------------------+
0x4052c0:   |   | 0x4141414141414141      0x4141414141414141 | <-- chunk 2 Metadata
0x4052d0:   |   | 0x4141414141414141      0x4141414141414141 | <-- chunk 2 Data
0x4052e0:   |   | 0x0000000000000000      0x0000000000000000 | <-- chunk 2 Data
0x4052f0:   |   +--------------------------------------------+
  ...       |    ...
```

{% hint style="info" %}
Note that the metadata of chunk 2 is overwritten as well, but that does not matter for the way the chunk is used here.
{% endhint %}
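To make the overwrite above observable without corrupting a real allocator, here is an added C example (not code from the original page) that models the two adjacent chunks of the dumps in a flat byte array, repeats the 32-byte and 64-byte writes with `strcpy()`, and adds a length-checked copy that rejects the second one. The chunk layout constants, the array-backed "heap" and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the two adjacent chunks in the dumps above: 16 bytes of
 * metadata (prev_size, size) followed by 0x20 bytes of data, back to back in a
 * flat array. It is not a real glibc heap, so the overwrite can be inspected
 * safely instead of corrupting the process allocator. */
#define HDR   16
#define DATA  0x20
#define CHUNK (HDR + DATA)

static unsigned char heap[2 * CHUNK + 16];         /* slack keeps the final NUL in bounds */
static char *data1 = (char *)heap + HDR;           /* the pointer malloc() returns for a */
static char *data2 = (char *)heap + CHUNK + HDR;   /* the pointer malloc() returns for b */
static const char A32[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
static const char A64[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

static void reset_heap(void) {
    uint64_t size = 0x21;                          /* 0x20 | PREV_INUSE, as in the dumps */
    memset(heap, 0, sizeof heap);
    memcpy(heap + 8, &size, 8);                    /* chunk 1 size field */
    memcpy(heap + CHUNK + 8, &size, 8);            /* chunk 2 size field */
    strcpy(data2, "SuperSecretValue");
}

/* Size field of chunk 2: 0x21 when intact, 0x4141414141414141 after the overflow. */
uint64_t chunk2_size(void) {
    uint64_t size;
    memcpy(&size, heap + CHUNK + 8, 8);
    return size;
}

/* 1 if chunk 2's metadata and secret survived the write into chunk 1, else 0. */
int chunk2_intact(void) {
    return chunk2_size() == 0x21 && strcmp(data2, "SuperSecretValue") == 0;
}

/* Hardened copy: reject anything that does not fit, NUL included. 0 = copied, -1 = rejected. */
int checked_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len + 1 > dst_size) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* The 32-byte write, the 64-byte overflow through strcpy(), and the same 64 bytes through the check. */
int write_fits(void)      { reset_heap(); strcpy(data1, A32); return chunk2_intact(); }
int write_overflows(void) { reset_heap(); strcpy(data1, A64); return chunk2_intact(); }
int write_checked(void)   { reset_heap(); return checked_copy(data1, DATA, A64) == -1 && chunk2_intact(); }
```

After `write_overflows()`, `chunk2_size()` returns the `0x4141414141414141` seen in the second dump and `data2` reads as sixteen `A`s, which is exactly the clobbered metadata and data the hint refers to.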

## Resources

{% embed url="https://ir0nstone.gitbook.io/notes/types/heap/heap-overflow" %}
