A heap overflow, like a stack overflow, happens when more data is written to a heap buffer than it can hold, so the write runs past the end of the buffer and overwrites whatever is stored after it.
If the overwritten data contains pointers (function pointers, vtable pointers, allocator metadata), corrupting them can lead to arbitrary code execution when the program blindly trusts data it reads back from the heap.
How it works?
When malloc() is called, it returns a pointer to the allocated block (the "chunk"); the program then writes its data at that location:
```c
char *a = malloc(0x20); // Returns a pointer, here 0x4052a0
char *b = malloc(0x20); // Returns a pointer, here 0x4052d0
strcpy(b, "SuperSecretValue");
strcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); // Write 32 A
```
But malloc() does no bounds checking on later writes. If more data than the requested size is written, it runs past the end of the chunk into whatever follows it, here b's chunk. (Note that the 32 A's above plus strcpy's terminating NUL already make 33 bytes; they still fit only because glibc rounds a 0x20 request up to a 0x30-byte chunk with 0x28 usable bytes, which is why a and b are 0x30 apart. 64 A's do not fit.)
```c
char *a = malloc(0x20); // Returns a pointer, here 0x4052a0
char *b = malloc(0x20); // Returns a pointer, here 0x4052d0
strcpy(b, "SuperSecretValue");
// Write 64 A: runs past the end of a's chunk and into b
strcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
```
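The following program is an added example (not code from the original page) that runs the two-chunk scenario above end to end and shows what the overflow actually changes. Instead of hard-coding the 0x30 spacing, it measures the distance between a and b at run time and writes exactly 16 bytes past the start of b, which on 64-bit glibc is the same 64-A write as above. The copy is done with a byte loop rather than strcpy so that a fortified build cannot abort it before the demonstration; the names copy_unchecked, copy_bounded and run_scenario are this example's own, and the "adjacent chunks" assumption holds for a fresh glibc heap but is not guaranteed by every allocator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECRET "SuperSecretValue"

/* Vulnerable pattern from the page: copy input into a fixed-size heap
 * buffer without ever looking at the destination size. Written as a
 * byte loop so the compiler cannot swap in a fortified strcpy. */
static void copy_unchecked(char *dst, const char *src)
{
    size_t i = 0;
    while ((dst[i] = src[i]) != '\0')
        i++;
}

/* Hardened variant: refuse anything that would not fit, NUL included.
 * Returns 0 on success, -1 if the input is too long for dst_size. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {
        dst[0] = '\0';      /* leave a well-formed (empty) string behind */
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Replays the page's scenario with two 0x20-byte chunks.
 * Returns 1 if b's secret was clobbered, 0 if it survived,
 * -1 if the allocator did not hand back adjacent ascending chunks. */
static int run_scenario(int hardened)
{
    char *a = malloc(0x20);
    char *b = malloc(0x20);
    if (!a || !b)
        return -1;
    if (b <= a || (size_t)(b - a) > 0x100)
        return -1;                       /* assumption: adjacent chunks */
    size_t dist = (size_t)(b - a);       /* 0x30 on 64-bit glibc */

    strcpy(b, SECRET);

    /* Constructed attacker input: long enough to cross the end of a,
     * the allocator's bookkeeping between the chunks, and 16 bytes of b.
     * With dist == 0x30 this is the page's 64 A's. */
    size_t n = dist + 16;
    char *input = malloc(n + 1);
    if (!input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';

    if (hardened)
        copy_bounded(a, 0x20, input);    /* rejected: 64 >= 32 */
    else
        copy_unchecked(a, input);        /* overflows into b */

    int clobbered = strcmp(b, SECRET) != 0;
    free(input);
    /* a and b are deliberately never freed: in the unchecked case b's
     * size field now reads 0x4141414141414141 and glibc would abort. */
    return clobbered;
}

int main(void)
{
    printf("unchecked copy: secret clobbered = %d\n", run_scenario(0));
    printf("bounded copy:   secret clobbered = %d\n", run_scenario(1));
    return 0;
}
```

In the unchecked run, b ends up holding sixteen A's followed by the NUL that landed at b+16, and the eight bytes just before b (glibc's size field for that chunk) are overwritten as well; that header corruption is the part that matters for exploitation, since any later free() or allocation that trusts it will operate on attacker-chosen values. The bounded variant fails closed and b is untouched.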