Memory corruption remains a cornerstone of exploitation—adversaries manipulate program memory to hijack execution, escalate privileges, or extract data. This post dissects five memory corruption techniques, focusing on their mechanics, tools, and payloads, then reframes them for ethical penetration testing and system hardening. Targeted at ethical hackers, it assumes familiarity with C, assembly, and debugging. No hand-holding—straight to the bits. Date: March 12, 2025.
Scope Note: This is for authorized testing only. “Hexed heap” denotes adversary tactics analyzed for defensive gain, not malicious use. Stay within legal bounds.
Memory Corruption: The Technical Core
Memory corruption exploits flaws in memory management—buffer overflows, use-after-free, heap spraying—to overwrite critical data or redirect control flow. Adversaries target C/C++ programs lacking bounds checks or modern mitigations (ASLR, DEP). Success requires precision: locate vulnerable buffers, craft payloads, bypass protections. For pentesters, this is a lens to expose weak code and enforce robust defenses. Five techniques follow, with ethical applications.
Technique 1: Stack Buffer Overflow—Smashing the Stack
A classic stack overflow overwrites a function’s return address. Consider this vulnerable code:
#include <string.h>
void vuln(char *input) {
char buf[16];
strcpy(buf, input); // No bounds check
}
int main() {
vuln("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
return 0;
}Input exceeding 16 bytes overwrites the stack, including the return address. With gcc -m32 -fno-stack-protect -o vuln vuln.c (32-bit, no canary), a payload like AAAA…AAAA\xef\xbe\xad\xde (address of system()) can redirect execution.
Ethical Application: Compile and test in a VM. Use gdb (gdb ./vuln; r < <(python -c ‘print(“A”*24 + “\xef\xbe\xad\xde”)’))—did it segfault or jump? Check ASLR (cat /proc/sys/kernel/randomize_va_space)—is it off? Recommend stack canaries (-fstack-protect), bounds checking (strncpy), and ASLR. Overflow’s hexed, stack’s safe.
Technique 2: Heap Overflow—Corrupting the Pile
Heap overflows target dynamically allocated memory. This code’s ripe:
#include <stdlib.h>
#include <string.h>
void vuln(char *input) {
char *buf = malloc(16);
strcpy(buf, input); // Overruns heap
free(buf);
}
int main() {
vuln("BBBBBBBBBBBBBBBBBBBBBBBB");
return 0;
}Compile: gcc -m32 -o heap heap.c. Overflow with 24+ bytes—overwrite heap metadata (e.g., next chunk pointer). Payload: BBBB…BBBB\x00\x00\x00\x00\xef\xbe\xad\xde—redirects on free().
Ethical Application: Test it (gdb ./heap; r < <(python -c ‘print(“B”*24 + “\xef\xbe\xad\xde”)’)). Did it crash predictably? Use valgrind (valgrind ./heap < input) to spot overruns. Push heap hardening: guard pages, safe unlinking (glibc mitigations), memory sanitizers (-fsanitize=address). Heap’s hexed, corruption’s caught.
Technique 3: Use-After-Free—Dangling Doom
Use-after-free (UAF) exploits freed memory reuse. Vulnerable example:
#include <stdlib.h>
#include <string.h>
void vuln() {
char *ptr = malloc(16);
strcpy(ptr, "test");
free(ptr);
strcpy(ptr, "AAAAAAAAAAAAAAAA"); // UAF
}
int main() {
vuln();
return 0;
}Compile: gcc -m32 -o uaf uaf.c. Post-free(), ptr dangles—overwrite it to control execution when reused.
Ethical Application: Run in gdb (break vuln; r; x/10x $esp)—watch memory post-free. Craft a UAF payload (e.g., overwrite with shellcode address). Test mitigations—did asan (-fsanitize=address) catch it? Recommend pointer invalidation, memory tagging (ARM MTE), and leak checks (valgrind). Doom’s hexed, pointers lock.
Technique 4: Format String Exploit—Leaking the Hex
Format string bugs expose memory or hijack flow. Vulnerab
#include <stdio.h>
void vuln(char *input) {
printf(input); // Direct user input
}
int main() {
vuln("%x %x %x %x");
return 0;
}Compile: gcc -m32 -o fmt fmt.c. Input like %x dumps stack; %n writes memory. Payload: %08x.%08x.%n—writes to a crafted address.
Ethical Application: Test it (./fmt < <(python -c ‘print(“%x “*10)’))—did it leak? Use gdb (break printf; r) to trace. Check protections—did -D_FORTIFY_SOURCE block it? Push input sanitization (printf(“%s”, input)), stack cookies, and W^X. Hex leaks, defenses seal.
Technique 5: Heap Spraying—Filling the Void
Heap spraying floods memory with shellcode, increasing exploit reliability. JavaScript example:
var spray = unescape(“%u0c0c%u0c0c” + “%u9090%u9090” + “A”.repeat(0x1000)); while (memory.length < 0x100000) memory.push(spray);
NOP sled (0x9090) and payload (0x0c0c) fill heap—crash jumps there.
Ethical Application: Spray in a browser VM (e.g., old IE)—trigger via crafted HTML. Did DEP (/NXCOMPAT) stop it? Use windbg (!heap -s) to inspect. Recommend DEP enforcement, ASLR, and memory limits (ulimit -v). Void’s hexed, spray’s nullified.
Crafting Your Hexed Heap
Adversaries chain corruption—overflow to UAF to spray. Example:
char *ptr = malloc(16);
strcpy(ptr, "A"*24 + "\xef\xbe\xad\xde"); // Heap overflow
free(ptr);
strcpy(ptr, shellcode); // UAFBuild with gcc -m32 -o combo combo.c. Multi-stage chaos.
Ethical Application: Chain a test—overflow, UAF, spray a logger (echo > log). Test in gdb—trace with info registers. Did mitigations (ASLR, DEP) hold? Push combined defenses: canaries, sanitizers, NX bits. Chaos turns clarity.
Why Corruption Hexes
It’s potent—low-level control, small attack surface. It’s precise—targets memory layouts. It’s persistent—bypasses high-level checks. Adversaries stack it: overflow to spray to shellcode. A viper’s venom in bytes.
Ethical Application: Stack it in a pentest—overflow to UAF. Beat it: ASLR randomization (sysctl -w kernel.randomize_va_space=2), heap isolation, runtime checks. Hex turns harmless.
Unhexing the Heap
Corruption shows: crashes, odd pointers, memory bloat. Tools reveal it: gdb (backtrace), valgrind (–tool=memcheck), windbg (!analyze -v). Case: Heartbleed’s overflow leaked RAM—caught by bounds errors.
Ethical Application: Crash a test binary—watch with gdb (r < input; bt). Did tools flag it? Recommend crash dumps, bounds logging (syslog), memory forensics. Heap’s unhexed, bugs die.
Ethical Leverage
These hexes sharpen pentesting. Stack overflows test mitigations. Heap overflows probe allocators. UAFs stress pointers. Format bugs leak gaps. Spraying checks DEP. Chain ‘em—expose flaws, fix ‘em: ASLR, NX, sanitizers. Hexed heaps build steel.
Legal Line
Labs, VMs, or signed scopes only. Corruption’s a scalpel—wield it ethically.
Wrap-Up
The hexed heap—memory corruption—is an adversary’s dark art, precise and devastating. For ethical hackers, it’s a diagnostic: exploit it, counter it, harden with it. Code’s here—run it, break it, learn. Comments below, more at ethicbreach.com.