I was reading Hacking The Art of Exploitation recently, and in it, it states that the heap grows upwards dynamically toward the stack while the stack grows downward dynamically towards the heap. A bit of experimentation easily confirms this, and that immediately gives me the idea: crash the heap into the stack!
So I write a C program which instantiates an int on the stack and an int on the heap and then prints their addresses. At first it baffles me; about 9 out of 10 times, heap memory starts getting allocated at addresses AFTER the stack, for example:
- Code: Select all
[0x0027ff14] my_Int = 32
[0x009a0f28] my_HeapInt = 26112
[0x009a0f48] my_HeapInt = 26112
I decide that, since 1 in 10 times the heap starts getting allocated before the stack, its worth a try. I added a while loop that keeps allocating heap memory until the heap addresses surpass the stack based my_Int address. This is the result:
- Code: Select all
[0x0027ff14] my_Int = 32
[0x00030f28] my_HeapInt = 26112
[0x00030f48] my_HeapInt = 26112
Attempting to crash heap...
[0x00030f58] my_HeapInt = 26112
[0x00030f68] my_HeapInt = 26112
[0x00030f78] my_HeapInt = 26112
[0x00030f88] my_HeapInt = 26112
[0x00030f98] my_HeapInt = 26112
[0x00030fa8] my_HeapInt = 26112
( for the sake of brevity, i cut out addresses 0x00030fb8 - 0x000313e0 ... )
[0x000313f0] my_HeapInt = 26112
[0x00031400] my_HeapInt = 26112
[0x00031410] my_HeapInt = 26112
[0x00031420] my_HeapInt = 26112
[0x00031430] my_HeapInt = 26112
[0x008f0be0] my_HeapInt = 26112
Did you see that? I set the program to stop when the address of my_HeapInt exceeded the address of my_Int. Well, I guess you can consider a jump from 0x00031430 to 0x008f0be0 to surpass 0x0027ff14 by a wide margin. Da fuq is in between there that it had to jump so far? And wouldn't it be smarter to just start at such a high address in the first place?
So, I can't crash the heap into the stack

So I added a recursive function that infinitely calls itself. Results:
- Code: Select all
[0x0027ff14] my_Int = 32
[0x00020f28] my_HeapInt = 26112
[0x00020f48] my_HeapInt = 26112
Attempting to crash heap...
[0x00020f58] my_HeapInt = 26112
[0x00020f68] my_HeapInt = 26112
[0x00020f78] my_HeapInt = 26112
( skipping addresses 0x00020f88 - 0x00021400 ... )
[0x00021410] my_HeapInt = 26112
[0x00021420] my_HeapInt = 26112
[0x00021430] my_HeapInt = 26112
[0x00990be0] my_HeapInt = 26112
If this prints, then the program has failed at crashing the heap :(
Attempting to crash stack :D
[0x0027fee8] my_Int = 32
[0x0027feb8] my_Int = 32
[0x0027fe88] my_Int = 32
[0x0027fe58] my_Int = 32
[0x0027fe28] my_Int = 32
[0x0027fdf8] my_Int = 32
[0x0027fdc8] my_Int = 32
( skipping 1100 KB worth of my_Int = 32 lines ... )
[0x00084768] my_Int = 32
[0x00084738] my_Int = 32
[0x00084708] my_Int = 32
[0x000846d8] my_Int = 32
[0x000846a8] my_Int = 32
At that point, the program crashed with a "a.exe has stopped responding..." error. I printed all of this to a txt file anticipating the crash. So whats the result? There is still a decent bit of memory between 0x000846a8 ( the address of the last successfully allocated Int variable ) and 0x00021430 (the address of the last Int allocated on the heap before it pole vaults over the stack) . What the fuck is in between them? Am I missing something here? Or is Windows just screwing with me?
Can anyone please help me out with this? I'm as confuzzled by this as a someone is on their first day on /b/.
Source code for anyone who wants to judge my crappy C skills:
- Code: Select all
#include <stdio.h>
void recurse()
{
int my_Int = 32;
int * my_Int_Pointer = &my_Int;
printf("[0x%08x] my_Int = %d\n", my_Int_Pointer, my_Int);
recurse();
}
int main()
{
int my_Int = 32;
int * my_Int_Pointer = &my_Int;
printf("[0x%08x] my_Int = %d\n", my_Int_Pointer, my_Int);
int * my_HeapInt_Pointer = (int *) malloc(4);
*my_HeapInt_Pointer = 26112;
printf("[0x%08x] my_HeapInt = %d\n", my_HeapInt_Pointer, *my_HeapInt_Pointer);
my_HeapInt_Pointer = (int *) malloc(4);
*my_HeapInt_Pointer = 26112;
printf("[0x%08x] my_HeapInt = %d\n", my_HeapInt_Pointer, *my_HeapInt_Pointer);
if(my_HeapInt_Pointer < my_Int_Pointer)
{
printf("\nAttempting to crash heap...\n\n");
while(my_HeapInt_Pointer < my_Int_Pointer)
{
my_HeapInt_Pointer = (int *) malloc(4);
*my_HeapInt_Pointer = 26112;
printf("[0x%08x] my_HeapInt = %d\n", my_HeapInt_Pointer, *my_HeapInt_Pointer);
}
printf("\nIf this prints, then the program has failed at crashing the heap :(\n\n");
printf("Attempting to crash stack :D\n\n");
recurse();
}
}
-WallShadow <3