Talk:Heap spraying

Sources? Also, I think the explanation in JavaScript is wrong. Don't you usually write multiple concatenations of your shellcode (+NOPs) into the heap? The article states otherwise. 212.23.158.9 (talk) 09:30, 20 January 2009 (UTC)

 * Sources for what?
 * I added details about the shellcode being attached to each string in the array.
 * — (talk | contribs) 17:07, 1 February 2009 (UTC)

Clarification request
How does the injected code get executed? Is there a separate mechanism to run the code, or is it just expected that random bugs in the app will sometimes run the injected code?

Doesn't this exploit fill up the heap, or are these blocks of memory returned to the heap with the injected code in them? Shouldn't blocks returned to the heap be cleared of any data?

66.192.121.51 (talk) 15:26, 10 December 2009 (UTC)

Yeah, I was wondering the same thing. The shellcode article does explain it if you read through, but it would be nice... oh heck, I'll just write it myself. There. Much better. OsamaBinLogin (talk) 02:27, 9 November 2011 (UTC)
 * Thanks, I should have done that a long time ago. I've rewritten a lot of the article to explain it in a little more detail. However, Wikipedia is not the right place to explain how exploits work in general, but basic exploit-writing skills are needed to understand the concepts involved. I'm not sure where to draw the line...
 * Also, heap sprays have come a long way since the first instances and serve many more roles than they used to (no more simple 0x0D0D0D0D nopsled+shellcode). I've constructed entire data structures on the heap to implement things like ret-into-libc, allow reliable exploitation of complex issues, or allow the application to continue to function after the exploit worked rather than crash.
 * — SkyLined (talk) 21:50, 9 November 2011 (UTC)

Diagram
There is a diagram at File:Memory during spraying.jpg that apparently illustrates heap spraying. It could be used here with an appropriate caption that explains the meaning of the different colors; in the long run, an English translation could be created. - I tried to come up with a caption myself, but from the article, I didn't get a sufficiently precise idea about the purpose of heap spraying and how it works. - Jochen Burghardt (talk) 11:25, 4 July 2020 (UTC)