Buffer Overflow

Stack overflow

This paper written by Murat explains what are the vulnerabilities called "buffer overflows" and documents the way to write exploits making use of such coding flaws.
On many C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and can cause return from the routine to jump to a random address, in order to execute arbitrary code. This paper written by Aleph One explains how to exploit these vulnerabilities.
This article details the hazards of non-terminated buffers (specifically non-terminated strings), and their potential impact on the security of a application. This issue is discussed from a variety potential situations, culminating with an example exploit which abuses adjacent non-terminated string buffers together to perform program redirection via a buffer overflow.
PERL stack buffer overflow exploits aren't as well explored as C exploits when it comes to munging the stack. This brief paper written by Dethy will outline ways PERL can be used to create a working exploit with greater ease than standard C based exploits.
A buffer overrun is writting to more memory than was reserved. Since this often happens on the stack, an understanding of how the stack works is essential. This paper written by Lefty presents how the stack is implemented on linux, and how to exploit buffer overrun flaws.
This article written by klog demonstrates it is possible to exploit stack overflows even under the worst conditions. Many esoteric techniques where the goal is to exploit trusted processes in the most hostile situations exist, including when privileges are dropped. This paper covers the one-byte overflow case.
For the most part, the techniques that are applicable in C are also available in C++, however, C++ offers new possibilities in regards to buffer overflows, mostly due to the use of object oriented technologies. This paper written by rix analyze one of these possibilities, using the C++ GNU compiler, on an x86 Linux system.
This article written by Sinan "noir" Eren is about recent exposures of many kernel level vulnerabilities and advances in their exploitation which leads to trusted (oops safe) and robust exploits. It focuses on 2 recent vulnerabilities in the OpenBSD kernel. The goal of this paper is to explore and demonstrate generic ways to exploit stack overflows and signed/unsigned vulnerabilities in kernel space.
This paper written by vade79/v9 discusses how to use values returned from programs to create fingerprints. Most of the information contained in this paper will relate to off-by-one buffer miscalculations. While they are very common, not all are exploitable, and often get dismissed due to that. As these bugs may not always yield exploitable conditions, they do tend to relay and leak informations about the victim machine.
Buffer overflows are the result of stuffing more data into a buffer than it can handle. Upon writing past the buffer, the program will often lead to unknown results, even the potential to execute arbitary code, if a certain memory pointer is overwritten. This short paper written by Dethy presents how to exploit them.

Heap overflow

This paper written by jp details several advanced techniques that allow a more generic and reliable exploitation of malloc corruption, allowing an attacker to overwrite an arbitrary 4 byte value anywhere in the process memory.
This paper written by MaXX could be entitled "Smashing The Heap For Fun And Profit". Indeed, the memory allocator used by the GNU C Library (Doug Lea's Malloc) and the associated heap corruption techniques are presented. It is one of the most complete article about heap corruption.
Recently, many kernel level heap (kmalloc) overflows have been discovered which were rated "unclear" with regard to exploitation. This article written by qobaiashi aims at explaining the kernels heap management, with security and exploitation of heap overflows in kernel space in mind.
This paper presents a way to exploit free() corruption and explains how the System V and GNU malloc() are implemented.
This article written by w00w00 provides a better understanding of heap-based overflows along with several methods of exploitation, demonstrations, and some possible solutions/fixes.
This paper presents a concise explanation of a technique to gain control of a C program's flow of execution given that it has been compiled with gcc. This text written by Juan M. Bello Rivas assumes that the reader is familiar with general overflow techniques and the ELF format.
This is short paper written by Pascal Bouchareine shows a way to execute arbitrary instructions using atexit().