Question

I've read two articles about heap-spraying: Wikipedia and this blog post. I understand how the shell code is introduced into the program's memory. But how is the program made to jump/call to the memory address located on the heap?

What kind of crash makes a call to the heap?

Does such an attack need to be conducted with a kind of buffer overflow attack?

Is there any golden rule like the one with buffer overflow, i.e. use the n version of functions (strncpy instead of strcpy)?

Solution

If I understand correctly,

They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run. Execution flow can be redirected to the heap sprays via buffer overflow or heap overflow flaws.

They're talking about a situation like this:

typedef void (*FuncPtr)(void);  /* function pointer type used below */
char buffer[10];                /* fixed-size buffer, filled without a bounds check */
FuncPtr p;                      /* function pointer sitting right after the buffer */

And when you read into buffer with no overflow protection, you can write directly into the memory location for p. Later on when your code tries to call p, it will jump to where the attacker wants it to jump, presumably where they injected executable code into your app.

Simple fix: Don't use static buffers (prefer the std:: collection classes) and always check for overflows.
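The layout the answer sketches, together with the two fixes it recommends (a length check on the fixed buffer, and a std:: container instead of a static array), as an added example that is not part of the original answer. `Handler`, `read_unchecked`, `read_checked` and `SafeHandler` are constructed names for this illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed layout mirroring the answer's fragment: a fixed buffer directly
// followed by a function pointer. (The compiler may insert padding between
// them, but an unchecked copy that keeps going still reaches p.)
using FuncPtr = void (*)();
struct Handler {
    char buffer[10];
    FuncPtr p;
};

void intended_callback() {}

// 'Before': the pattern the answer warns about. strcpy does not know how big
// buffer is, so input of 10 bytes or more runs off its end and into p.
void read_unchecked(Handler& h, const char* input) {
    std::strcpy(h.buffer, input);
}

// 'After' #1: keep the C array but check the length first and reject input
// that does not fit, so the copy can never reach p.
bool read_checked(Handler& h, const char* input) {
    std::size_t len = std::strlen(input);
    if (len >= sizeof h.buffer) return false;   // no room for the terminator
    std::memcpy(h.buffer, input, len + 1);
    return true;
}

// 'After' #2: the answer's preferred fix. std::string grows as needed, so
// there is no fixed-size region whose neighbour can be overwritten.
struct SafeHandler {
    std::string buffer;
    FuncPtr p;
};
void read_string(SafeHandler& h, const char* input) { h.buffer = input; }

// True iff p still points at the intended callback after a copy.
bool pointer_intact(const Handler& h) { return h.p == &intended_callback; }
bool pointer_intact(const SafeHandler& h) { return h.p == &intended_callback; }

// Demonstration: oversized input is rejected and p is left untouched.
bool oversized_input_rejected() {
    Handler h{{}, &intended_callback};
    bool accepted = read_checked(h, "this string is far longer than ten bytes");
    return !accepted && pointer_intact(h);
}
```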

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow