question on remote overflow

From: Minchu Mo (morris_minchu@iwon.com)
Date: 10/29/01


Date: 29 Oct 2001 19:52:01 -0000
Message-ID: <20011029195201.20412.qmail@mail.securityfocus.com>
From: Minchu Mo <morris_minchu@iwon.com>
To: vuln-dev@securityfocus.com
Subject: question on remote overflow


('binary' encoding is not supported, stored as-is) Mailer: SecurityFocus

I am doing a remote overflow experiment on solaris
2.7 /w sparcV9. my RPC
server have a buffer overflow bug in stack, my rpc
client will pass a long
binary code(with hacking code inside) to the server.
Part of the binary will
overflow the buffer and overwrite the return address,
the other part of binary
contains the hacking code downloaded from lsd-pl
(findsck and shell code) and
resides in the heap area. Once the overflow happen,
the control supposed to be
transfered to the heap area and run from there.

With adb/truss tracing the RPC server, I can see the
control was indeed transferred
to the heap and run from there, but if I let the RPC
server run freely, the process
seem to skip the hacking code in heap.

My questions are:
Why control didn't transfer? IS heap also disable from
running code?
Or process under adb run differently from realtime?