Subject: question on remote overflow
From: Minchu Mo <firstname.lastname@example.org>
To: email@example.com
Date: 29 Oct 2001 19:52:01 -0000
Message-ID: <email@example.com>
Mailer: SecurityFocus
I am doing a remote overflow experiment on Solaris 2.7 with SPARC V9. My RPC server has a buffer overflow bug in the stack; my RPC client will pass a long binary code (with hacking code inside) to the server. Part of the binary will overflow the buffer and overwrite the return address; the other part of the binary contains the hacking code downloaded from lsd-pl (findsck and shell code) and resides in the heap area. Once the overflow happens, control is supposed to be transferred to the heap area and run from there.

With adb/truss tracing the RPC server, I can see that control was indeed transferred to the heap and ran from there, but if I let the RPC server run freely, the process seems to skip the hacking code in the heap.
My questions are:
Why didn't control transfer? Is heap also disabled from
Or does the process under adb run differently from real time?