Re: heap overflows
From: Vlad902 (vlad_at_sig11.zemos.net)
Date: 02/26/04
- Previous message: sigsegv_at_ureach.com: "heap overflows"
- Maybe in reply to: sigsegv_at_ureach.com: "heap overflows"
- Next in thread: Steven Hill: "Re: heap overflows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 Feb 2004 17:53:33 -0000 To: vuln-dev@securityfocus.com
> printf("copied");
> free(malloced_buffer1);
> free(malloced_buffer2);
This part of the code is incorrect, you're depending
on the first chunk to hold your shellcode, and you
are freeing it before you overwrite the GOT with the
free(malloced_buffer2);. Also you don't a printf();
statement after the free(malloced_buffer2); so it
never returns to the shellcode (if it was there)! I
recommend you remove the free(malloced_buffer1); and
instead of messing with the GOT instead instead just
overwrite __DTOR_END__ and be lazy :)
You may also just for debugging purposes add a
"xccxcc" instead of "xebx0c", which will make
it a trace/breakpoint trap, so that if it ever
hits it, your program will stop with a
trace/breakpoint trap and will core dump, so you
know it is hitting the shellcode.
- Previous message: sigsegv_at_ureach.com: "heap overflows"
- Maybe in reply to: sigsegv_at_ureach.com: "heap overflows"
- Next in thread: Steven Hill: "Re: heap overflows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
