Vulnerability Development mailing list archives

question on remote overflow


From: Minchu Mo <morris_minchu () iwon com>
Date: 29 Oct 2001 19:52:01 -0000

Mailer: SecurityFocus

I am doing a remote overflow experiment on Solaris 2.7 with SPARC V9. My RPC server has a buffer overflow bug on the stack; my RPC client will pass a long binary blob (with hacking code inside) to the server. Part of the binary will overflow the buffer and overwrite the return address; the other part of the binary contains the hacking code downloaded from lsd-pl (findsck and shellcode) and resides in the heap area. Once the overflow happens, control is supposed to be transferred to the heap area and run from there.

With adb/truss tracing the RPC server, I can see that control was indeed transferred to the heap and ran from there, but if I let the RPC server run freely, the process seems to skip the hacking code in the heap.

My questions are:
Why didn't control transfer? Is the heap also disabled from running code?
Or does a process under adb run differently from real time?
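The second question above, whether the heap is allowed to run code, is something a practitioner can measure directly rather than infer from a debugger session. The following probe is an added example written for this archive page; it is not code from the original poster and says nothing about Solaris 2.7 or SPARC specifically. It assumes Linux on x86-64 or AArch64, uses a hypothetical two-instruction stub (returns 42) as a stand-in for real shellcode, and catches the fault instead of letting the process die. It first tries to run the stub in a freshly malloc'd page as allocated, then again after mprotect() marks the page executable.

```c
/* Probe whether code copied into a malloc'd heap block can be executed,
 * first as allocated and then after mprotect() marks the page executable.
 * Added example, not from the original post: assumes Linux on x86-64 or
 * AArch64; the stub below is a hypothetical stand-in for real shellcode. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in "shellcode": a function body that just returns 42. */
#if defined(__x86_64__)
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                      0xc3 };                        /* ret */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                      0xc0, 0x03, 0x5f, 0xd6 };      /* ret */
#else
#error "stub only provided for x86-64 and AArch64"
#endif

typedef int (*payload_fn)(void);

static sigjmp_buf fault_jump;

static void on_fault(int sig) { siglongjmp(fault_jump, sig); }

/* Call the code at buf. Returns its return value, or -1 if the call faulted
 * (SIGSEGV on a non-executable page, SIGILL/SIGBUS for bad code). */
static int try_execute(void *buf) {
    static const int sigs[] = { SIGSEGV, SIGILL, SIGBUS };
    struct sigaction sa, old[3];
    int i, result;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;           /* we jump straight out of the handler */
    for (i = 0; i < 3; i++) sigaction(sigs[i], &sa, &old[i]);

    if (sigsetjmp(fault_jump, 1) == 0) {
        payload_fn fn;
        memcpy(&fn, &buf, sizeof fn);   /* data pointer -> function pointer */
        result = fn();
    } else {
        result = -1;                    /* landed here from on_fault() */
    }
    for (i = 0; i < 3; i++) sigaction(sigs[i], &old[i], NULL);
    return result;
}

/* Copy the stub into a page-aligned heap block and try to run it.
 * make_executable != 0: mprotect() the page RWX first and flush the I-cache.
 * Returns the stub's value (42) on success, -1 on fault, -2/-3 on setup error. */
int heap_exec_probe(int make_executable) {
    long page = sysconf(_SC_PAGESIZE);
    void *buf = NULL;
    int r;

    if (page <= 0 || posix_memalign(&buf, (size_t)page, (size_t)page) != 0) return -2;
    memcpy(buf, stub, sizeof stub);

    if (make_executable) {
        if (mprotect(buf, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
            free(buf);
            return -3;
        }
        /* Required on AArch64 (a no-op on x86): make the freshly written bytes
         * visible to instruction fetch. Single-stepping under a debugger can
         * hide a missing flush, so always do it in the free-running path. */
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof stub);
    }

    r = try_execute(buf);

    if (make_executable) mprotect(buf, (size_t)page, PROT_READ | PROT_WRITE);
    free(buf);
    return r;
}

int main(void) {
    printf("heap as allocated:               %d\n", heap_exec_probe(0));
    printf("heap after mprotect(PROT_EXEC):  %d\n", heap_exec_probe(1));
    return 0;
}
```

On a current Linux box the first call reports -1 (the jump into the non-executable heap page raises SIGSEGV) and the second reports 42, which is the difference between "the payload is in the heap" and "the heap may run it". The same probe, rebuilt with a SPARC stub, is how one would settle the question for the Solaris target instead of relying on what adb shows.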


