Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Administrivia: List Announcement

From: xenophi1e <oliver.lavery () sympatico ca>
Date: 14 May 2003 15:14:39 -0000
In-Reply-To: <003001c319a0$30ff10f0$0100a8c0 () clippership com>


Well, I dunno about others on this list, but this old vuln by Solar 
Designer gives some good hints:

http://www.securityfocus.com/archive/1/71598

Seems like convincing free() to write to __free_hook or another pointer 
to code would work well here, although I'm not certain it's possible 
given the limited amount of data that can be tweaked in the malloc() 
bookkeeping info if the overwrite is indeed happening in buf1 and is only 
a single byte. 'Course it's a little hard to keep track of without the 
benefit of gdb.

Wish I had a linux box to play with at the moment :{

Cheers,
~ol



If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on
many factors) overwrite the first byte of buf2.  This is going to be (I
think) part of the size of the malloc'd buf2.  What interesting things
can happen when you then free() an incorrectly-sized buf2 (or otherwise
operate on buf2 if this were a real program) is something I am anxious
to learn from others on this list!
Previous By Date Next
Previous By Thread Next

Current thread: