Vulnerability Development mailing list archives
Re: heap overflows
From: "Vlad902" <vlad () sig11 zemos net>
Date: Thu, 26 Feb 2004 17:53:33 -0000
> printf("copied"); free(malloced_buffer1); free(malloced_buffer2);
This part of the code is incorrect: you're depending on the first chunk to hold your shellcode, and you are freeing it before you overwrite the GOT with the free(malloced_buffer2);. Also, you don't have a printf(); statement after the free(malloced_buffer2);, so it never returns to the shellcode (if it was there)! I recommend you remove the free(malloced_buffer1); and, instead of messing with the GOT, just overwrite __DTOR_END__ and be lazy :) You may also, just for debugging purposes, use "\xcc\xcc" instead of "\xeb\x0c", which will make it a trace/breakpoint trap, so that if it ever hits it your program will stop with a trace/breakpoint trap and core dump, and you know it is hitting the shellcode.
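The two mistakes Vlad902 points at can be shown without a real heap. The following is an added simulation, not code from this thread or from the original poster: it models a toy 32-bit address space in which addresses are offsets into a byte array, uses the dlmalloc/ptmalloc chunk layout of the time (fd at chunk+8, bk at chunk+12, user data starting at chunk+8) and the pre-safe-unlinking unlink() macro, and picks hypothetical addresses for the GOT slot, the two chunks and a bin head. It shows why the "\xeb\x0c" at the start of the payload is there (unlink's second write clobbers bytes 8..11 of the chunk the fake bk points at) and what freeing the first chunk before the second does to that payload.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Toy 32-bit "address space": an address is simply an index into mem[]. */
static uint8_t mem[256];

/* Hypothetical addresses chosen for the simulation (assumptions, not real values). */
enum {
    GOT_FREE  = 0x10,        /* stand-in for the GOT slot of free() */
    CHUNK1    = 0x38,        /* header of malloced_buffer1 */
    SHELLCODE = CHUNK1 + 8,  /* its user data, where the payload is placed */
    CHUNK2    = 0x80         /* header of malloced_buffer2, reached by the overflow */
};

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }

/* The classic unlink() macro (before glibc added the FD->bk == P check),
   operating on the chunk header at p. */
static void unlink_chunk(uint32_t p)
{
    uint32_t fd = rd32(p + 8);
    uint32_t bk = rd32(p + 12);
    wr32(fd + 12, bk);   /* FD->bk = BK  : the arbitrary 4-byte write */
    wr32(bk + 8, fd);    /* BK->fd = FD  : side effect, clobbers BK+8..BK+11 */
}

/* What free() does to the chunk being freed: it links the chunk into a bin,
   writing fd/bk over the first 8 bytes of the chunk's own user data. */
static void free_chunk(uint32_t chunk, uint32_t bin_head)
{
    wr32(chunk + 8, bin_head);
    wr32(chunk + 12, bin_head);
}

/* Payload placed in chunk 1: jmp +12 skips the bytes unlink will clobber,
   then a NOP sled stands in for the real shellcode. Swapping the first two
   bytes for 0xcc 0xcc would turn a landing here into a breakpoint trap. */
static void place_shellcode(void)
{
    memset(&mem[SHELLCODE], 0x90, 32);
    mem[SHELLCODE]     = 0xeb;
    mem[SHELLCODE + 1] = 0x0c;
}

/* The overflow out of chunk 1 into chunk 2's header: fake fd/bk so that
   unlink(chunk2) stores SHELLCODE into GOT_FREE. */
static void overflow_chunk2(void)
{
    wr32(CHUNK2 + 8,  GOT_FREE - 12);  /* FD: FD->bk is exactly the GOT slot */
    wr32(CHUNK2 + 12, SHELLCODE);      /* BK: becomes the new GOT value */
}

/* Scenario A: chunk 1 stays allocated; free(malloced_buffer2) triggers unlink. */
uint32_t scenario_keep_chunk1(void)
{
    memset(mem, 0, sizeof mem);
    place_shellcode();
    overflow_chunk2();
    unlink_chunk(CHUNK2);
    return rd32(GOT_FREE);
}

/* Scenario B, the quoted code: free(malloced_buffer1) first, then chunk 2. */
uint32_t scenario_free_chunk1_first(void)
{
    memset(mem, 0, sizeof mem);
    place_shellcode();
    overflow_chunk2();
    free_chunk(CHUNK1, 0xdeadbeef);  /* hypothetical bin head pointer */
    unlink_chunk(CHUNK2);
    return rd32(GOT_FREE);
}

/* Is the payload's first instruction still there, and does its jmp land
   beyond bytes 8..11 (2 + 0x0c = offset 14)? */
int jmp_intact(void)
{
    return mem[SHELLCODE] == 0xeb && mem[SHELLCODE + 1] == 0x0c
        && 2 + mem[SHELLCODE + 1] >= 12;
}

/* The dword unlink's second write left inside the payload. */
uint32_t clobbered_dword(void) { return rd32(SHELLCODE + 8); }
```

In both scenarios the GOT slot ends up holding SHELLCODE, so the write itself is not the problem; in scenario B the bin pointers written by the first free() have replaced the jmp, so whatever later calls through the slot lands on garbage. And since nothing in the quoted code calls free() after the second free(), the overwritten slot is never used at all, which is the second point in the reply.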
Current thread:
- heap overflows sigsegv (Feb 26)
- Re: heap overflows Steven Hill (Feb 26)
- <Possible follow-ups>
- Re: heap overflows Vlad902 (Feb 26)
- Re: heap overflows sigsegv (Feb 27)
- Re: heap overflows Vlad902 (Feb 27)