Vulnerability Development mailing list archives

Re: heap overflows


From: "Vlad902" <vlad () sig11 zemos net>
Date: Thu, 26 Feb 2004 17:53:33 -0000

     printf("copied");
     free(malloced_buffer1);
     free(malloced_buffer2);

This part of the code is incorrect, you're depending
on the first chunk to hold your shellcode, and you
are freeing it before you overwrite the GOT with the
free(malloced_buffer2);. Also you don't have a printf();
statement after the free(malloced_buffer2); so it
never returns to the shellcode (if it was there)! I
recommend you remove the free(malloced_buffer1); and,
instead of messing with the GOT, just
overwrite __DTOR_END__ and be lazy :)


You may also just for debugging purposes add a
"\xcc\xcc" instead of "\xeb\x0c", which will make
it a trace/breakpoint trap, so that if it ever
hits it, your program will stop with a
trace/breakpoint trap and will core dump, so you
know it is hitting the shellcode.
