Vulnerability Development mailing list archives

Re: partial analysis of vulndev-1.c


From: <andrewg () d2 net au>
Date: Wed, 14 May 2003 13:41:37 +1000 (EST)

Actually, during debugging I used a modified version with #define SIZE
10. This one did not produce a SIGSEGV.
When realising that others were able to produce one (Nexus for
example), I checked the unmodified one. It produces a SIGSEGV.

Does someone know why the modified one does not produce one?

Without looking and finding the original mail, it sounds like an off-by-one
malloc overflow. So to exploit that, IIRC, it's

padding[fake fwd][fake bck]padding[amount to reach the fake chunk backwards]

So it would be something like \xf8 or whatever you decide to use.

Hope this helps,
Andrew Griffiths
