Vulnerability Development mailing list archives

Re: heap overflows


From: Steven Hill <steve () covertsystems org>
Date: Fri, 27 Feb 2004 14:30:42 +1100 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 26 Feb 2004 sigsegv () ureach com wrote:
Hi everyone,
some questions about heap overflows:
a. On examining the memory I find that the 'size' field is one byte more than the total length of the memory chunk.
Why is this so?
b. My exploit does not work. Am I doing something wrong?
Environment: 
Linux 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
glibc-2.3.2-11.9 

thanks a zillion

Hey,...

Have a look at the attached vulnerable program and exploit
code. It is very similar to what you are trying to achieve
with regards to heap overflows...in particular a double 
free() vulnerability...

I have also included a command line exploit sequence...

Regards,
        SolarIce

- --

 ---=[ Covert Systems Research ]=-----------------------------//
 = www.covertsystems.org                                      -
 = Exploit Research & Development                             -
 = Specializing in Linux & UNIX Systems                       -
 --------------------------------------------=[ SolarIce ]=---//

 --The more one reads & learns, the less the other person knows.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)

iD8DBQFAPrnr+SI9HWArYE4RAoU9AJ9NjvDuelGjPBv0g8+JjU6EjzLFdwCfbsUm
qqG4uTE+yzDgfm7TMh1ALjA=
=nzJT
-----END PGP SIGNATURE-----

Attachment: bof-basics-3.txt
Attachment: exploit-3-1.c
Attachment: vuln-3.c
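The attachments are not reproduced in the archive, so the following is an added example and not code from the original post or its attachments. It models the glibc 2.3 (dlmalloc) chunk header on the poster's 32-bit i686 platform to answer question (a): the size field carries the chunk length ORed with flag bits in its low three bits, and PREV_INUSE (bit 0) is set whenever the preceding chunk is allocated, so a 32-byte chunk reads as 33 (0x21). The toy arena, the request sizes and the fill bytes are constructed for the demonstration; the constants (SIZE_SZ = 4, 8-byte alignment, MINSIZE = 16, flag bit values) are dlmalloc's on that platform, and the live read of p[-1] at the end assumes the host allocator is glibc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* dlmalloc parameters for 32-bit glibc 2.3 (i686): size_t is 4 bytes,
 * chunks are 8-byte aligned, the smallest chunk is 16 bytes. */
#define SIZE_SZ          4u
#define MALLOC_ALIGNMENT 8u
#define MINSIZE          16u

/* Flag bits kept in the low bits of the size field. PREV_INUSE is why
 * a 32-byte chunk shows a size field of 33 (0x21). */
#define PREV_INUSE     0x1u
#define IS_MMAPPED     0x2u
#define NON_MAIN_ARENA 0x4u
#define SIZE_BITS      (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* In-use chunk as dlmalloc lays it out. malloc() returns &mem[0]. Once the
 * chunk is freed, mem[0..3] holds fd and mem[4..7] holds bk; those are the
 * pointers a double free() or an unlink() overwrite goes after. */
struct chunk {
    uint32_t prev_size;  /* only meaningful when the previous chunk is free */
    uint32_t size;       /* chunk length in bytes, ORed with the flag bits */
    uint8_t  mem[];      /* user data */
};

/* request2size(): request plus SIZE_SZ overhead, rounded up to the alignment. */
static uint32_t dl_request2size(uint32_t req)
{
    uint32_t s = (req + SIZE_SZ + MALLOC_ALIGNMENT - 1) & ~(MALLOC_ALIGNMENT - 1);
    return s < MINSIZE ? MINSIZE : s;
}

/* Bytes the caller may write without touching the next header: the next
 * chunk's prev_size field doubles as the last SIZE_SZ bytes of user data. */
static uint32_t dl_usable_bytes(uint32_t req)
{
    return dl_request2size(req) - SIZE_SZ;
}

/* The raw size field a debugger shows for an in-use chunk whose predecessor
 * is also in use: length | PREV_INUSE, hence "one more than the length". */
static uint32_t dl_observed_size_field(uint32_t req)
{
    return dl_request2size(req) | PREV_INUSE;
}

static uint32_t dl_chunksize(uint32_t field) { return field & ~SIZE_BITS; }
static uint32_t dl_flags(uint32_t field)     { return field & SIZE_BITS; }

/* Constructed toy arena standing in for the real heap: chunks are carved from
 * the top in order, so two consecutive allocations are adjacent in memory. */
#define ARENA_BYTES 4096u

struct heap {
    uint32_t top;                 /* offset of the next free byte */
    uint8_t  arena[ARENA_BYTES];
};

static void *model_malloc(struct heap *h, uint32_t req)
{
    uint32_t csz = dl_request2size(req);
    if (h->top + csz > ARENA_BYTES)
        return NULL;
    struct chunk *c = (struct chunk *)(h->arena + h->top);
    c->size = csz | PREV_INUSE;   /* the chunk before us is still allocated */
    h->top += csz;
    return c->mem;
}

static struct chunk *mem2chunk(void *mem)
{
    return (struct chunk *)((uint8_t *)mem - 2 * SIZE_SZ);
}

/* Allocate two adjacent chunks of `req` bytes, write `n` bytes of `fill`
 * starting at the first one's user pointer, and return the second chunk's
 * raw size field. n == dl_usable_bytes(req) is the last safe length; one more
 * byte lands on the low byte of B's size field (little-endian x86). */
static uint32_t size_after_overflow(uint32_t req, uint32_t n, int fill)
{
    static struct heap h;
    memset(&h, 0, sizeof h);
    uint8_t *a = model_malloc(&h, req);
    uint8_t *b = model_malloc(&h, req);
    if (!a || !b || (uint32_t)(a - h.arena) + n > ARENA_BYTES)
        return 0;
    memset(a, fill, n);
    return mem2chunk(b)->size;
}

int main(void)
{
    uint32_t f = dl_observed_size_field(24), u = dl_usable_bytes(24);
    printf("malloc(24), 32-bit glibc 2.3: chunk %u bytes, size field 0x%x, flags %u\n",
           dl_chunksize(f), f, dl_flags(f));
    printf("bytes writable before B's header: %u\n", u);
    printf("B.size after %u-byte write: 0x%08x\n", u,     size_after_overflow(24, u, 'A'));
    printf("B.size after %u-byte write: 0x%08x\n", u + 1, size_after_overflow(24, u + 1, 0));
    printf("B.size after 32-byte write: 0x%08x\n",        size_after_overflow(24, 32, 'A'));

    /* Same flag mechanism on the host's own glibc (the field is 8 bytes on
     * x86-64). Reading p[-1] assumes glibc's header layout; other allocators
     * differ, so treat the value as informational only. */
    size_t *p = malloc(24);
    if (p) {
        printf("host glibc: size field of malloc(24) = %#zx\n", p[-1]);
        free(p);
    }
    return 0;
}
```

The 29th byte written through A is already B's size field, so a one-byte overrun that writes a NUL clears PREV_INUSE on B: when B is later freed, the allocator will believe A is free, read A's (attacker-controlled) fd/bk and consolidate backwards, which is the condition the classic unlink() write relies on.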


Current thread: