Vulnerability Development mailing list archives

Re: heap overflows


From: "Vlad902" <vlad () sig11 zemos net>
Date: Fri, 27 Feb 2004 19:36:56 -0000

strcpy(malloced_buffer1,argv[1]);
free(malloced_buffer1);
printf("something inconsequential");
free(malloced_buffer2);

This is still wrong, you have the printf()
statement after free()ing the _first_ buffer,
rather than the one you just modified. You want to
free() the second buffer, then have the printf()
statement, or just be lazy like I recommended and
don't free the first and just overwrite .dtors :).

Steven Hill really explained this much better than
me in his e-mail, and looking at what he said and
his exploit will probably help you out.


Just on a side note, I realized in your original
posting, in the exploit you have:

* objdump --dynamic-reloc <binary>
* In our case it is:
*             0804966c R_386_JUMP_SLOT   printf
*/

#define MALLOCED_SIZE 64
#define RET_LOC 0x08049660

It looks like you kept the original RET_LOC (-12)
that the author had for his binary rather than
replacing it with your own. It is possible that
you both have the same one, but it looks like you
kept the original value and didn't modify it.

Good luck.
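Added example, not code from the thread or from either poster: the same two-buffer pattern discussed above (MALLOCED_SIZE 64, strcpy of argv[1] into the first heap buffer) rewritten so an over-long argument is refused instead of being copied over the neighbouring chunk header. The function names copy_arg_bounded, process_arg and process_repeated are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MALLOCED_SIZE 64

/* Copy arg into dst only if it fits, NUL included.
 * Returns 0 on success, -1 if the input would overflow dst.
 * The original post's strcpy(malloced_buffer1, argv[1]) has no such
 * check, so anything past 63 bytes lands in the next chunk's header. */
int copy_arg_bounded(const char *arg, char *dst, size_t dst_size)
{
    size_t len = strlen(arg);
    if (dst_size == 0 || len >= dst_size)
        return -1;                 /* would overflow: refuse the copy */
    memcpy(dst, arg, len + 1);     /* len + 1 carries the terminating NUL */
    return 0;
}

/* Same two-buffer layout as in the thread, but with the bounded copy.
 * Returns 0 if the argument was accepted, -1 if it was rejected.
 * Both buffers are released exactly once in every path. */
int process_arg(const char *arg)
{
    char *malloced_buffer1 = malloc(MALLOCED_SIZE);
    char *malloced_buffer2 = malloc(MALLOCED_SIZE);
    int rc = -1;
    if (malloced_buffer1 && malloced_buffer2)
        rc = copy_arg_bounded(arg, malloced_buffer1, MALLOCED_SIZE);
    if (rc == 0)
        printf("copied %zu bytes\n", strlen(malloced_buffer1));
    else
        fprintf(stderr, "argument rejected: longer than %d bytes\n",
                MALLOCED_SIZE - 1);
    free(malloced_buffer1);
    free(malloced_buffer2);
    return rc;
}

/* Helper for testing the boundary: feeds a string of n copies of c. */
int process_repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        return -1;
    memset(s, c, n);
    s[n] = '\0';
    int rc = process_arg(s);
    free(s);
    return rc;
}
```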

