Vulnerability Development mailing list archives
Re: heap overflows
From: "Vlad902" <vlad () sig11 zemos net>
Date: Fri, 27 Feb 2004 19:36:56 -0000
> strcpy(malloced_buffer1, argv[1]);
> free(malloced_buffer1);
> printf("something inconsequential");
> free(malloced_buffer2);
This is still wrong: you have the printf() statement after free()ing the _first_ buffer, rather than the one you just modified. You want to free() the second buffer, then have the printf() statement, or just be lazy like I recommended and don't free the first and just overwrite .dtors :). Steven Hill really explained this much better than me in his e-mail, and looking at what he said and his exploit will probably help you out. Just on a side note, I realized in your original posting, in the exploit you have:
>  * objdump --dynamic-reloc <binary>
>  * In our case it is:
>  * 0804966c R_386_JUMP_SLOT printf
>  */
> #define MALLOCED_SIZE 64
> #define RET_LOC 0x08049660
It looks like you kept the original RET_LOC (-12) that the author had for his binary rather than replacing it with your own. It is possible that you both have the same one, but it looks like you kept the original value and didn't modify it. Good luck.
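For the defender's side of the technique this thread is about: the free() in question works because the allocator's unlink step blindly writes p->bk into p->fd->bk and p->fd into p->bk->fd, so overflowed chunk metadata turns free() into a write to a chosen address. The model below is an added example, not code from this thread or from any allocator; it uses a simplified chunk header (not glibc's real struct) and shows the "corrupted double-linked list" consistency check that glibc later added, rejecting a chunk whose neighbours do not point back at it.

```c
#include <stddef.h>
#include <stdbool.h>

/* Simplified model of a free chunk header (constructed for illustration,
   not glibc's actual malloc_chunk layout). */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk_t;

/* Safe-unlink check: both neighbours must point back at p. Metadata
   forged by an overflow almost never satisfies this, because the attacker
   controls p->fd and p->bk but not what those targets contain. */
bool unlink_links_consistent(const chunk_t *p) {
    return p->fd != NULL && p->bk != NULL &&
           p->fd->bk == p && p->bk->fd == p;
}

/* Unlink p from its free list only when the links are consistent.
   Returns false (and writes nothing) if the chunk looks corrupted. */
bool safe_unlink(chunk_t *p) {
    if (!unlink_links_consistent(p)) return false;
    chunk_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;     /* the two writes an unchecked unlink always performs */
    bk->fd = fd;
    return true;
}

/* Constructed scenario: a <-> b <-> c properly linked, unlink b, then
   give b forged fd/bk (as an overflow from the previous chunk would) and
   confirm the check refuses the unlink. Returns 0 when both paths behave. */
int demo(void) {
    chunk_t a = {0, 32, NULL, NULL}, b = {0, 32, NULL, NULL}, c = {0, 32, NULL, NULL};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    if (!safe_unlink(&b)) return 1;            /* consistent: must succeed */
    if (a.fd != &c || c.bk != &a) return 2;    /* a and c now adjacent     */
    chunk_t forged = {0, 32, NULL, NULL};      /* target whose links do not point back */
    b.fd = &forged; b.bk = &forged;
    if (safe_unlink(&b)) return 3;             /* corrupted: must be rejected */
    return 0;
}
```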