Vulnerability Development mailing list archives

Re: heap overflows
From: "Vlad902" <vlad () sig11 zemos net>
Date: Fri, 27 Feb 2004 19:36:56 -0000

strcpy(malloced_buffer1,argv[1]);
free(malloced_buffer1);
printf("something inconsequential");
free(malloced_buffer2);

This is still wrong, you have the printf()
statement after free()ing the _first_ buffer,
rather than the one you just modified. You want to
free() the second buffer, then have the printf()
statement, or just be lazy like I recommended and
don't free the first and just overwrite .dtors :).

Steven Hill really explained this much better than
me in his e-mail, and looking at what he said and
his exploit will probably help you out.


Just on a side note, I realized in your original
posting, in the exploit you have:

* objdump --dynamic-reloc <binary>
* In our case it is:
*             0804966c R_386_JUMP_SLOT   printf
*/

#define MALLOCED_SIZE 64
#define RET_LOC 0x08049660

It looks like you kept the original RET_LOC (-12)
that the author had for his binary rather than
replacing it with your own. It is possible that
you both have the same one, but it looks like you
kept the original value and didn't modify it.

Good luck.
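The root defect the thread is working around is the unchecked strcpy() of attacker-controlled input into a fixed-size malloc()ed buffer, which lets the copy run into the neighbouring chunk's allocator metadata. The following is an added example, not code from the thread or from either poster: it places that vulnerable pattern next to a bounds-checked replacement that refuses input which does not fit (terminating NUL included), so the copy can never reach the next chunk. MALLOCED_SIZE is the value from the quoted exploit; copy_checked, handle_input_hardened, would_overflow and constructed_input are names made up here, and the inputs are constructed for the demonstration.

```c
/* Added example (not from the original thread): the strcpy()-into-malloc()ed
 * buffer pattern beside a bounds-checked replacement.
 * MALLOCED_SIZE comes from the quoted exploit; all function names are
 * invented for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MALLOCED_SIZE 64

/* Original, vulnerable shape (for reference only; never run on untrusted input):
 *
 *     char *buf1 = malloc(MALLOCED_SIZE);
 *     char *buf2 = malloc(MALLOCED_SIZE);
 *     strcpy(buf1, argv[1]);     // no length check: bytes past 64 land in buf2's chunk header
 *     free(buf1);
 *     free(buf2);
 */

/* Bounds-checked copy. Returns 1 on success, 0 if src (plus its NUL) would
 * not fit in dst_size bytes. On failure nothing is written at all, so the
 * chunk following dst is never touched. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;          /* count the terminating NUL */
    if (dst_size == 0 || need > dst_size)
        return 0;
    memcpy(dst, src, need);
    return 1;
}

/* Hardened replacement for the vulnerable sequence above.
 * Returns 1 if the input was accepted, 0 if it was rejected as too long. */
int handle_input_hardened(const char *input)
{
    char *buf1 = malloc(MALLOCED_SIZE);
    char *buf2 = malloc(MALLOCED_SIZE);
    int ok = 0;

    if (buf1 && buf2)
        ok = copy_checked(buf1, MALLOCED_SIZE, input);

    free(buf1);
    free(buf2);
    return ok;
}

/* Reports, without copying anything, whether the unchecked strcpy() would
 * have written past a MALLOCED_SIZE-byte chunk for this input. */
int would_overflow(const char *input)
{
    return strlen(input) + 1 > MALLOCED_SIZE;
}

/* Constructed test input: a string of len 'A' characters (len < 256). */
const char *constructed_input(size_t len)
{
    static char buf[256];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : constructed_input(100);

    printf("input length %zu, would overflow under strcpy(): %s\n",
           strlen(input), would_overflow(input) ? "yes" : "no");
    printf("hardened handler accepted input: %s\n",
           handle_input_hardened(input) ? "yes" : "no");
    return 0;
}
```

The boundary worth checking is 63 versus 64 characters: a 63-character string plus its NUL exactly fills the 64-byte chunk and is accepted, while 64 characters would place the NUL one byte past the end and is rejected. Modern glibc also validates the doubly-linked list pointers before unlinking a chunk, which turns the metadata corruption this thread relies on into an abort rather than a controlled write, but that is a second line of defence; the length check is what removes the bug.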
