Monday, December 02, 2002, 2:03:04 AM, you wrote:

BM> *) Remember with heap based overflows you can write multiple sets of 4
BM> bytes. It's not the registers you are overflowing, but a structure. What do
BM> the other structure bytes control? Size does matter!

Well, it's not always possible. What if you can overwrite only one free chunk structure? Then the possibility to overwrite the chosen 4 bytes will occur in a call to free(), when *BK (previous free chunk pointer) would be replaced with the offset to a newly free()'ed one, containing our supplied data.

--
have phun,
Vizzy
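
The pointer write the message describes, shown on a toy free list next to the consistency check that stops it. This is an added example, not part of the original message and not code from any real allocator; the struct layout and the names `link_unchecked`, `link_checked` and `demo` are hypothetical, and the corrupted pointer is constructed inside the program.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy free-list node; fd/bk follow the dlmalloc naming convention. */
struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* Unchecked insert of p in front of fwd: trusts fwd->bk as read from the heap. */
static void link_unchecked(struct chunk *p, struct chunk *fwd) {
    struct chunk *bck = fwd->bk;
    p->fd = fwd;
    p->bk = bck;
    bck->fd = p;        /* this write lands wherever fwd->bk points */
    fwd->bk = p;
}

/* Hardened insert: refuse to link when the neighbours disagree. */
static int link_checked(struct chunk *p, struct chunk *fwd) {
    struct chunk *bck = fwd->bk;
    if (bck == NULL || bck->fd != fwd)
        return -1;      /* list is corrupted: stop before writing anything */
    p->fd = fwd;
    p->bk = bck;
    bck->fd = p;
    fwd->bk = p;
    return 0;
}

/* Constructed scenario: fwd.bk has been overwritten to point at an unrelated object. */
static int demo(int hardened) {
    struct chunk head = {0, NULL, NULL}, fwd = {64, NULL, NULL}, freed = {32, NULL, NULL};
    struct chunk unrelated = {0, NULL, NULL};    /* stands in for data outside the list */
    head.fd = &fwd; head.bk = &fwd; fwd.fd = &head; fwd.bk = &head;  /* sane circular list */
    fwd.bk = &unrelated;                         /* simulated result of the overflow */
    if (hardened) {
        if (link_checked(&freed, &fwd) != 0)
            return unrelated.fd == NULL ? 1 : 0; /* 1: rejected, nothing written */
        return 0;
    }
    link_unchecked(&freed, &fwd);
    return unrelated.fd == &freed ? 2 : 0;       /* 2: stray pointer write happened */
}

int main(void) {
    printf("unchecked=%d checked=%d\n", demo(0), demo(1));
    return 0;
}
```
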