Re: partial analysis of vulndev-1.c

From: andrewgat_private
Date: Tue May 13 2003 - 20:41:37 PDT


    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Actually, during debugging I used a modified version with #define SIZE
    > 10. This one did not produce a SIGSEGV.
    > When realising that others were able to produce one (Nexus, for
    > example), I checked the unmodified one. It produces a SIGSEGV.
    >
    > Does someone know why the modified one does not produce one?
    
    Without looking and finding the original mail, it sounds like an off-by-one
    malloc overflow. So to exploit that, IIRC, it's
    
    padding[fake fwd][fake bck]padding[amount to reach the fake chunk backwards]
    
    So it would be something like \xf8 or whatever you decide to use.
    
    Hope this helps,
    Andrew Griffiths
    
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.2 (GNU/Linux)
    >
    > iD8DBQE+wX0jWCFHEwXrEHMRAgx0AJ9o2sXADTflZWLOkDwyUn+FueY3EgCdF5Ck
    > RnHpQsRiuedObaBlLM50xU0=MI0H
    > -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Tue May 13 2003 - 21:36:27 PDT