Re: Administrivia: List Announcement

From: xenophi1e (oliver.laveryat_private)
Date: Wed May 14 2003 - 08:14:39 PDT


    
     ('binary' encoding is not supported, stored as-is)
    In-Reply-To: <003001c319a0$30ff10f0$0100a8c0at_private>
    
    
    Well, I dunno about others on this list, but this old vuln by Solar 
    Designer gives some good hints:
    
    http://www.securityfocus.com/archive/1/71598
    
    Seems like convincing free() to write to __free_hook or another pointer 
    to code would work well here, although I'm not certain it's possible 
    given the limited amount of data that can be tweaked in the malloc() 
    bookkeeping info if the overwrite is indeed happening in buf1 and is only 
    a single byte. 'Course it's a little hard to keep track of without the 
    benefit of gdb.
    
    Wish I had a linux box to play with at the moment :{
    
    Cheers,
    ~ol
    
    >
    >If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on
    >many factors) overwrite the first byte of buf2.  This is going to be (I
    >think) part of the size of the malloc'd buf2.  What interesting things
    >can happen when you then free() an incorrectly-sized buf2 (or otherwise
    >operate on buf2 if this were a real program) is something I am anxious
    >to learn from others on this list!
    >
    
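An added illustration of the bounds defect being discussed (constructed here, not code from the thread or from Solar Designer's post): a copy that writes its terminator at buf[len] spills one byte past a 252-byte allocation on input of exactly 252 bytes, which is the situation the quoted message describes, and a checked copy that refuses such input. The 252-byte size and the buf1/buf2 names are taken from the thread; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF1_SIZE 252   /* matches the 252-byte figure in the thread */

/* Reconstruction of the defective pattern: copies len bytes and then
 * writes the NUL at dst[len], so input of exactly the allocation size
 * writes one byte past the end (into the next chunk's header). */
void copy_unchecked(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    dst[len] = '\0';          /* off-by-one when len == allocation size */
}

/* Hardened copy: input must leave room for the terminator.
 * Returns 0 on success, -1 when the input would not fit. */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)   /* require len + 1 <= dst_size */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Number of bytes an unchecked copy of input_len bytes (plus NUL) would
 * write past a dst_size buffer; 0 when it fits. */
size_t overflow_bytes(size_t dst_size, size_t input_len) {
    size_t needed = input_len + 1;      /* payload plus NUL */
    return needed > dst_size ? needed - dst_size : 0;
}

int main(int argc, char **argv) {
    /* constructed default input when no argv[1] is given */
    const char *input = argc > 1 ? argv[1] : "constructed sample input";
    char *buf1 = malloc(BUF1_SIZE);
    char *buf2 = malloc(BUF1_SIZE);
    if (!buf1 || !buf2) return 1;
    if (copy_checked(buf1, BUF1_SIZE, input) != 0)
        fprintf(stderr, "input of %zu bytes rejected: would spill %zu byte(s) past buf1\n",
                strlen(input), overflow_bytes(BUF1_SIZE, strlen(input)));
    else
        printf("copied %zu bytes safely\n", strlen(buf1));
    free(buf2);
    free(buf1);
    return 0;
}
```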
    This archive was generated by hypermail 2b30 : Wed May 14 2003 - 15:34:07 PDT