
Re: Administrivia: List Announcement

From: xenophi1e <oliver.lavery(at)sympatico.ca>
Date: Wed May 14 2003 - 11:14:39 EDT
In-Reply-To: <003001c319a0$30ff10f0$0100a8c0@clippership.com>

Well, I dunno about others on this list, but this old vuln by Solar Designer gives some good hints:

http://www.securityfocus.com/archive/1/71598

Seems like convincing free() to write to __free_hook or another pointer to code would work well here, although I'm not certain it's possible given the limited amount of data that can be tweaked in the malloc() bookkeeping info if the overwrite is indeed happening in buf1 and is only a single byte. 'Course it's a little hard to keep track of without the benefit of gdb.

Wish I had a linux box to play with at the moment :{

Cheers,
~ol

>
>If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on
Received on Wed May 14 18:37:47 2003
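What a single overflowing byte from buf1 can actually reach in the neighbouring chunk's bookkeeping, as an added example for the message above (this is not code from the thread, from Solar Designer's post, or from the program being discussed). It models the 32-bit dlmalloc / early-glibc chunk layout in a plain byte array instead of calling the real allocator, and assumes: a 4-byte size field with 8-byte alignment, a little-endian machine, two adjacent in-use chunks, and the 252-byte request from the quoted message. The names (`setup_heap`, `chunk2_size`, `size_after_*`) are invented for the example.

```c
/*
 * Added example: a model of the 32-bit dlmalloc / early-glibc chunk layout
 * in a plain byte array (NOT the real allocator), built around the 252-byte
 * request discussed in the thread. It shows which bookkeeping field a single
 * byte written past buf1 lands on, and how much of that field can change.
 * Assumptions: 4-byte size field, 8-byte alignment, little-endian host.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE 0x1u          /* low bit of the size field */
#define REQ        252u          /* request size from the thread */
#define CHUNK      (REQ + 4u)    /* 256: request + 4-byte size field, already 8-aligned */
#define HDR        8u            /* prev_size + size */

/* Constructed arena: chunk1 at offset 0, chunk2 directly behind it. */
static uint8_t arena[2u * CHUNK + HDR];

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/*
 * Lay out two in-use chunks as dlmalloc would and return buf1 (chunk1's user
 * memory). While chunk1 is in use, its 252 usable bytes run right up to
 * chunk2's size field: buf1 + 252 == &chunk2.size.
 */
static uint8_t *setup_heap(void) {
    memset(arena, 0, sizeof arena);
    wr32(arena + 4,         CHUNK | PREV_INUSE);   /* chunk1.size = 0x101 */
    wr32(arena + CHUNK + 4, CHUNK | PREV_INUSE);   /* chunk2.size = 0x101 */
    return arena + HDR;
}

static uint32_t chunk2_size(void) { return rd32(arena + CHUNK + 4); }

/* Exactly 252 bytes: fits, chunk2.size stays 0x101 (256 | PREV_INUSE). */
static uint32_t size_after_exact_fit(void) {
    uint8_t *buf1 = setup_heap();
    memset(buf1, 'A', REQ);
    return chunk2_size();
}

/*
 * The vulnerable pattern: 253 bytes copied with no length check. Only the
 * low byte of chunk2.size is reachable, i.e. the three flag bits plus size
 * bits 3..7; the upper 24 bits of size and the fd/bk pointers are not.
 */
static uint32_t size_after_one_byte_overflow(uint8_t byte253) {
    uint8_t *buf1 = setup_heap();
    uint8_t arg[REQ + 1];
    memset(arg, 'A', REQ);
    arg[REQ] = byte253;
    memcpy(buf1, arg, REQ + 1);       /* writes one byte past buf1 */
    return chunk2_size();
}

/* strcpy of a 252-char argument: the terminating NUL is the 253rd byte. */
static uint32_t size_after_strcpy_252(void) {
    uint8_t *buf1 = setup_heap();
    char arg[REQ + 1];
    memset(arg, 'A', REQ);
    arg[REQ] = '\0';
    strcpy((char *)buf1, arg);        /* NUL clears PREV_INUSE of chunk2 */
    return chunk2_size();
}

static void show(const char *label, uint32_t size) {
    printf("%-22s chunk2.size=0x%03x -> size=%u prev_inuse=%u\n",
           label, (unsigned)size, (unsigned)(size & ~7u),
           (unsigned)(size & PREV_INUSE));
}

int main(void) {
    show("exact fit (252)", size_after_exact_fit());
    show("strcpy NUL (253rd)", size_after_strcpy_252());
    show("byte 253 = 0xf8", size_after_one_byte_overflow(0xf8));
    return 0;
}
```

The run makes the constraint in the message concrete: with a 252-byte request the 253rd byte sits on the low byte of the next chunk's size field, so a NUL from strcpy only clears PREV_INUSE (0x101 becomes 0x100), and an attacker-chosen byte can set the flags and the low five size bits but nothing above 0xff. Whether that is enough to steer free() into a write of __free_hook depends on the allocator's consolidation logic, which this model does not include. Note also that the model is the 2003-era layout; current glibc has removed __free_hook (since 2.34) and added integrity checks on the size and link fields, so the route sketched in the thread does not carry over unchanged to modern systems.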

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

