• The first value is the location of free(), since we are going to overwrite it
– $ objdump -R ./heap | grep free
– 08049548 R_386_JUMP_SLOT free
• The second value is the location of buf1
– $ ltrace ./heap 2>&1 | grep 300
– malloc(300) = 0x08049560
• Side note: we could also overwrite .dtors, use an environment variable for shell code if we are tight on space, etc. etc. - just like in the buffer overflow or the format string examples from earlier
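The two lookups above are done by eye on the slide. The following script is an added example, not part of the original slides or the `heap` program they describe: it parses constructed sample output modelled on `objdump -R`, `ltrace` and `readelf -l` / `readelf -d` (the sample text is made up here, not captured from a real run) and recovers the same two values mechanically. It also adds the check a defender would want next to any GOT-overwrite discussion: whether the binary was linked with RELRO, because under full RELRO (a `GNU_RELRO` segment plus `BIND_NOW`) the `free` slot is mapped read-only after loading and the overwrite the slide relies on is no longer possible. The `heap` addresses and the RELRO sample lines are assumptions chosen to match the slide's 32-bit example.

```python
import re

# Constructed sample of `objdump -R ./heap` (made up to match the slide's values).
OBJDUMP_R_OUTPUT = """\
DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049538 R_386_GLOB_DAT    __gmon_start__
08049544 R_386_JUMP_SLOT   malloc
08049548 R_386_JUMP_SLOT   free
0804954c R_386_JUMP_SLOT   __libc_start_main
"""

# Constructed sample of `ltrace ./heap 2>&1` (made up; buf1 is the 300-byte allocation).
LTRACE_OUTPUT = """\
__libc_start_main(0x80484a4, 1, 0xbffff7a4, 0x8048520, 0x8048590 <unfinished ...>
malloc(300)                                      = 0x08049560
malloc(200)                                      = 0x08049690
free(0x08049560)                                 = <void>
"""

# Constructed `readelf -l` program-header lines: one binary without RELRO, one with it.
READELF_L_NO_RELRO = """\
  LOAD           0x000000 0x08048000 0x08048000 0x00714 0x00714 R E 0x1000
  LOAD           0x000714 0x08049714 0x08049714 0x00108 0x00110 RW  0x1000
  DYNAMIC        0x000728 0x08049728 0x08049728 0x000c8 0x000c8 RW  0x4
"""
READELF_L_RELRO = """\
  LOAD           0x000000 0x08048000 0x08048000 0x00714 0x00714 R E 0x1000
  LOAD           0x000f0c 0x08049f0c 0x08049f0c 0x00108 0x00110 RW  0x1000
  GNU_RELRO      0x000f0c 0x08049f0c 0x08049f0c 0x000f4 0x000f4 R   0x1
"""
# Constructed `readelf -d` lines that mark immediate binding (full RELRO).
READELF_D_BIND_NOW = """\
 0x0000001e (FLAGS)                      BIND_NOW
 0x6ffffffb (FLAGS_1)                    Flags: NOW
"""

# One JUMP_SLOT record per line: "<offset> R_<arch>_JUMP_SLOT <symbol>".
JUMP_SLOT_RE = re.compile(r"^([0-9a-fA-F]+)\s+R_\w+_JUMP_SLOT\s+(\S+)\s*$", re.M)
# ltrace allocation line: "malloc(<size>) = 0x<addr>".
MALLOC_RE = re.compile(r"^malloc\((\d+)\)\s*=\s*(0x[0-9a-fA-F]+)", re.M)


def got_slot(objdump_r_output, symbol):
    """Return the GOT slot address of `symbol` as an int, or None if not imported."""
    for m in JUMP_SLOT_RE.finditer(objdump_r_output):
        if m.group(2) == symbol:
            return int(m.group(1), 16)
    return None


def malloc_returns(ltrace_output, size):
    """Return every pointer malloc() handed back for a request of exactly `size` bytes."""
    return [int(m.group(2), 16)
            for m in MALLOC_RE.finditer(ltrace_output)
            if int(m.group(1)) == size]


def relro_level(readelf_l_output, readelf_d_output):
    """Classify RELRO: 'none' (GOT stays writable), 'partial' (GOT slots for lazy
    binding stay writable), or 'full' (GNU_RELRO plus BIND_NOW, GOT is read-only)."""
    if "GNU_RELRO" not in readelf_l_output:
        return "none"
    if re.search(r"\(FLAGS\)\s+.*\bBIND_NOW\b|\(FLAGS_1\)\s+Flags:.*\bNOW\b",
                 readelf_d_output):
        return "full"
    return "partial"


def got_slot_writable(readelf_l_output, readelf_d_output):
    """True when a JUMP_SLOT entry can still be modified at run time (no or partial RELRO)."""
    return relro_level(readelf_l_output, readelf_d_output) != "full"


if __name__ == "__main__":
    free_slot = got_slot(OBJDUMP_R_OUTPUT, "free")
    buf1 = malloc_returns(LTRACE_OUTPUT, 300)[0]
    print("free GOT slot: 0x%08x" % free_slot)
    print("buf1:          0x%08x" % buf1)
    for name, l_out, d_out in (("no-relro", READELF_L_NO_RELRO, ""),
                               ("full-relro", READELF_L_RELRO, READELF_D_BIND_NOW)):
        print("%s: %s, GOT writable=%s" % (name, relro_level(l_out, d_out),
                                           got_slot_writable(l_out, d_out)))
```

Run against real output by piping `objdump -R`, `ltrace` and `readelf -l`/`readelf -d` of the binary under study into the three functions; if `relro_level` reports `full`, the `R_386_JUMP_SLOT` entry for `free` is mapped read-only after the loader finishes and the GOT-overwrite step on the slide is the thing to fix at build time (`-Wl,-z,relro,-z,now`) rather than something to look for in the binary.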