On FreeBSD, dump has the same hole I described in my previous post. Only it is
exploitable :-)
Dump with kerberos has __atexit and __cleanup after all the other variables on the
heap. By overwriting these variables you can start your shellcode.
Most of the credits should go to zen-parse who found and tested this.
-lamagra
Greets to lurux, grue, typo, jolt-freak.
http://lamagra/seKure.de
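Added example (not lamagra's or zen-parse's code, and not dump's real memory map): a small C model of what the post describes. A fixed-size buffer sits in memory directly before an exit hook, playing the role of libc's __cleanup, which exit() calls through a function pointer. An unchecked copy runs past the buffer and replaces the pointer with an attacker-chosen address (here a local function standing in for shellcode), so the "shellcode" runs as soon as the hook fires. The struct layout, the payload builder and the function names are all constructed for this illustration; the bounds-checked copy next to the vulnerable one shows the fix.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout for this example: the overflowable buffer is followed
 * in memory by an exit hook, the way the post describes __cleanup sitting
 * after the other heap variables in the Kerberos build of dump. */
struct victim {
    char   buf[32];
    void (*cleanup)(void);      /* stands in for libc's __cleanup */
};

static int g_cleanup_ran = 0;
static int g_attacker_ran = 0;

static void legit_cleanup(void) { g_cleanup_ran = 1; }

/* Stands in for shellcode: a real exploit would write the address of
 * injected code here instead of a function compiled into the binary. */
static void attacker_code(void) { g_attacker_ran = 1; }

/* Build the overflow payload: padding up to the pointer, then the raw bytes
 * of the address we want the hook to jump to. Returns the payload length. */
size_t build_payload(unsigned char *out, size_t outlen, void (*target)(void))
{
    size_t pad = offsetof(struct victim, cleanup);
    if (outlen < pad + sizeof target)
        return 0;
    memset(out, 'A', pad);
    memcpy(out + pad, &target, sizeof target);
    return pad + sizeof target;
}

/* Vulnerable path: copies attacker-controlled data with no length check,
 * like strcpy()/sprintf() into a fixed buffer. */
static void vuln_copy(struct victim *v, const unsigned char *in, size_t inlen)
{
    memcpy(v->buf, in, inlen);  /* BUG: inlen may exceed sizeof v->buf */
}

/* Fixed path: refuses anything that does not fit in the buffer. */
static int safe_copy(struct victim *v, const unsigned char *in, size_t inlen)
{
    if (inlen > sizeof v->buf)
        return -1;
    memcpy(v->buf, in, inlen);
    return 0;
}

/* Mimics exit(): call the hook if one is registered. */
static void run_exit_hook(struct victim *v)
{
    if (v->cleanup)
        v->cleanup();
}

/* Runs the scenario once. Returns 1 if the hijacked hook ran attacker_code,
 * 0 if the legitimate cleanup ran (i.e. the overflow was stopped). */
int demo(int use_safe_copy)
{
    struct victim *v = calloc(1, sizeof *v);
    unsigned char payload[64];
    size_t n;

    if (v == NULL)
        return -1;
    v->cleanup = legit_cleanup;
    g_cleanup_ran = g_attacker_ran = 0;

    n = build_payload(payload, sizeof payload, attacker_code);
    if (use_safe_copy)
        (void)safe_copy(v, payload, n);   /* rejected: pointer stays intact */
    else
        vuln_copy(v, payload, n);         /* overwrites v->cleanup */

    run_exit_hook(v);
    free(v);
    return g_attacker_ran ? 1 : 0;
}

int main(void)
{
    return (demo(0) == 1 && demo(1) == 0) ? 0 : 1;
}
```

demo(0) takes the vulnerable path and reports that attacker_code ran from the exit hook; demo(1) takes the bounds-checked path and the original cleanup runs instead. In a real target the pointer bytes in the payload would be the address of the shellcode, and the hook fires on the program's normal exit, which is why no crash is needed to get control.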