Metasploit mailing list archives
Remote code execution when only able to write 1 byte?
From: pusscat at metasploit.com (Pusscat)
Date: Mon, 12 Mar 2007 09:22:20 -0400
You can certainly still do it in XPSP2, but it'll only hit 1 of every 256 times. ;)

The idea is that you're changing the size of the next in-use chunk so that it looks inside itself for the next chunk when it finally is freed. Then you've got a standard heap overflow situation, provided you control that chunk.

Thank Alex Sotirov for my understanding of this ;)

~ Puss

-----Original Message-----
From: Nicolas RUFF [mailto:nicolas.ruff at gmail.com]
Sent: Sunday, March 11, 2007 6:32 AM
To: framework at metasploit.com
Subject: Re: [framework] Remote code execution when only able to write 1 byte?

> If you are only able to write over 1 byte of the heap, how would it be possible to execute arbitrary code? Thanks.

It used to be possible, but starting with Windows XP SP2, heap structures are cookie-protected and sanity-checked. It's getting worse with Vista, since heap structures are using XOR-ed pointers.

Note that this does *not* apply to non-Windows managed heaps (e.g. Delphi, Cygwin, etc.)

Regards,
- Nicolas RUFF
Current thread:
- Remote code execution when only able to write 1 byte? Mathew Rowley (Feb 16)
- Remote code execution when only able to write 1 byte? Alexander Sotirov (Feb 16)
- Remote code execution when only able to write 1 byte? Nicolas RUFF (Mar 11)
- Remote code execution when only able to write 1 byte? Pusscat (Mar 12)