Metasploit mailing list archives

Remote code execution when only able to write 1 byte?


From: pusscat at metasploit.com (Pusscat)
Date: Mon, 12 Mar 2007 09:22:20 -0400

You can certainly still do it in XPSP2, but it'll only hit 1 of every 256
times. ;)

The idea is that you're changing the size of the next in use chunk so that
it looks inside itself for the next chunk when it finally is freed. Then
you've got a standard heap overflow situation, provided you control that
chunk.  Thank Alex Sotirov for my understanding of this ;)

~ Puss

-----Original Message-----
From: Nicolas RUFF [mailto:nicolas.ruff at gmail.com] 
Sent: Sunday, March 11, 2007 6:32 AM
To: framework at metasploit.com
Subject: Re: [framework] Remote code execution when only able to write 1 byte?

If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code?  Thanks.

It used to be possible, but starting with Windows XP SP2, heap
structures are cookie-protected and sanity-checked.

It's getting worse with Vista, since heap structures are using XOR-ed
pointers.

Note that this does *not* apply to non-Windows managed heaps (e.g.
Delphi, Cygwin, etc.)

Regards,
- Nicolas RUFF
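The header cookie and sanity check that Nicolas refers to (and that explains Pusscat's 1-in-256 figure) is easiest to see on a toy model. The following C is an added illustration, not code from either poster and not the real Windows HEAP_ENTRY layout: it assumes a six-byte chunk header whose last byte is an 8-bit cookie derived from the other header bytes plus a per-heap secret, and a validation step that the allocator runs before trusting a header on free. Flipping any single bit of the size field changes the cookie, so the header is rejected; sweeping all 256 values of the size's low byte shows that only the untouched value passes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy header (NOT the Windows HEAP_ENTRY layout): two 16-bit
 * size fields, a flags byte, and an 8-bit integrity cookie at the end. */
typedef struct {
    uint16_t size;       /* size of this chunk, in allocation units */
    uint16_t prev_size;  /* size of the previous chunk */
    uint8_t  flags;      /* FLAG_BUSY when the chunk is in use */
    uint8_t  cookie;     /* XOR of the bytes above mixed with a heap secret */
} chunk_hdr_t;

#define FLAG_BUSY 0x01

/* Cookie over every header byte except the cookie itself. Because it is an
 * XOR, changing any one header byte to a different value always changes it. */
static uint8_t compute_cookie(const chunk_hdr_t *h, uint8_t heap_secret) {
    const uint8_t *p = (const uint8_t *)h;
    uint8_t c = heap_secret;
    for (size_t i = 0; i < offsetof(chunk_hdr_t, cookie); i++)
        c ^= p[i];
    return c;
}

/* Fill in a header and seal it with its cookie (what the allocator does). */
void hdr_init(chunk_hdr_t *h, uint16_t size, uint16_t prev_size,
              uint8_t flags, uint8_t heap_secret) {
    h->size = size;
    h->prev_size = prev_size;
    h->flags = flags;
    h->cookie = compute_cookie(h, heap_secret);
}

/* Sanity check before the header is trusted (e.g. on free):
 * the cookie must match and the size must be non-zero and inside the heap.
 * Returns 1 if the header is acceptable, 0 if it is corrupt. */
int hdr_validate(const chunk_hdr_t *h, uint8_t heap_secret, size_t heap_units) {
    if (compute_cookie(h, heap_secret) != h->cookie) return 0;
    if (h->size == 0 || h->size > heap_units) return 0;
    return 1;
}

/* Try every possible value of the low byte of `size` on a sealed header and
 * count how many the validator accepts. With an XOR cookie only the original
 * byte passes, i.e. 1 of 256, matching the odds quoted in the thread. */
int count_size_low_bytes_passing(uint8_t heap_secret) {
    chunk_hdr_t sealed;
    hdr_init(&sealed, 0x20, 0x10, FLAG_BUSY, heap_secret);
    int passing = 0;
    for (int b = 0; b < 256; b++) {
        chunk_hdr_t t = sealed;
        t.size = (uint16_t)((sealed.size & 0xFF00u) | (unsigned)b);
        if (hdr_validate(&t, heap_secret, 0x1000)) passing++;
    }
    return passing;
}

int main(void) {
    const uint8_t secret = 0x5A;   /* constructed per-heap secret */
    chunk_hdr_t h;
    hdr_init(&h, 0x20, 0x10, FLAG_BUSY, secret);
    printf("intact header valid:    %d\n", hdr_validate(&h, secret, 0x1000));

    h.size ^= 0x80;                /* one-bit corruption of the size field */
    printf("corrupted header valid: %d\n", hdr_validate(&h, secret, 0x1000));

    printf("size low-byte values accepted: %d of 256\n",
           count_size_low_bytes_passing(secret));
    return 0;
}
```

The toy makes the trade-off visible: an 8-bit cookie stops any deterministic one-byte change, but an attacker who cannot read the secret still has a 1-in-256 chance of guessing a header that passes, which is why later releases added further checks rather than relying on the cookie alone.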
