Metasploit mailing list archives
Remote code execution when only able to write 1 byte?
From: mrowley at esoft.com (Mathew Rowley)
Date: Fri, 16 Feb 2007 09:05:11 -0700
After looking over Patch Tuesday, the FTP patch for MS07-16 (http://www.microsoft.com/technet/security/bulletin/ms07-016.mspx) caught my eye. I did a little research and found some more information about it (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=473).

According to iDefense, "As there can be multiple lines in a reply [from an FTP server], code in the client breaks the reply up into lines, putting a null byte (character 0x00) after any end of line character. In the case where a line ends exactly on the last character of the reply buffer, the terminating null byte is written outside of the allocated space, overwriting a byte of the heap management structure."

If you are only able to write over 1 byte of the heap, how would it be possible to execute arbitrary code?

Thanks.

--
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
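The bug class quoted above (a line-splitting loop that stores a NUL after every end-of-line byte without checking that the position is still inside the allocation) is easy to see in a small model. The following is an added example, not code from the thread or from the Microsoft FTP client: the buffer is a constructed 16-byte array followed by one extra byte that stands in for the allocator metadata sitting right after a heap allocation, and the reply text is constructed so that its final byte is the newline, which is exactly the edge case the bulletin describes. The unchecked splitter clobbers the simulated header byte with 0x00; the bounds-checked variant only writes a terminator when there is room for one.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Reply buffer model, constructed for this example: REPLY_CAP usable bytes
   followed by one extra byte standing in for the allocator metadata that
   sits immediately after a heap allocation. */
#define REPLY_CAP   16
#define HEADER_MARK 0xAB

/* Vulnerable pattern described in the bulletin: after every end-of-line
   byte a NUL is stored at the next position, with no check that this
   position is still inside the reply buffer. Returns the line count.
   'raw' must hold REPLY_CAP + 1 bytes (data plus the simulated header). */
size_t split_lines_unchecked(unsigned char *raw, size_t len)
{
    size_t lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (raw[i] == '\n') {
            raw[i + 1] = '\0';   /* when i == REPLY_CAP - 1 this lands on the header byte */
            lines++;
        }
    }
    return lines;
}

/* Hardened version: a terminator is written only if its position is inside
   the buffer. A line that ends exactly on the last byte is still counted,
   but nothing is written past 'cap'. */
size_t split_lines_checked(unsigned char *raw, size_t len, size_t cap)
{
    size_t lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (raw[i] == '\n') {
            lines++;
            if (i + 1 < cap)
                raw[i + 1] = '\0';
            else
                break;           /* no room for a terminator: do not write one */
        }
    }
    return lines;
}

/* Load a constructed 16-byte FTP reply whose final byte is '\n' and mark
   the simulated header byte. Returns the reply length. */
static size_t load_reply(unsigned char *raw)
{
    static const char reply[] = "220 Welcome!!!\r\n";   /* 16 bytes, ends on '\n' */
    size_t len = strlen(reply);
    memcpy(raw, reply, len);
    raw[REPLY_CAP] = HEADER_MARK;
    return len;
}

/* Run the unchecked splitter and return the simulated header byte afterwards. */
int header_after_unchecked(void)
{
    unsigned char raw[REPLY_CAP + 1];
    size_t len = load_reply(raw);
    split_lines_unchecked(raw, len);
    return raw[REPLY_CAP];
}

/* Same, with the bounds-checked splitter. */
int header_after_checked(void)
{
    unsigned char raw[REPLY_CAP + 1];
    size_t len = load_reply(raw);
    split_lines_checked(raw, len, REPLY_CAP);
    return raw[REPLY_CAP];
}

int main(void)
{
    printf("unchecked: header byte = 0x%02x (0x00 means the NUL landed outside the buffer)\n",
           header_after_unchecked());
    printf("checked:   header byte = 0x%02x (0x%02x means it is intact)\n",
           header_after_checked(), HEADER_MARK);
    return 0;
}
```

The fix is the single bounds comparison in split_lines_checked; the same defect class is what a fuzzer or an allocator with guard bytes (page heap, ASan) would flag as a one-byte heap overflow on the exact-length reply.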
Current thread:
- Remote code execution when only able to write 1 byte? Mathew Rowley (Feb 16)
- Remote code execution when only able to write 1 byte? Alexander Sotirov (Feb 16)
- Remote code execution when only able to write 1 byte? Nicolas RUFF (Mar 11)
- Remote code execution when only able to write 1 byte? Pusscat (Mar 12)