Metasploit mailing list archives

Remote code execution when only able to write 1 byte?


From: mrowley at esoft.com (Mathew Rowley)
Date: Fri, 16 Feb 2007 09:05:11 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

After looking over Patch Tuesday, the FTP patch for MS07-016
(http://www.microsoft.com/technet/security/bulletin/ms07-016.mspx)
caught my eye.  I did a little research and found some more
information about it
(http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=473)

According to iDefense,

"As there can be multiple lines in a reply [from an ftp server], code in
the client breaks the reply up into lines, putting a null byte
(character 0x00) after any end of line character. In the case where a
line ends exactly on the last character of the reply buffer, the
terminating null byte is written outside of the allocated space,
overwriting a byte of the heap management structure."

If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code?  Thanks.


- -- 


\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFF1dY647s/xIwy7o0RAgR8AJ9LTuRPR1tCupzD62Jbg0/nd4+zMACcDYxl
ZUcpKf1EaUMvAlmTDRk3EQo=
=LT/Q
-----END PGP SIGNATURE-----
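
The off-by-one the quoted advisory describes, modelled as an added example (this is not code from the post, from iDefense or from the affected client, and the CR/LF detail is an assumption): a splitter that terminates each reply line by writing a NUL after the end-of-line character, run against a copy of the reply with one sentinel byte appended in place of the heap-management byte the advisory mentions. The vulnerable splitter overwrites that sentinel whenever the reply buffer ends exactly on the end-of-line character; the hardened splitter bounds the write and treats such a line as incomplete. The function names, the choice of `'\r'` as the end-of-line character the client keys on, and the sample replies are all constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the reply-splitting bug quoted from the iDefense
 * advisory. Assumption (not stated on the page): the client keys on the
 * '\r' of the FTP "\r\n" pair and writes its NUL terminator on the byte
 * after it, i.e. over the '\n'. When a reply buffer ends exactly on '\r',
 * that NUL lands one byte past the buffer. */

#define SENTINEL 0xAA  /* stands in for the heap-management byte after the buffer */

/* Vulnerable splitter: never checks that i + 1 is still inside the buffer.
 * Returns the number of lines it terminated. */
static size_t split_lines_vulnerable(char *buf, size_t len)
{
    size_t lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\r') {
            buf[i + 1] = '\0';   /* off-by-one when i == len - 1 */
            lines++;
        }
    }
    return lines;
}

/* Hardened splitter: the loop bound i + 1 < len guarantees the terminator
 * is written inside the buffer. A '\r' sitting in the final slot has no
 * room for its terminator, so that line is left incomplete for the next
 * read instead of being terminated out of bounds. Returns the number of
 * complete lines. */
static size_t split_lines_safe(char *buf, size_t len)
{
    size_t lines = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == '\r') {
            buf[i + 1] = '\0';
            lines++;
        }
    }
    return lines;
}

/* Runs `split` over a copy of `reply` placed in a buffer of len + 1 bytes
 * whose extra byte holds SENTINEL. Returns 1 if that byte was overwritten
 * (the one-byte heap write from the advisory), 0 if it is intact, -1 on
 * allocation failure. Because the extra byte is ours, the demonstration
 * stays inside allocated memory and is not undefined behaviour. */
static int clobbers_byte_past_reply(size_t (*split)(char *, size_t),
                                    const char *reply, size_t len)
{
    unsigned char *buf = malloc(len + 1);
    if (!buf)
        return -1;
    memcpy(buf, reply, len);
    buf[len] = SENTINEL;
    split((char *)buf, len);
    int clobbered = buf[len] != SENTINEL;
    free(buf);
    return clobbered;
}

/* Number of complete lines the hardened splitter finds in `reply`. */
static size_t count_complete_lines(const char *reply, size_t len)
{
    char *buf = malloc(len + 1);
    if (!buf)
        return 0;
    memcpy(buf, reply, len);
    buf[len] = '\0';
    size_t lines = split_lines_safe(buf, len);
    free(buf);
    return lines;
}

int main(void)
{
    /* Constructed replies: the first ends exactly on the EOL character. */
    const char *cut = "220 hi\r\n331 pw\r";      /* 15 bytes, '\r' is last */
    const char *whole = "220 hi\r\n331 pw\r\n";  /* 16 bytes, '\n' is last */

    printf("vulnerable, reply ends on EOL : clobbered=%d\n",
           clobbers_byte_past_reply(split_lines_vulnerable, cut, strlen(cut)));
    printf("hardened,   reply ends on EOL : clobbered=%d lines=%zu\n",
           clobbers_byte_past_reply(split_lines_safe, cut, strlen(cut)),
           count_complete_lines(cut, strlen(cut)));
    printf("vulnerable, reply ends on LF  : clobbered=%d\n",
           clobbers_byte_past_reply(split_lines_vulnerable, whole, strlen(whole)));
    return 0;
}
```

The sentinel check is the same idea a heap debugger or a fuzzing harness with guard bytes uses to flag this class of bug: a single NUL landing on the byte just past an allocation is silent at runtime unless something is watching that byte.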

