Metasploit mailing list archives
Remote code execution when only able to write 1 byte?
From: asotirov at determina.com (Alexander Sotirov)
Date: Fri, 16 Feb 2007 10:24:39 -0800
Mathew Rowley wrote:
"As there can be multiple lines in a reply [from an FTP server], code in the client breaks the reply up into lines, putting a null byte (character 0x00) after any end of line character. In the case where a line ends exactly on the last character of the reply buffer, the terminating null byte is written outside of the allocated space, overwriting a byte of the heap management structure."
If you are only able to write over 1 byte of the heap, how would it be possible to execute arbitrary code? Thanks.
See http://www.phrack.org/archives/55/P55-08 for some background. The FTP bug is on the heap, but it's conceptually similar. You overwrite the low byte of the size field in the next malloc chunk. That changes the size of the chunk, and the header after it is read from the middle of the chunk.
Alex
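The off-by-one Mathew quotes, as an added C example that is not from this thread or the affected client: a reply-buffer line splitter with the bounds check the original lacked, modelled on the quoted description and assuming CRLF line endings, so the NUL written after the '\r' normally lands on the '\n' (function and buffer names are mine).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINES 8

/* Splits an FTP reply held in buf[0..len) into C strings, one per line.
 * Each line ends with '\r'; the line is terminated by writing '\0' into
 * the byte after it (the '\n' of the CRLF pair). When the reply fills
 * the allocation exactly and its last byte is the end-of-line character,
 * the unchecked original wrote buf[cap]: the first byte of whatever
 * follows the buffer on the heap (the next chunk's size field).
 * Returns the line count, or -1 if a terminator would fall at buf[cap]. */
int split_ftp_reply(char *buf, size_t len, size_t cap,
                    char *lines[], size_t max_lines)
{
    size_t n = 0, start = 0;
    if (len > cap)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '\r')
            continue;
        if (i + 1 >= cap)          /* the check the original lacked */
            return -1;
        buf[i + 1] = '\0';         /* in bounds: i + 1 < cap */
        if (n < max_lines)
            lines[n] = buf + start;
        n++;
        i++;                       /* step over the terminator */
        start = i + 1;
    }
    return (int)n;
}

/* Reports whether the unchecked splitter would write past the buffer
 * for this reply, without performing the write. */
int reply_triggers_off_by_one(const char *buf, size_t len, size_t cap)
{
    return len == cap && len > 0 && buf[len - 1] == '\r';
}

int main(void)
{
    /* Constructed reply that fills its 13-byte buffer exactly and ends
     * on the end-of-line character: the case the quoted text describes. */
    char reply[13];
    char *lines[MAX_LINES];
    memcpy(reply, "230 Login ok\r", sizeof reply);
    int n = split_ftp_reply(reply, sizeof reply, sizeof reply, lines, MAX_LINES);
    printf("lines=%d (terminator would land at reply[13])\n", n);
    return 0;
}
```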