Metasploit mailing list archives

Remote code execution when only able to write 1 byte?


From: asotirov at determina.com (Alexander Sotirov)
Date: Fri, 16 Feb 2007 10:24:39 -0800

Mathew Rowley wrote:
"As there can be multiple lines in a reply [from an ftp server], code in
the client breaks the reply up into lines, putting a null byte
(character 0x00) after any end of line character. In the case where a
line ends exactly on the last character of the reply buffer, the
terminating null byte is written outside of the allocated space,
overwriting a byte of the heap management structure."

If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code?  Thanks.

See http://www.phrack.org/archives/55/P55-08 for some background.

The FTP bug is on the heap, but it's conceptually similar. You overwrite the low
byte of the size field in the next malloc chunk. That changes the size of the
chunk, and the header after it is read from the middle of the chunk.

Alex
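As an added illustration (not code from the thread or from the affected client): a check for the exact-fit condition Alex describes, where the reply fills its buffer and ends on an end-of-line byte, next to a bounded version of the line splitter from Rowley's quote. The reply text is constructed for the demo.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Condition under which the splitter described above writes past the end:
   a reply that fills its buffer exactly and ends with an end-of-line byte,
   so the NUL placed "after" that byte lands at buf[len], i.e. on the heap
   chunk header that follows the allocation. */
int reply_triggers_off_by_one(const char *reply, size_t len)
{
    return len > 0 && (reply[len - 1] == '\n' || reply[len - 1] == '\r');
}

/* Bounded splitter: the terminator overwrites the '\n' itself (index i,
   always < len) rather than the byte after it, so it never leaves the
   buffer; a preceding '\r' is cleared too. Only complete lines are stored
   (an unterminated tail is left alone); returns the number of lines,
   capped at max_lines. */
size_t split_reply_safe(char *buf, size_t len, const char **lines, size_t max_lines)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '\n') continue;
        buf[i] = '\0';
        if (i > start && buf[i - 1] == '\r') buf[i - 1] = '\0';
        if (count == max_lines) break;
        lines[count++] = buf + start;
        start = i + 1;
    }
    return count;
}

/* Demonstration on a constructed two-line FTP reply copied into a heap
   buffer sized exactly to the data, the case the bug report describes.
   Returns the number of lines recovered (2 for this input). */
size_t demo(void)
{
    static const char reply[] = "220 ready\r\n331 password required\r\n";
    size_t len = sizeof(reply) - 1;        /* no trailing NUL stored */
    char *buf = malloc(len);               /* exact-size allocation */
    if (!buf) return 0;
    memcpy(buf, reply, len);
    const char *lines[4];
    size_t n = split_reply_safe(buf, len, lines, 4);
    free(buf);
    return n;
}
```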
