Metasploit mailing list archives

Remote code execution when only able to write 1 byte?


From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Sun, 11 Mar 2007 11:31:50 +0100

> If you are only able to write over 1 byte of the heap, how would it be
> possible to execute arbitrary code?  Thanks.

It used to be possible, but starting with Windows XP SP2, heap
structures are cookie-protected and sanity-checked.

It's getting worse with Vista, since heap structures are using XOR-ed
pointers.

Note that this does *not* apply to non-Windows managed heaps (e.g.
Delphi, Cygwin, etc.).

Regards,
- Nicolas RUFF
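Added example, not code from Nicolas's message or from the Metasploit project: a small C model of the two protections he describes, a per-entry cookie that the allocator sanity-checks (XP SP2) and XOR-encoded free-list pointers (Vista), showing why a single corrupted header byte is rejected before the chunk is unlinked. The header layout, arena, cookie and key are constructed for the example and are not the real NT heap structures.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy model of a free-list chunk header carrying an XP SP2 style per-entry
 * cookie plus Vista style XOR-encoded list links. Not the real NT heap
 * layout; arena size, cookie and key are constructed for this example. */
#define NCHUNKS 3
typedef struct chunk {
    uint16_t  size;       /* allocation size in 8-byte units */
    uint8_t   cookie;     /* derived from the entry address and heap_cookie */
    uintptr_t flink_enc;  /* forward link, stored XOR-ed with heap_key */
    uintptr_t blink_enc;  /* backward link, stored XOR-ed with heap_key */
} chunk_t;

static chunk_t heap[NCHUNKS];                      /* the modeled arena */
static const uint8_t   heap_cookie = 0xA7;         /* constructed secret */
static const uintptr_t heap_key    = 0x5A3C9E17u;  /* constructed secret */
static uint8_t expected_cookie(const chunk_t *c) {
    return (uint8_t)(((uintptr_t)c >> 3) ^ heap_cookie);
}
static chunk_t *decode(uintptr_t enc) { return (chunk_t *)(enc ^ heap_key); }
/* A decoded link is trusted only if it lands on a chunk boundary in the arena. */
static int in_arena(const chunk_t *p) {
    uintptr_t off = (uintptr_t)p - (uintptr_t)heap;
    return off < sizeof heap && off % sizeof(chunk_t) == 0;
}
/* Build a circular doubly linked free list over the whole arena. */
void build_free_list(void) {
    for (int i = 0; i < NCHUNKS; i++) {
        chunk_t *c = &heap[i];
        c->size = 8; c->cookie = expected_cookie(c);
        c->flink_enc = (uintptr_t)&heap[(i + 1) % NCHUNKS] ^ heap_key;
        c->blink_enc = (uintptr_t)&heap[(i + NCHUNKS - 1) % NCHUNKS] ^ heap_key;
    }
}
/* Checks an allocator would run before unlinking c: cookie must match and
 * both decoded links must be valid chunks that point back at c. */
int unlink_checks_pass(const chunk_t *c) {
    if (c->cookie != expected_cookie(c)) return 0;
    chunk_t *f = decode(c->flink_enc), *b = decode(c->blink_enc);
    if (!in_arena(f) || !in_arena(b)) return 0;
    return decode(f->blink_enc) == c && decode(b->flink_enc) == c;
}
/* Model a one-byte overflow out of heap[0] that XORs `mask` into the byte at
 * `offset` of heap[1]'s header; returns 1 if the checks then reject heap[1]. */
int one_byte_corruption_detected(size_t offset, uint8_t mask) {
    build_free_list();
    ((uint8_t *)&heap[1])[offset] ^= mask;
    return !unlink_checks_pass(&heap[1]);
}
```

An intact list passes every check; flipping one bit of the cookie or of either encoded link makes the decoded pointer miss a chunk boundary or break the back-reference, and the unlink is refused rather than performing an arbitrary write.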


