[framework] Remote code execution when only able to write 1 byte?
Mathew Rowley
mrowley at esoft.com
Fri Feb 16 10:05:11 CST 2007
After looking over Patch Tuesday, the FTP patch for MS07-016
(http://www.microsoft.com/technet/security/bulletin/ms07-016.mspx)
caught my eye. I did a little research and found some more
information about it
(http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=473)
According to iDefense,
"As there can be multiple lines in a reply [from an FTP server], code in
the client breaks the reply up into lines, putting a null byte
(character 0x00) after any end of line character. In the case where a
line ends exactly on the last character of the reply buffer, the
terminating null byte is written outside of the allocated space,
overwriting a byte of the heap management structure."
If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code? Thanks.
--
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
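The off-by-one the iDefense text describes, as an added example (this is not code from the post, from iDefense, or from the Windows FTP client): a simplified in-place line splitter that writes a NUL after every end-of-line character, next to a bounds-checked version. The reply buffer is allocated one byte larger than the reply so that the byte past its end can stand in for the first byte of the neighbouring heap chunk's management data; the sample reply, its length and the sentinel value are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the constructed reply buffer. The byte immediately after it
 * stands in for the first byte of the next heap chunk's management data. */
#define REPLY_LEN 16
#define SENTINEL  0xAA

/*
 * Vulnerable splitter, modelled on the iDefense description: after every
 * end-of-line character a NUL is written so the line can be used as a
 * C string. Nothing checks that i + 1 is still inside the buffer, so a line
 * ending exactly on the last byte puts the NUL at reply[len].
 * Returns the number of lines seen. (Simplified model, not the real
 * client's code: a real parser would record each line start before writing.)
 */
static size_t split_lines_vulnerable(char *reply, size_t len)
{
    size_t lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (reply[i] == '\n') {
            reply[i + 1] = '\0';   /* i == len - 1  ->  one byte past the end */
            lines++;
        }
    }
    return lines;
}

/* Hardened splitter: the NUL is only written when it lands inside the buffer. */
static size_t split_lines_fixed(char *reply, size_t len)
{
    size_t lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (reply[i] == '\n') {
            lines++;
            if (i + 1 < len)
                reply[i + 1] = '\0';
            /* else: the line ends on the last byte; the caller must not assume
             * a terminator here (or must allocate len + 1 up front). */
        }
    }
    return lines;
}

/*
 * Feed a constructed two-line FTP reply, exactly REPLY_LEN bytes with the
 * last line ending on the final byte, to one splitter. Returns the sentinel
 * byte afterwards: SENTINEL means the neighbour was untouched, 0 means the
 * off-by-one NUL overwrote it. Returns -1 on allocation failure.
 */
static int run_case(size_t (*splitter)(char *, size_t))
{
    unsigned char *block = malloc(REPLY_LEN + 1);
    if (block == NULL)
        return -1;
    memcpy(block, "220-Hi\r\n220 OK\r\n", REPLY_LEN);   /* constructed reply */
    block[REPLY_LEN] = SENTINEL;                         /* "chunk header" byte */

    splitter((char *)block, REPLY_LEN);

    int after = block[REPLY_LEN];
    free(block);
    return after;
}

int main(void)
{
    printf("vulnerable: sentinel after split = 0x%02x\n",
           run_case(split_lines_vulnerable));
    printf("fixed:      sentinel after split = 0x%02x\n",
           run_case(split_lines_fixed));
    return 0;
}
```

The vulnerable variant clears the sentinel to 0x00, which is exactly the single-byte heap write the quoted advisory text describes; the fixed variant leaves it at 0xAA. The example only reproduces that write, it does not answer the post's question about turning it into code execution.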