[framework] Remote code execution when only able to write 1 byte?

Alexander Sotirov asotirov at determina.com
Fri Feb 16 12:24:39 CST 2007


Mathew Rowley wrote:
> "As there can be multiple lines in a reply [from an ftp server], code in
> the client breaks the reply up into lines, putting a null byte
> (character 0x00) after any end of line character. In the case where a
> line ends exactly on the last character of the reply buffer, the
> terminating null byte is written outside of the allocated space,
> overwriting a byte of the heap management structure."
> 
> If you are only able to write over 1 byte of the heap, how would it be
> possible to execute arbitrary code?  Thanks.

See http://www.phrack.org/archives/55/P55-08 for some background.

The FTP bug is on the heap, but it's conceptually similar. You overwrite the low
byte of the size field in the next malloc chunk. That changes the size of the
chunk, and the header after it is read from the middle of the chunk.

Alex
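Added here as an illustration, not code from either mail: the off-by-one terminator write the quoted report describes, beside a bounds-checked version. The array is deliberately one byte larger than the reply so the stray write can be observed without undefined behaviour; the reply string, `probe` and both `split_lines_*` functions are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive splitting as the report describes: after every end-of-line
 * character, write a NUL one position further on. When the EOL is the
 * last byte of the reply, that NUL lands at buf[len], past the buffer. */
size_t split_lines_naive(char *buf, size_t len)
{
    size_t lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            buf[i + 1] = '\0';        /* no check that i + 1 < len */
            lines++;
        }
    }
    return lines;
}

/* Hardened version: only write a terminator inside the buffer. */
size_t split_lines_safe(char *buf, size_t len)
{
    size_t lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            if (i + 1 < len)
                buf[i + 1] = '\0';
            lines++;
        }
    }
    return lines;
}

/* Runs one splitter over a reply whose last byte is '\n'. The array has
 * one spare byte so the stray write stays inside it; buf[len] stands in
 * for the first byte of the next heap chunk's header. Returns that byte
 * after the split: 0xAA means untouched, 0x00 means it was overwritten. */
unsigned char probe(size_t (*split)(char *, size_t))
{
    enum { LEN = 8 };
    char buf[LEN + 1];
    memcpy(buf, "220 OK\r\n", LEN);  /* constructed reply, ends on '\n' */
    buf[LEN] = (char)0xAA;           /* stand-in for the chunk size byte */
    split(buf, LEN);
    return (unsigned char)buf[LEN];
}

int main(void)
{
    printf("naive: 0x%02x  safe: 0x%02x\n",
           probe(split_lines_naive), probe(split_lines_safe));
    return 0;
}
```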
