Remote code execution when only able to write 1 byte?
From: mrowley at esoft.com (Mathew Rowley)
Date: Fri, 16 Feb 2007 09:05:11 -0700
After looking over Patch Tuesday, the FTP patch for MS07-16
caught my eye. I did a little research and found some more
information about it.
According to iDefense,
"As there can be multiple lines in a reply [from an ftp server], code in
the client breaks the reply up into lines, putting a null byte
(character 0x00) after any end of line character. In the case where a
line ends exactly on the last character of the reply buffer, the
terminating null byte is written outside of the allocated space,
overwriting a byte of the heap management structure."
If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code? Thanks.
\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
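The flaw the advisory describes, as an added illustration that is not code from the original post or from the affected client: a line splitter that writes a NUL after every newline with no bounds check, next to a bounds-checked version. The buffer size (REPLY_CAP) and the guard byte standing in for the first byte of the heap management structure are constructed for the demonstration, so the one-byte overwrite lands in memory the program owns and can be inspected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REPLY_CAP 16      /* constructed: size of the "allocated" reply buffer */
#define GUARD     0xA5    /* constructed: stands in for heap chunk metadata   */

/* Vulnerable splitter, modelled on the advisory text: after each '\n' it
 * writes a NUL at buf[i + 1] without checking that i + 1 < len. When the
 * last byte of the reply is a newline, the NUL lands one past the buffer. */
void split_lines_vuln(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n')
            buf[i + 1] = '\0';      /* BUG: i + 1 == len on the final byte */
    }
}

/* Hardened splitter: the terminating NUL is only written when there is
 * still room for it inside the buffer the caller handed us. */
void split_lines_fixed(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n' && i + 1 < len)
            buf[i + 1] = '\0';
    }
}

/* Runs one splitter over a reply placed in a REPLY_CAP-byte buffer that is
 * followed by a guard byte. Returns 1 if the guard was clobbered (the
 * off-by-one fired), 0 if it survived, -1 if the reply does not fit. */
int run_split(void (*split)(unsigned char *, size_t), const char *reply)
{
    unsigned char mem[REPLY_CAP + 1];   /* reply bytes plus one guard byte */
    size_t len = strlen(reply);
    if (len > REPLY_CAP)
        return -1;
    memset(mem, 0, sizeof mem);
    memcpy(mem, reply, len);
    mem[REPLY_CAP] = GUARD;
    split(mem, len);
    return mem[REPLY_CAP] != GUARD;
}

int main(void)
{
    const char *edge = "220 hello world\n";   /* constructed: exactly 16 bytes */
    printf("vulnerable: guard clobbered = %d\n", run_split(split_lines_vuln, edge));
    printf("fixed:      guard clobbered = %d\n", run_split(split_lines_fixed, edge));
    return 0;
}
```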