
Metasploit mailing list archives

Remote code execution when only able to write 1 byte?
From: mrowley at esoft.com (Mathew Rowley)
Date: Fri, 16 Feb 2007 09:05:11 -0700


After looking over Patch Tuesday, the FTP patch for MS07-16
caught my eye.  I did a little research and found some more
information about it.

According to iDefense,

"As there can be multiple lines in a reply [from an ftp server], code in
the client breaks the reply up into lines, putting a null byte
(character 0x00) after any end of line character. In the case where a
line ends exactly on the last character of the reply buffer, the
terminating null byte is written outside of the allocated space,
overwriting a byte of the heap management structure."

If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code?  Thanks.

--

\\ Mathew Rowley
\\ eSoft Inc.
\\ email: echo 'kpmujcw>cqmdr,amk'|perl -pe 's/(.)/chr(ord($1)+2)/ge;'
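An added illustration of the bug pattern the advisory describes (not code from the post, from Metasploit, or from the patched client): a constructed two-line FTP reply whose final line ends exactly on the last byte of the buffer, a check that flags when the 0x00 terminator would land one byte past the allocation, and a hardened splitter that copies the reply into a buffer one byte larger so the terminator always stays in bounds. Function names and the sample reply are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample reply: two lines, the second ending exactly on the
 * last byte of the data, which is the case the advisory describes. */
static const char SAMPLE_REPLY[] = "220-Welcome\r\n220 Ready\r\n";
#define SAMPLE_LEN (sizeof(SAMPLE_REPLY) - 1)  /* exclude the literal's own NUL */

/* Returns 1 when the position the buggy client writes its terminator to
 * (the byte after the last '\n') is at index len, i.e. one byte past the
 * allocation: that write clobbers whatever follows the heap chunk. */
int terminator_overflows(const char *buf, size_t len) {
    for (size_t i = len; i-- > 0; )
        if (buf[i] == '\n')
            return (i + 1 >= len) ? 1 : 0;
    return 0;
}

/* Hardened splitter (hypothetical API): copy the reply into len + 1 bytes so
 * every terminator, including the one after a trailing '\n', is in bounds.
 * Fills lines[] with pointers into the copy and returns the line count; the
 * caller frees *copy. CRLF is stripped from each line. */
size_t split_reply(const char *buf, size_t len, char **copy,
                   char **lines, size_t max_lines) {
    *copy = malloc(len + 1);              /* +1: room for the final NUL */
    if (!*copy) return 0;
    memcpy(*copy, buf, len);
    (*copy)[len] = '\0';
    size_t n = 0;
    char *start = *copy;
    for (size_t i = 0; i < len; i++) {
        if ((*copy)[i] == '\n') {
            (*copy)[i] = '\0';            /* i < len, always inside the copy */
            if (i > 0 && (*copy)[i - 1] == '\r')
                (*copy)[i - 1] = '\0';
            if (n < max_lines) lines[n] = start;
            n++;
            start = *copy + i + 1;        /* at most copy[len], the extra NUL */
        }
    }
    if (start < *copy + len) {            /* final line without a newline */
        if (n < max_lines) lines[n] = start;
        n++;
    }
    return n;
}
```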

