mailing list archives
Remote code execution when only able to write 1 byte?
From: asotirov at determina.com (Alexander Sotirov)
Date: Fri, 16 Feb 2007 10:24:39 -0800
Mathew Rowley wrote:
"As there can be multiple lines in a reply [from an ftp servre], code in
the client breaks the reply up into lines, putting a null byte
(character 0x00) after any end of line character. In the case where a
line ends exactly on the last character of the reply buffer, the
terminating null byte is written outside of the allocated space,
overwriting a byte of the heap management structure."
If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code? Thanks.
See http://www.phrack.org/archives/55/P55-08 for some background.
The FTP bug is on the heap, but it's conceptually similar. You overwrite the low
byte of the size field in the next malloc chunk. That changes the size of the
chunk, and the header after it is read from the middle of the chunk.