Metasploit mailing list archives

Remote code execution when only able to write 1 byte?
From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Sun, 11 Mar 2007 11:31:50 +0100

> If you are only able to write over 1 byte of the heap, how would it be
> possible to execute arbitrary code?  Thanks.

It used to be possible, but starting with Windows XP SP2, heap
structures are cookie-protected and sanity-checked.

It's getting worse with Vista, since heap structures are using XOR-ed

Note that this does *not* apply to non-Windows-managed heaps (e.g.
Delphi, Cygwin, etc.)

- Nicolas RUFF
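
The kind of check the reply describes, as an added example that is not part of the original message and is not Windows code: a toy heap whose chunk headers carry a cookie and whose free-list links are sanity-checked, so a one-byte overwrite of a header is caught when the chunk is validated. The header layout, the cookie formula, heap_secret and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POOL 4                      /* toy heap: four chunks in a circular free list */

typedef struct {                    /* hypothetical header layout, not the Windows one */
    uint16_t size;
    uint8_t  cookie;                /* check value stored when the chunk is sealed */
    uint8_t  flags;
    uint8_t  flink, blink;          /* free-list links, kept as pool indexes */
} chunk_t;

static chunk_t pool[POOL];
static const uint8_t heap_secret = 0xA7;  /* constructed; a real heap would randomize it */

/* Cookie the allocator expects for chunk i, derived from its position and header. */
static uint8_t expected_cookie(unsigned i) {
    const chunk_t *c = &pool[i];
    return (uint8_t)((i * 0x3Du) ^ heap_secret ^ c->size ^ (c->size >> 8) ^ c->flags);
}

/* Build a consistent free list 0 -> 1 -> 2 -> 3 -> 0 and seal every header. */
static void heap_init(void) {
    for (unsigned i = 0; i < POOL; i++) {
        pool[i] = (chunk_t){0x0040, 0, 0x01,
                            (uint8_t)((i + 1) % POOL), (uint8_t)((i + POOL - 1) % POOL)};
        pool[i].cookie = expected_cookie(i);
    }
}

/* 0 = header trusted, 1 = cookie mismatch, 2 = free-list links inconsistent. */
static int chunk_validate(unsigned i) {
    const chunk_t *c = &pool[i];
    if (c->cookie != expected_cookie(i)) return 1;
    if (c->flink >= POOL || c->blink >= POOL) return 2;
    if (pool[c->flink].blink != i || pool[c->blink].flink != i) return 2;
    return 0;
}

/* Rebuild the heap, overwrite one header byte of chunk i, then validate it. */
static int after_one_byte_write(unsigned i, size_t off, uint8_t val) {
    heap_init();
    ((uint8_t *)&pool[i])[off] = val;
    return chunk_validate(i);
}

int main(void) {
    printf("size byte:  %d\n", after_one_byte_write(1, offsetof(chunk_t, size), 0xFF));
    printf("flink byte: %d\n", after_one_byte_write(1, offsetof(chunk_t, flink), 3));
    return 0;
}
```

An allocator built this way would call chunk_validate before trusting a header on free or unlink and abort on any non-zero result.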
