mailing list archives
Remote code execution when only able to write 1 byte?
From: pusscat at metasploit.com (Pusscat)
Date: Mon, 12 Mar 2007 09:22:20 -0400
You can certainly still do it in XPSP2, but it'll only hit 1 of every 256
The idea is that you're changing the size of the next in use chunk so that
it looks inside itself for the next chunk when it finally is freed. Then
you've got a standard heap overflow situation, provided you control that
chunk. Thank Alex Sotirov for my understanding of this ;)
From: Nicolas RUFF [mailto:nicolas.ruff at gmail.com]
Sent: Sunday, March 11, 2007 6:32 AM
To: framework at metasploit.com
Subject: Re: [framework] Remote code execution when only able to write 1
If you are only able to write over 1 byte of the heap, how would it be
possible to execute arbitrary code? Thanks.
It used to be possible, but starting with Windows XP SP2, heap
structures are cookie-protected and sanity-checked.
It's getting worse with Vista, since heap structures are using XOR-ed
Note that this does *not* apply to non Windows managed heaps (e.g.
Delphi, Cygwin, etc.)
- Nicolas RUFF