Plenty of background regarding even getting to a place to start hunting for bugs on this printer, leading up to two heap-based overflows in pjcc_act_checkUserPassword2, and some discussion about exploiting the DryOS heap allocator.

The overflows were simple unchecked copies into fixed-size buffers: the lengths (and buffer content) for the hash in the packet were attacker controlled and trusted without any consideration of whether the target buffer could hold the supplied lengths. This provided a straightforward overflow and the ability to corrupt heap metadata.
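The bug class described above, as an added illustration that is not code from the writeup or from the printer's firmware: a hypothetical packet parser for a length-prefixed hash field, written the hardened way, so the attacker-controlled length is checked against both the fixed destination buffer and the bytes actually present in the packet before anything is copied. The packet layout, field names and buffer size are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed packet layout (constructed for this example, not the printer's real format):
 *   byte 0      : hash_len, supplied by the sender
 *   bytes 1..   : hash_len bytes of hash data
 */
#define HASH_BUF_SIZE 32

typedef struct {
    uint8_t hash[HASH_BUF_SIZE];   /* fixed-size destination, like the one the writeup describes */
    size_t  hash_len;
} password_check_t;

/* Return codes so a caller (and a test) can tell why a packet was rejected. */
#define PARSE_OK            0
#define PARSE_BAD_ARGS     -1
#define PARSE_LEN_TOO_BIG  -2   /* declared length would overflow the fixed buffer */
#define PARSE_LEN_TRUNC    -3   /* declared length exceeds the data actually received */

/* Hardened parse: the copy length is bounded by the destination capacity and by
 * the real packet size, so a lying length field cannot write past the buffer or
 * read past the packet. The unsafe pattern from the writeup is the same memcpy
 * with neither check. */
int parse_hash_field(const uint8_t *pkt, size_t pkt_len, password_check_t *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return PARSE_BAD_ARGS;

    size_t hash_len = pkt[0];
    if (hash_len > HASH_BUF_SIZE)
        return PARSE_LEN_TOO_BIG;
    if (hash_len > pkt_len - 1)
        return PARSE_LEN_TRUNC;

    memcpy(out->hash, pkt + 1, hash_len);
    out->hash_len = hash_len;
    return PARSE_OK;
}

/* Returns how many of the constructed sample packets the parser rejects. */
int count_rejected_samples(void)
{
    const uint8_t good[]      = { 4, 'a', 'b', 'c', 'd' };
    const uint8_t oversized[] = { 200, 'x' };               /* length > HASH_BUF_SIZE */
    const uint8_t truncated[] = { 8, 'a', 'b' };            /* length > bytes present */
    password_check_t pc;
    int rejected = 0;
    if (parse_hash_field(good, sizeof good, &pc) != PARSE_OK) rejected++;
    if (parse_hash_field(oversized, sizeof oversized, &pc) != PARSE_OK) rejected++;
    if (parse_hash_field(truncated, sizeof truncated, &pc) != PARSE_OK) rejected++;
    return rejected;
}
```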
They targeted a next pointer belonging to a freed block in memory. With an echo command, they could get this fake free block reallocated and overwrite its data, giving them a semi-arbitrary write primitive. The main constraint appears to have been that the first few bytes would be interpreted as part of the chunk header, for things like size, so if it was pointed somewhere with a small value it might not be reclaimed easily or with precision.

This primitive was used to corrupt some of the state information, specifically the echo command handler function pointer, pointing it towards their shellcode.