Vulnerability Development mailing list archives
Apache Exploit
From: Stefan Esser <sesser () php net>
Date: Thu, 20 Jun 2002 10:30:48 +0200
Hi,

I heard several people looking at the gobbles exploit and believing it can only be fake; here is my little explanation how bsd memcpy can be exploited.

First a snippet of the bsd memcpy code:

    ...
    1:      addl    %ecx,%edi       /* copy backwards. */
            addl    %ecx,%esi
            std
    [1]     andl    $3,%ecx         /* any fractional bytes? */
            decl    %edi
            decl    %esi
            rep movsb
    [X]     movl    20(%esp),%ecx   /* copy remainder by words */
            shrl    $2,%ecx
            subl    $3,%esi
            subl    $3,%edi
            rep movsl
    ...

In Apache we trigger exactly this piece of code: bsd thinks the two buffers are overlapping and so it wants to copy backward. The problem is that you are able to overwrite the call to memcpy including the supplied parameters (dst, src, length), with up to 3 bytes ([1]) depending on alignment. If you align everything perfectly you can set the 3 high bytes of length to zero and so change how many dwords memcpy tries to copy, in our case 0x000000??. This is only possible because the code reads the length param again from the stack [X]... This way you can easily survive the call and overwrite the saved instruction pointer before the memcpy call...

just my 0.02 cents

Stefan Esser - e-matters Security
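As an added illustration (not part of Stefan's post or of the BSD source), this C model replays the backward path he quotes over a small simulated memory window, with the length argument kept in a slot inside that window; the window bounds, the LEN_SLOT address and the dst/src values are constructed for the demo. It contrasts re-reading the length after the byte copy, as the quoted code does, with keeping the value loaded at entry, and reports a fault whenever an access leaves the window.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the BSD i386 memcpy backward path quoted in the post.
 * Memory is a small simulated window so the 32-bit wrap of dst + len can be
 * followed safely; LEN_SLOT stands in for the 20(%esp) stack slot. */
#define BASE     0x0F00u
#define SIZE     0x140u
#define LEN_SLOT 0x1010u
static uint8_t mem[SIZE];

static int ok1(uint32_t a) { return a >= BASE && a - BASE < SIZE; }
static int ok4(uint32_t a) { return ok1(a) && ok1(a + 3); }
static uint32_t load32(uint32_t a)                  /* little-endian dword */
{
    uint8_t *p = mem + (a - BASE);
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns bytes copied, or -1 when an access leaves the window (a fault).
 * reread != 0 models "movl 20(%esp),%ecx"; 0 keeps the value loaded at entry. */
static long backward_copy(uint32_t dst, uint32_t src, int reread)
{
    uint32_t len = load32(LEN_SLOT);                    /* %ecx at entry */
    uint32_t edi = dst + len - 1, esi = src + len - 1;  /* addl; decl */
    long copied = 0;
    for (uint32_t n = len & 3; n; n--, copied++, edi--, esi--) { /* rep movsb */
        if (!ok1(edi) || !ok1(esi)) return -1;
        mem[edi - BASE] = mem[esi - BASE];
    }
    uint32_t words = (reread ? load32(LEN_SLOT) : len) >> 2;
    edi -= 3; esi -= 3;                                 /* subl $3 */
    for (; words; words--, copied += 4, edi -= 4, esi -= 4) { /* rep movsl */
        if (!ok4(edi) || !ok4(esi)) return -1;
        for (int i = 0; i < 4; i++) mem[edi + i - BASE] = mem[esi + i - BASE];
    }
    return copied;
}

/* The alignment the post describes: dst one byte off a dword boundary and
 * len = 0xFFFFFFF3, so the three fractional bytes (read as zero) land on the
 * high three bytes of LEN_SLOT and the length re-reads as 0x000000F3. */
static long run_scenario(int reread)
{
    for (uint32_t i = 0; i < SIZE; i++) mem[i] = 0;
    mem[LEN_SLOT - BASE] = 0xF3;
    mem[LEN_SLOT - BASE + 1] = mem[LEN_SLOT - BASE + 2] = mem[LEN_SLOT - BASE + 3] = 0xFF;
    return backward_copy(0x1021u, 0x1030u, reread);
}

int main(void) { printf("re-read: %ld  cached: %ld\n", run_scenario(1), run_scenario(0)); return 0; }
```

With the re-read the dword count collapses to 60 and the routine returns normally, which is the "survive the call" outcome described above; with the cached value it keeps copying until it leaves the window, which in a real process is the crash rather than a survivable call.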
Current thread:
- Apache Exploit Stefan Esser (Jun 20)
- Re: Apache Exploit Blue Boar (Jun 20)
- Re: Apache Exploit Randy Taylor (Jun 20)
- Re: Apache Exploit Michal Zalewski (Jun 20)
- Message not available
- Re: Apache Exploit Randy Taylor (Jun 21)
- Re: Apache Exploit David Bernick (Jun 21)
- Re: Apache Exploit T0aD (Jun 22)
- Re: Apache Exploit Alex Balayan (Jun 23)
- Re: Apache Exploit Randy Taylor (Jun 24)
- Re[2]: Apache Exploit dullien (Jun 26)
- Re: Apache Exploit Randy Taylor (Jun 20)
- Re: Apache Exploit Blue Boar (Jun 20)