Vulnerability Development mailing list archives
Re: Apache Exploit
From: Stefan Esser <sesser () php net>
Date: Fri, 21 Jun 2002 11:35:54 +0200
On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:
> Stefan Esser wrote:
> > including the supplied parameters (dst, src, length). With up to 3 bytes ([1]) depending on alignment. If you align everything perfectly you can set the 3 high bytes of length to zero and so change how many dwords memcpy tries to copy, in our case 0x000000??
>
> I should just point out the slight error in this analysis - in fact, the exploit only overwrites two bytes of the length (incidentally, the

Hi Ben,

I never said that I was analysing the exploit when writing the part above; in fact I just saw what he did (without checking any offsets). I immediately recognised that he abuses this flaw in the memcpy routine. I knew this technique before he demonstrated that the so-called experts were wrong. But those experts also told the world that the PHP fileupload vulnerability would be too hard to exploit in the wild... If he overwrites only 2 bytes then it is his problem. If the alignment is perfect (and you can make it perfect with Apache) you can write up to 3 bytes.

Stefan Esser - e-matters Security
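The trick the two messages above argue about, as an added illustration that is not code from this thread, from Apache or from any BSD libc: a toy backward-copy routine modelled on the behaviour Esser describes, in which the `len & 3` trailing bytes are copied first and the length is then loaded again from its stack slot before the dword copy. That ordering, the flat wrapping 64 KiB "stack", the argument-slot addresses (0x1010), the data address (0x2000) and the all-zero bytes that the trailing copy pulls in are all constructed assumptions for the demonstration. It runs the three alignments the thread mentions: 3 trailing bytes (Esser's perfect alignment, length becomes 0x000000??), 2 trailing bytes (what Ben says the exploit does, length becomes 0x0000????), and 0 trailing bytes (the length stays "negative" and the copy never ends).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy memory: 64 KiB that wraps, addressed with 32-bit values
 * that overflow the way i386 registers do. Not the real process layout. */
#define ARENA_BITS 16
#define ARENA_SIZE (1u << ARENA_BITS)
#define ARENA_MASK (ARENA_SIZE - 1)
#define DWORD_CAP  (1u << 20)   /* give up on a runaway copy instead of spinning forever */

static uint8_t mem[ARENA_SIZE];

static uint8_t rd8(uint32_t a)            { return mem[a & ARENA_MASK]; }
static void    wr8(uint32_t a, uint8_t v) { mem[a & ARENA_MASK] = v; }
static uint32_t rd32(uint32_t a) {        /* little-endian, as on i386 */
    return (uint32_t)rd8(a) | (uint32_t)rd8(a + 1) << 8 |
           (uint32_t)rd8(a + 2) << 16 | (uint32_t)rd8(a + 3) << 24;
}
static void wr32(uint32_t a, uint32_t v) {
    for (int i = 0; i < 4; i++) wr8(a + i, (uint8_t)(v >> (8 * i)));
}

struct copy_result {
    uint32_t len_reread;   /* length value seen when it is loaded again after the byte copy */
    uint32_t dwords;       /* dwords actually copied; DWORD_CAP + 1 means the copy never ended */
};

/* Model (assumption, not libc code) of the overlapping/backward path: the
 * arguments live in stack slots at `args` (dst at +0, src at +4, len at +8).
 * Step 1 copies len & 3 bytes from the top down; step 2 re-reads len from
 * its slot, which step 1 may just have overwritten, and copies len >> 2 dwords. */
static struct copy_result toy_bcopy_backward(uint32_t args) {
    uint32_t dst = rd32(args), src = rd32(args + 4), len = rd32(args + 8);
    uint32_t di = dst + len - 1, si = src + len - 1;   /* wraps for a "negative" len */
    struct copy_result r = {0, 0};

    for (uint32_t n = len & 3; n > 0; n--) {           /* step 1: 0..3 trailing bytes */
        wr8(di, rd8(si));
        di--; si--;
    }

    r.len_reread = rd32(args + 8);                     /* step 2: the re-read */
    uint32_t dwords = r.len_reread >> 2;
    di -= 3; si -= 3;                                  /* continue contiguously below the bytes */
    while (dwords > 0) {
        if (r.dwords >= DWORD_CAP) { r.dwords = DWORD_CAP + 1; break; }
        wr32(di, rd32(si));
        di -= 4; si -= 4;
        dwords--;
        r.dwords++;
    }
    return r;
}

/* Constructed scenario: argument slots at 0x1010, attacker data at 0x2000, all
 * other memory zero. The caller's buffer address `dst` selects the alignment;
 * `len` is chosen so that dst + len - 1 lands on the top byte of the len slot. */
static struct copy_result run_scenario(uint32_t dst) {
    const uint32_t args = 0x1010, src = 0x2000, len_slot = args + 8;
    memset(mem, 0, sizeof mem);
    uint32_t len = len_slot + 4 - dst;                 /* "negative": wraps to 0xFFFFFFxx */
    wr32(args, dst); wr32(args + 4, src); wr32(args + 8, len);
    return toy_bcopy_backward(args);
}

int main(void) {
    const uint32_t cases[] = { 0x1105, 0x1106, 0x1104 };   /* len & 3 == 3, 2, 0 */
    for (size_t i = 0; i < 3; i++) {
        struct copy_result r = run_scenario(cases[i]);
        printf("dst=0x%04x: length re-read as 0x%08x, ", cases[i], r.len_reread);
        if (r.dwords > DWORD_CAP) printf("dword copy runs away (hit the cap)\n");
        else printf("%u dwords copied\n", r.dwords);
    }
    return 0;
}
```

With dst = 0x1105 the three trailing bytes land on the high bytes of the len slot, the re-read gives 0x00000017 and only 5 dwords are copied; with dst = 0x1106 only two bytes land there, the length becomes 0x0000FF16 and 0x3FC5 dwords go out; with dst = 0x1104 nothing touches the slot and the copy is unbounded. Which alignment you get is decided by where the caller's buffer sits, which is the point of Esser's remark that Apache lets you make it perfect.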