Vulnerability Development mailing list archives

Re: Apache Exploit

From: Stefan Esser <sesser () php net>
Date: Fri, 21 Jun 2002 11:35:54 +0200

On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:

Stefan Esser wrote:


including the supplied paramters (dst, src, length). With up to
3 bytes ([1]) depending on alignment. if you align everything perfectly
you can set the 3 high bytes of length to zero and so change how many
dwords memcpy tries to copy in our case 0x000000??


I should just point out the slight error in this analysis - in fact, the 
exploit only overwrites two bytes of the length (incidentally, the


Hi Ben,

i never said that i was analysing the exploit when writing the part above,
infact i just saw what he did (without checking any offsets). I immediantly
recognised that he abuses this flaw in the memcpy routine. I knew this
technique before he demonstrated that the so called experts were wrong.
But those experts also told the world that the php fileupload vulnerability
would be to hard to exploit in the wild...

If he overwrites only 2 bytes then it is his problem. If the alignment is
perfect (and you can make it perfect with apache) you can write up to
3 bytes. 


Stefan Esser - e-matters Security

Current thread:

Re: Apache Exploit, (continued)
- - - Re: Apache Exploit Randy Taylor (Jun 24)
    - Re[2]: Apache Exploit dullien (Jun 26)
- Re: Apache Exploit 3APA3A (Jun 20)
  - Re: Apache Exploit Stefan Esser (Jun 20)
  - Re[2]: Apache Exploit dullien (Jun 20)
    - Re[2]: Apache Exploit Michal Zalewski (Jun 20)
    - Re: Apache Exploit Jefferson Ogata (Jun 20)
    - Re: Apache Exploit Michal Zalewski (Jun 21)
    - Re: Re[2]: Apache Exploit SpaceWalker (Jun 20)
- Re: Apache Exploit Ben Laurie (Jun 21)
  - Re: Apache Exploit Stefan Esser (Jun 21)
    - Re: Apache Exploit Ben Laurie (Jun 26)