Vulnerability Development mailing list archives
Re: Apache Exploit
From: Ben Laurie <ben () algroup co uk>
Date: Tue, 25 Jun 2002 15:00:33 +0100
Stefan Esser wrote:
On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:Stefan Esser wrote:including the supplied paramters (dst, src, length). With up to 3 bytes ([1]) depending on alignment. if you align everything perfectly you can set the 3 high bytes of length to zero and so change how manydwords memcpy tries to copy in our case 0x000000??I should just point out the slight error in this analysis - in fact, the exploit only overwrites two bytes of the length (incidentally, theHi Ben, i never said that i was analysing the exploit when writing the part above, infact i just saw what he did (without checking any offsets). I immediantly recognised that he abuses this flaw in the memcpy routine. I knew this technique before he demonstrated that the so called experts were wrong. But those experts also told the world that the php fileupload vulnerability would be to hard to exploit in the wild... If he overwrites only 2 bytes then it is his problem. If the alignment is perfect (and you can make it perfect with apache) you can write up to3 bytes.
Indeed. In fact, he wanted to only overwrite 2 bytes, so it isn't really a problem.
Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Current thread:
- Re[2]: Apache Exploit, (continued)
- Re[2]: Apache Exploit dullien (Jun 26)
- Re: Apache Exploit 3APA3A (Jun 20)
- Re: Apache Exploit Stefan Esser (Jun 20)
- Re[2]: Apache Exploit dullien (Jun 20)
- Re[2]: Apache Exploit Michal Zalewski (Jun 20)
- Re: Apache Exploit Jefferson Ogata (Jun 20)
- Re: Apache Exploit Michal Zalewski (Jun 21)
- Re: Re[2]: Apache Exploit SpaceWalker (Jun 20)
- Re: Apache Exploit Stefan Esser (Jun 21)
- Re: Apache Exploit Ben Laurie (Jun 26)