Vulnerability Development mailing list archives

Re: Sendmail's prescan exploit thoughts


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 4 Apr 2003 09:14:32 +0200 (CEST)

On Tue, 1 Apr 2003, Alexander Cuttergo wrote:

The only way to fool prescan() checks seems to be to pass to it a
string "\\\377\\\377\\\377\\\377....", that is, backslash followed by
character 255.

I already talked to Alexander privately. In general, no, this is not the
only sequence that can be used, although the set of characters is indeed
quite limited, making the ability to succeed somewhat dependent on the
actual compiler output if you want to overwrite eip bytes. But you don't
have to - you also have the frame pointer and some local pointers and other
variables past pvpbuf in almost every location where prescan() is called.

though ;) ). But then the overwritten saved base pointer would point
within pvpbuf, which contains only backslashes, which is not useful.

pvpbuf does not have to contain only backslashes until pvpbuf is almost
full. So yes, you can likely overwrite the frame pointer to point to
user-supplied data.

3) we can overwrite two least bytes of saved base pointer with 0x005c.

You can overwrite any number of eip and ebp bytes with several
combinations, and it is sometimes possible to point to an interesting code
or stack location. Technologies like stack randomization might make it
easier to achieve a good result by overwriting more than two bytes.

I have seen two exploits so far, one of them fully functional, but local -
which, of course, I can't prove or discuss, really, but I do believe it's
not that much of an issue to exploit this.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-04-04 09:05 --
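A defender-side check, added here and not part of the thread or of Sendmail itself: it flags address data carrying runs of the backslash + character 255 sequence quoted above, or an unusually backslash-heavy address, as something worth logging before it reaches an address parser. The run-length and ratio thresholds and the sample inputs are constructed assumptions, not values from the thread.

```python
# Added example, not code from the original thread or from Sendmail.
# Flags address strings containing runs of backslash followed by 0xFF
# (the sequence discussed above) or an unusually high share of backslashes.
# Thresholds are assumptions chosen for this example.

ESCAPE = 0x5C      # '\\'
HIGH_BYTE = 0xFF   # the character 255 named in the quoted message

def longest_escape_run(data: bytes) -> int:
    """Longest run of consecutive backslash+0xFF pairs in data."""
    best = cur = 0
    i = 0
    while i + 1 < len(data):
        if data[i] == ESCAPE and data[i + 1] == HIGH_BYTE:
            cur += 1
            best = max(best, cur)
            i += 2          # consume the whole pair
        else:
            cur = 0
            i += 1
    return best

def backslash_ratio(data: bytes) -> float:
    """Share of bytes that are backslashes (0.0 for empty input)."""
    return data.count(ESCAPE) / len(data) if data else 0.0

def classify_address(data: bytes, min_run: int = 4, max_ratio: float = 0.25) -> str:
    """Return 'escape-run', 'backslash-heavy' or 'ok'. Thresholds are assumptions."""
    if longest_escape_run(data) >= min_run:
        return "escape-run"
    if len(data) >= 16 and backslash_ratio(data) > max_ratio:
        return "backslash-heavy"
    return "ok"

# Constructed samples for offline testing (not captured traffic).
SAMPLES = {
    "normal": b"alice@example.org",
    "quoted-local-part": b'"a\\"b"@example.org',
    "escape-run": b"<" + b"\\\xff" * 8 + b"@example.org>",
    "backslash-heavy": b"\\a\\b\\c\\d\\e\\f\\g\\h\\i@example.org",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:18} -> {classify_address(sample)}")
```

A legitimately quoted local part with a single escaped character stays "ok", so the check does not fire on ordinary RFC-style quoting.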

