Apache Exploit

From: Stefan Esser (sesserat_private)
Date: Thu Jun 20 2002 - 01:30:48 PDT

    Hi,
    
    I heard several people looking at the GOBBLES exploit and believing it
    can only be fake:
    
    Here is my little explanation of how BSD memcpy can be exploited:
    
    First, a snippet of the BSD memcpy code:
    
    ...
    1:
    	addl	%ecx,%edi	/* copy backwards. */
    	addl	%ecx,%esi
    	std
    [1]	andl	$3,%ecx		/* any fractional bytes? */
    	decl	%edi
    	decl	%esi
    	rep
    	movsb
    [X]	movl	20(%esp),%ecx	/* copy remainder by words */
    	shrl	$2,%ecx
    	subl	$3,%esi
    	subl	$3,%edi
    	rep
    	movsl
    ...
    
    In Apache we trigger exactly this piece of code: BSD thinks the two
    buffers are overlapping and so it wants to copy backward.
    The problem is that you are able to overwrite the call to memcpy,
    including the supplied parameters (dst, src, length), with up to
    3 bytes ([1]) depending on alignment. If you align everything perfectly,
    you can set the 3 high bytes of length to zero and so change how many
    dwords memcpy tries to copy; in our case 0x000000??.
    This is only possible because the code reads the length param again from
    the stack [X]... This way you can easily survive the call and overwrite
    the saved instruction pointer before the memcpy call...
    
    
    Just my 0.02 cents
    
    Stefan Esser - e-matters Security
    
    This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 09:09:00 PDT