On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote: > Stefan Esser wrote: > > > >including the supplied paramters (dst, src, length). With up to > >3 bytes ([1]) depending on alignment. if you align everything perfectly > >you can set the 3 high bytes of length to zero and so change how many > >dwords memcpy tries to copy in our case 0x000000?? > > I should just point out the slight error in this analysis - in fact, the > exploit only overwrites two bytes of the length (incidentally, the Hi Ben, i never said that i was analysing the exploit when writing the part above, infact i just saw what he did (without checking any offsets). I immediantly recognised that he abuses this flaw in the memcpy routine. I knew this technique before he demonstrated that the so called experts were wrong. But those experts also told the world that the php fileupload vulnerability would be to hard to exploit in the wild... If he overwrites only 2 bytes then it is his problem. If the alignment is perfect (and you can make it perfect with apache) you can write up to 3 bytes. Stefan Esser - e-matters Security
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 09:33:23 PDT