Re: Apache Exploit

From: Stefan Esser (sesserat_private)
Date: Fri Jun 21 2002 - 02:35:54 PDT

  • Next message: Ben Laurie: "Re: Apache Exploit"

    On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:
    > Stefan Esser wrote:
    > >
    > >including the supplied paramters (dst, src, length). With up to
    > >3 bytes ([1]) depending on alignment. if you align everything perfectly
    > >you can set the 3 high bytes of length to zero and so change how many
    > >dwords memcpy tries to copy in our case 0x000000?? 
    
    > 
    > I should just point out the slight error in this analysis - in fact, the 
    > exploit only overwrites two bytes of the length (incidentally, the 
    
    Hi Ben,
    
    i never said that i was analysing the exploit when writing the part above,
    infact i just saw what he did (without checking any offsets). I immediantly
    recognised that he abuses this flaw in the memcpy routine. I knew this
    technique before he demonstrated that the so called experts were wrong.
    But those experts also told the world that the php fileupload vulnerability
    would be to hard to exploit in the wild...
    
    If he overwrites only 2 bytes then it is his problem. If the alignment is
    perfect (and you can make it perfect with apache) you can write up to
    3 bytes. 
    
    
    Stefan Esser - e-matters Security
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 09:33:23 PDT