Stefan Esser wrote:
> On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:
>
>>Stefan Esser wrote:
>>
>>>including the supplied parameters (dst, src, length). With up to
>>>3 bytes ([1]) depending on alignment. If you align everything perfectly
>>>you can set the 3 high bytes of length to zero and so change how many
>>>dwords memcpy tries to copy, in our case 0x000000??
>>
>
>>I should just point out the slight error in this analysis - in fact, the
>>exploit only overwrites two bytes of the length (incidentally, the
>
>
> Hi Ben,
>
> I never said that I was analysing the exploit when writing the part above;
> in fact I just saw what he did (without checking any offsets). I immediately
> recognised that he abuses this flaw in the memcpy routine. I knew this
> technique before he demonstrated that the so-called experts were wrong.
> But those experts also told the world that the php fileupload vulnerability
> would be too hard to exploit in the wild...
>
> If he overwrites only 2 bytes then it is his problem. If the alignment is
> perfect (and you can make it perfect with apache) you can write up to
> 3 bytes.

Indeed. In fact, he wanted to only overwrite 2 bytes, so it isn't really a
problem.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
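The disagreement above is about how many bytes of a 32-bit length argument an overrun can clobber before the copy routine re-reads it. The following C program is an added illustration, not code from this thread, from Apache, or from any libc: it models a constructed stack layout (a 16-byte destination buffer followed by a little-endian 32-bit length) and shows what value a re-read of the length yields when an overrun either ends inside the length dword (touching its low bytes) or starts inside it (touching its high bytes, the case Stefan describes). The frame layout, the buffer size and the payload of zero bytes are assumptions chosen for the demonstration; the code makes no claim about the real memcpy frame the exploit hit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the stack: a 16-byte destination buffer followed
 * immediately by the 32-bit length argument that the copy routine re-reads.
 * This layout is an assumption for illustration, not Apache's or a libc
 * memcpy's real frame. Integers are stored little-endian, as on x86. */
#define DST_SIZE   16
#define LEN_OFF    DST_SIZE
#define FRAME_SIZE (DST_SIZE + 4)

/* Attacker-controlled payload: all zero bytes (constructed sample input). */
static const uint8_t ZEROS[FRAME_SIZE] = { 0 };

/* Simulate an overrun: `n` bytes of `payload` land `start` bytes into the
 * frame. Bytes that would fall past the frame are dropped (a real copy
 * would fault there). Returns the length as a little-endian re-read of
 * the frame sees it after the overrun. */
uint32_t overrun_length(uint32_t orig_len, size_t start,
                        const uint8_t *payload, size_t n)
{
    uint8_t frame[FRAME_SIZE];
    memset(frame, 'A', DST_SIZE);
    for (int i = 0; i < 4; i++)                 /* store length little-endian */
        frame[LEN_OFF + i] = (uint8_t)(orig_len >> (8 * i));

    if (start >= FRAME_SIZE)
        return orig_len;                        /* overrun misses the frame */
    if (start + n > FRAME_SIZE)
        n = FRAME_SIZE - start;                 /* clip at the end of the frame */
    memcpy(frame + start, payload, n);

    uint32_t len = 0;                           /* re-read little-endian */
    for (int i = 0; i < 4; i++)
        len |= (uint32_t)frame[LEN_OFF + i] << (8 * i);
    return len;
}

/* Number of the four length bytes that an overrun [start, start+n) touches. */
size_t length_bytes_controlled(size_t start, size_t n)
{
    size_t lo = start > LEN_OFF ? start : LEN_OFF;
    size_t hi = start + n < FRAME_SIZE ? start + n : FRAME_SIZE;
    return hi > lo ? hi - lo : 0;
}

int main(void)
{
    uint32_t bad = 0xFFFFFFF0u;   /* a "negative" chunk size seen as unsigned */

    /* Overrun runs up from the buffer start and ends 2 bytes into the length:
     * the two low bytes are zeroed, the length stays huge. */
    printf("ends 2 bytes into len:   %#010x (%zu bytes touched)\n",
           (unsigned)overrun_length(bad, 0, ZEROS, DST_SIZE + 2),
           length_bytes_controlled(0, DST_SIZE + 2));

    /* Overrun starts 1 byte into the length dword (misaligned destination):
     * the three high bytes are zeroed and the copy is cut down to 0xF0. */
    printf("starts 1 byte into len:  %#010x (%zu bytes touched)\n",
           (unsigned)overrun_length(bad, LEN_OFF + 1, ZEROS, 3),
           length_bytes_controlled(LEN_OFF + 1, 3));
    return 0;
}
```

With this model, zeroing the two low bytes leaves 0xFFFF0000, still a copy that runs off the stack, while zeroing the three high bytes leaves 0x000000F0, which is the kind of short, survivable copy the quoted analysis is after; which of the two an overrun can reach depends only on where the copy starts and ends relative to the dword.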
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 09:45:53 PDT