From: Ben Laurie (ben algroup.co.uk)
Date: Tue Jun 25 2002 - 09:00:33 CDT
Stefan Esser wrote:
> On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:
>
>>Stefan Esser wrote:
>>
>>>including the supplied parameters (dst, src, length). With up to
>>>3 bytes ([1]) depending on alignment. If you align everything perfectly
>>>you can set the 3 high bytes of length to zero and so change how many
>>>dwords memcpy tries to copy in our case 0x000000??
>>
>
>>I should just point out the slight error in this analysis - in fact, the
>>exploit only overwrites two bytes of the length (incidentally, the
>
>
> Hi Ben,
>
> I never said that I was analysing the exploit when writing the part above,
> in fact I just saw what he did (without checking any offsets). I immediately
> recognised that he abuses this flaw in the memcpy routine. I knew this
> technique before he demonstrated that the so-called experts were wrong.
> But those experts also told the world that the php fileupload vulnerability
> would be too hard to exploit in the wild...
>
> If he overwrites only 2 bytes then it is his problem. If the alignment is
> perfect (and you can make it perfect with apache) you can write up to
> 3 bytes.
Indeed. In fact, he wanted to only overwrite 2 bytes, so it isn't really
a problem.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff