Home page logo

bugtraq logo Bugtraq mailing list archives

Apache Exploit
From: Stefan Esser <sesser () php net>
Date: Thu, 20 Jun 2002 10:30:48 +0200


i heard several people looking at the gobbles exploit and believing it
can only be fake:

here is my little explanation how bsd memcpy can be exploited:

first a snipset of the bsd memcpy code:

        addl    %ecx,%edi       /* copy backwards. */
        addl    %ecx,%esi
[1]     andl    $3,%ecx         /* any fractional bytes? */
        decl    %edi
        decl    %esi
[X]     movl    20(%esp),%ecx   /* copy remainder by words */
        shrl    $2,%ecx
        subl    $3,%esi
        subl    $3,%edi

In Apache we trigger exactly this piece of code: bsd thinks the two
buffers are overlapping and so it wants to copy backward.
The problem is that you are able to overwrite the call to memcpy
including the supplied paramters (dst, src, length). With up to
3 bytes ([1]) depending on alignment. if you align everything perfectly
you can set the 3 high bytes of length to zero and so change how many
dwords memcpy tries to copy in our case 0x000000?? 
This is only possible because the code reads the length param again from
stack [X]... This way you can easily survive the call and overwrite 
the saved instruction pointer before the memcpy call...

just my 0.02 cents

Stefan Esser - e-matters Security

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]