Vulnerability Development mailing list archives

Re: Sendmail's prescan exploit thoughts


From: "Roland Postle" <mail () blazde co uk>
Date: Thu, 3 Apr 2003 21:06:09 -0500

> Thoughts, anyone?

A couple...

The overflown string doesn't have to end with \0: if you terminate the
prescan()ed string with some valid chars (e.g. "...\\\377\\\377a"), the length
check will fail and exit without appending a null.

I haven't found any way to avoid an error (i.e. a call to usrerr()), which
then triggers an exception, which is caught beyond the stack frame you
overwrite (in smtp()). Hence the relevant function never actually returns,
and your overwritten saved eip/ebp value never gets used. However, you can
overwrite the exception handler structure (and its saved registers) in some
cases. I've experimented a bit with moving ebp further down the stack, but
not found a way to control the data it points to. I think that's the only
chance for a semi-generic exploit.

As you say, you can also overwrite some variables on the stack which may get
used before the exception's thrown (the addr argument in parseaddr() is one
that comes to mind), but in the binaries I've looked at all the useful ones
are kept live in registers, so overwriting them has no effect.

- Blazde
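The control flow the post relies on, as an added C model written for this archive page (it is not sendmail's code and not Blazde's): an over-long address makes prescan() call usrerr(), the error is caught by a setjmp() recovery point in smtp(), and so neither prescan() nor parseaddr() ever executes its epilogue or writes the terminating NUL. The names smtp(), parseaddr(), prescan(), usrerr(), pvpbuf and TopFrame are borrowed from sendmail for readability only; the function bodies, the 32-byte buffer, the backslash handling and the five-byte guard distance are assumptions, and there is deliberately no overflow here, just the error path and what it skips.

```c
/* Constructed model for this note (not sendmail's code): smtp() owns a
 * setjmp() recovery point, parseaddr() calls prescan(), and when prescan()
 * rejects an over-long address it calls usrerr(), which longjmp()s straight
 * back to smtp(). Neither prescan() nor parseaddr() runs its epilogue, so
 * saved eip/ebp values in those frames are never loaded, and the NUL that
 * prescan() would append on success is never written. */
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

#define PVPBUFSIZE 32                 /* buffer size chosen for the demo (assumed) */

static jmp_buf TopFrame;              /* recovery point set by smtp() (name assumed) */
static char pvpbuf[PVPBUFSIZE];       /* in sendmail this is a local of the caller;
                                         global here so it can be inspected */
static int prescan_returned;          /* 1 only if prescan() returned normally */
static int nul_appended;              /* 1 only if prescan() wrote its NUL */

/* usrerr(): abandon the current SMTP command; never returns */
static void usrerr(const char *msg)
{
    (void)msg;
    longjmp(TopFrame, 1);
}

/* Stand-in prescan(): copy one token into buf, treating "\x" as the literal
 * byte x (0xff included), and refuse to write within 5 bytes of the end.
 * The guard distance mirrors the real check; everything else is a model. */
static void prescan(const char *addr, char *buf, size_t bufsize)
{
    const char *p = addr;
    char *q = buf;

    for (;;) {
        int c = (unsigned char)*p++;
        if (c == '\\') {
            c = (unsigned char)*p++;  /* next byte taken literally */
            if (c == '\0')
                break;
        } else if (c == '\0' || c == ' ') {
            break;
        }
        if (q >= &buf[bufsize - 5])
            usrerr("553 Address too long");   /* longjmp: nothing below runs */
        *q++ = (char)c;
    }
    *q = '\0';
    nul_appended = 1;
}

static void parseaddr(const char *addr)
{
    prescan(addr, pvpbuf, sizeof pvpbuf);
    prescan_returned = 1;             /* reached only on prescan()'s normal return */
}

/* smtp(): process one address under the recovery point.
 * Returns 0 if parseaddr() completed, 1 if usrerr() aborted it. */
static int smtp(const char *addr)
{
    prescan_returned = 0;
    nul_appended = 0;
    memset(pvpbuf, 'X', sizeof pvpbuf);   /* sentinel: a missing NUL stays visible */
    if (setjmp(TopFrame) != 0)
        return 1;                         /* arrived here from usrerr() */
    parseaddr(addr);
    return 0;
}

/* 1 if pvpbuf contains any NUL byte at all */
static int pvpbuf_has_nul(void)
{
    return memchr(pvpbuf, '\0', sizeof pvpbuf) != NULL;
}

int main(void)
{
    /* constructed inputs: a normal address, and one that trips the length
       check while ending in the escaped bytes "\\\377\\\377a" from the post */
    const char *ok = "user@example.com";
    const char *too_long = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\\377\\\377a";
    int st;

    st = smtp(ok);
    printf("short: status=%d returned=%d nul=%d\n", st, prescan_returned, nul_appended);
    st = smtp(too_long);
    printf("long:  status=%d returned=%d nul=%d has_nul=%d\n",
           st, prescan_returned, nul_appended, pvpbuf_has_nul());
    return 0;
}
```

On the long input the second line reports status=1 with returned=0 and nul=0: control goes from usrerr() directly to smtp(), the bytes already copied stay in pvpbuf with no terminator, and nothing in the abandoned frames is ever popped. That is why an overwritten return address in prescan() or its caller is dead weight here and the structure longjmp() actually consults is the one worth reaching; where a jmp_buf or exception context lands relative to the overflowed buffer depends on the compiler and the binary, so check the layout of the build in hand rather than assuming it.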

