Full Disclosure mailing list archives

Re: Re: Buffer Overflow in ActivePerl?


From: Frederic Krueger <igetspam () bigfoot com>
Date: Tue, 18 May 2004 16:04:49 +0200

Hi..

Volker Tanger wrote:

Your command line parameters for perl.exe are probably:
        1.)     -e
        2.)     "$a="
        3.)     A
        4.)     " x 256; system($a)"

Thus are you sure you get $A set with 256 "A"s?
In short: He doesn't.. Perl will just issue a syntax error ;)

Besides:
The info on the http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt makes me think it's more of a kernel32.dll bug than a perl bug, especially if you look at part of the dump (notice the stack position? ;)):

ChildEBP RetAddr Args to Child
0140fc08 77c2ab2e 00220000 00000000 0182adc8 ntdll!RtlFreeHeap+0x3a1
0140fc50 280834b3 0182adc8 ffffffff 00223c48 MSVCRT!free+0xc3
0140fd3c 2808aaa1 00000000 01828764 0182add4 perl58!Perl_my_socketpair+0xed8
0140fd64 2808a9d8 01828764 0182864c 00000002 perl58!Perl_do_spawn+0xd8
0140fd9c 2805d784 00226678 00224064 28024499 perl58!Perl_do_spawn+0xf
0140fe24 280862de 00224064 77f944a8 00000007 perl58!Perl_runops_standard+0xc
0140ff3c 00401012 00000003 00223c10 00222bc8 perl58!RunPerl+0x86
0140ffc0 77e814c7 77f944a8 00000007 7ffdf000 perl+0x1012
0140fff0 00000000 00401016 00000000 00000000 kernel32!GetCurrentDirectoryW+0x44

*----> Raw Stack Dump <----*
000000000140fb4c  88 3f 22 00 c8 ad 82 01 - 00 00 00 00 41 00 41 00  .?".........A.A.
000000000140fb5c  41 00 41 00 41 00 41 00 - 41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

...

But then I've never really used the Windows Debugger (or done any Windows debugging at all, for that matter)..
It just looks like kernel32 is having the hiccup here..
And no, I'm not complaining that he doesn't even state the ActivePerl version that supposedly allowed passing the full string to the kernel32 getcurdir function..

Besides (as stated elsewhere here): It's not crashing on Win2K SP3 German edition, ActivePerl 5.8.x [x=1..4].

Bye,
Frederic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
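An added check, not part of this message or of the thread: the code below emulates the argv-splitting rules of the classic Microsoft C runtime (whitespace delimits arguments; a double quote toggles a quoted region even in the middle of a token; backslashes are literal unless they precede a quote, in which case pairs collapse and an odd trailing one escapes the quote). That is what a console program such as perl.exe is handed as argv when started by cmd.exe, assuming perl.exe takes the CRT's argv unchanged. The one-liner, the helper names and the expected values are constructed for illustration.

```python
"""Emulate how the Microsoft C runtime splits a Windows command line
into argv, and the inverse quoting needed to get a string through intact.
Added example; not code from the thread."""

WHITESPACE = " \t"


def crt_split(cmdline: str) -> list[str]:
    """Split cmdline the way the classic MSVCRT startup code builds argv.

    Rules (Microsoft, "Parsing C Command-Line Arguments"):
      * space/tab outside quotes separate arguments
      * a double quote toggles quoted mode; it may appear mid-token
      * 2n backslashes + quote -> n backslashes, quote is a delimiter
      * 2n+1 backslashes + quote -> n backslashes + literal quote
      * backslashes not followed by a quote are literal
    """
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    have_token = False  # distinguishes "" (empty argument) from nothing
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:
                    cur.append('"')            # escaped literal quote
                else:
                    in_quotes = not in_quotes  # quote acts as delimiter
                i = j + 1
            else:
                cur.append("\\" * nbs)         # plain backslashes
                i = j
            have_token = True
        elif c == '"':
            in_quotes = not in_quotes
            have_token = True
            i += 1
        elif c in WHITESPACE and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
            i += 1
        else:
            cur.append(c)
            have_token = True
            i += 1
    if have_token:
        args.append("".join(cur))
    return args


def crt_quote(arg: str) -> str:
    """Quote one argument so that crt_split() (and the real CRT) return it unchanged."""
    if arg and not any(c in arg for c in WHITESPACE + '"'):
        return arg
    out = ['"']
    pending_bs = 0
    for c in arg:
        if c == "\\":
            pending_bs += 1
        elif c == '"':
            # double the backslashes in front of a quote, then escape the quote
            out.append("\\" * (pending_bs * 2 + 1) + '"')
            pending_bs = 0
        else:
            out.append("\\" * pending_bs + c)
            pending_bs = 0
    out.append("\\" * (pending_bs * 2) + '"')  # backslashes before closing quote
    return "".join(out)


# Constructed command lines: the one-liner as discussed in the thread, and a
# version whose inner quotes are escaped for the CRT.
NAIVE_CMDLINE = 'perl -e "$a="A" x 256; system($a)"'
PERL_CODE = '$a="A" x 256; system($a)'
ESCAPED_CMDLINE = "perl -e " + crt_quote(PERL_CODE)


def argv_for(cmdline: str) -> list[str]:
    """argv as perl.exe would see it (argv[0] included)."""
    return crt_split(cmdline)


if __name__ == "__main__":
    for line in (NAIVE_CMDLINE, ESCAPED_CMDLINE):
        print(line)
        for k, a in enumerate(argv_for(line)):
            print(f"  argv[{k}] = {a!r}")
```

Fed the one-liner, the emulation yields two arguments after argv[0]: `-e` and the whole remainder `$a=A x 256; system($a)` as one string, since the quote after `$a=` closes a quoted region and the quote after `A` opens a new one with no unquoted whitespace in between, so the only thing lost is the pair of inner quotes. `crt_quote` produces `"$a=\"A\" x 256; system($a)"`, which round-trips the Perl code intact; anyone reproducing a crash from a one-liner on Windows should print `@ARGV`-style diagnostics (or run the code from a file) before trusting the argument they think they passed.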

