Vulnerability Development mailing list archives

RE: Exploiting Buffer Overflows in CGI Scripts


From: Stuart Adamson <stuart.adamson () evolution net>
Date: Thu, 6 Jun 2002 20:06:52 +0100


* How can someone issue a "Host:" tag after the "GET ... HTTP/1.0"
  line, if the evil buffer will get apache to process the request.

As for your question on how Host can be delivered... you are not exploiting the apache daemon, you are exploiting the script it calls. So the apache is processing everything fine, it is after that when apache calls upon the cgi that things go wrong. Nothing (or very very little) to do with how apache handles things.

I suspect what's going on here is that part of the exploit code
in the URI is actually a carriage return.  Therefore apache is seeing

GET <first_bit_of_exploit_code_here>\r\n
<last_bit_of_exploit_code> HTTP/1.0

As the first line doesn't contain the HTTP version it assumes that it's
HTTP/0.9 and so processes the request immediately.

You need to pass a host header if you are attacking a web site on a shared
server using name based virtual hosts which is why this is a problem
(and the fact that all your exploit code won't be reaching the CGI ;))


Stuart
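
As an added illustration (not part of the thread), a small Python model of the request-line split described above, plus a defender-side check that flags the resulting HTTP/0.9 fallback; the request strings are constructed samples with placeholder text, not payloads, and the `/cgi-bin/` path is an assumption.

```python
import re
from typing import NamedTuple

class Request(NamedTuple):
    method: str
    uri: str
    version: str
    headers: dict
    simple: bool  # True when treated as an HTTP/0.9 "simple request"

def parse_request(raw: bytes) -> Request:
    """Split a raw request the way a 1.x server does: only the text up to
    the first line feed is the request line.  A request line with no
    version token is an HTTP/0.9 simple request, which by definition has
    no headers, so everything after the break (including Host:) is never
    interpreted."""
    line, _, rest = raw.partition(b"\n")
    # Tokens are separated by spaces/tabs only; a bare CR stays in the token.
    parts = re.split(rb"[ \t]+", line.rstrip(b"\r").strip(b" \t"))
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, uri = parts[0].decode("ascii"), parts[1].decode("latin-1")
    if len(parts) == 2:
        return Request(method, uri, "HTTP/0.9", {}, True)
    headers = {}
    for hline in rest.split(b"\n"):
        hline = hline.rstrip(b"\r")
        if not hline:
            break  # blank line ends the header block
        name, _, value = hline.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = \
            value.strip().decode("latin-1")
    return Request(method, uri, parts[2].decode("ascii"), headers, False)

def looks_like_split_request(req: Request) -> bool:
    """Detection: a request that fell back to HTTP/0.9 on a CGI path, or
    whose URI carries control bytes, is the footprint of a request line
    cut by an embedded CR/LF (assumed CGI prefix: /cgi-bin/)."""
    has_ctrl = any(ord(c) < 0x20 or c == "\x7f" for c in req.uri)
    return (req.simple and "/cgi-bin/" in req.uri) or has_ctrl

# Constructed samples; AAAA/BBBB stand in for the long URI, not a payload.
NORMAL = b"GET /cgi-bin/script?name=alice HTTP/1.0\r\nHost: vhost.example\r\n\r\n"
SPLIT = b"GET /cgi-bin/script?name=AAAA\r\nBBBB HTTP/1.0\r\nHost: vhost.example\r\n\r\n"
CR_ONLY = b"GET /cgi-bin/script?name=A\rB HTTP/1.0\r\nHost: vhost.example\r\n\r\n"
```

In the split case the parser never sees the `Host:` line, which is exactly why a name-based virtual host cannot be selected; in the access log such a request shows up without an HTTP version.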

