Vulnerability Development mailing list archives
RE: Exploiting Buffer Overflows in CGI Scripts
From: Stuart Adamson <stuart.adamson () evolution net>
Date: Thu, 6 Jun 2002 20:06:52 +0100
> * How can someone issue a "Host:" tag after the "GET ... HTTP/1.0" line, if the evil buffer will get apache to process the request?
>
> As for your question on how Host can be delivered... you are not exploiting the apache daemon, you are exploiting the script it calls. So apache is processing everything fine; it is after that, when apache calls upon the cgi, that things go wrong. Nothing (or very very little) to do with how apache handles things.
I suspect what's going on here is that part of the exploit code in the URI is actually a carriage return. Therefore apache is seeing

    GET <first_bit_of_exploit_code_here>\r\n
    <last_bit_of_exploit_code> HTTP/1.0

As the first line doesn't contain the HTTP version, it assumes that it's HTTP/0.9 and so processes the request immediately.

You need to pass a Host header if you are attacking a web site on a shared server using name based virtual hosts, which is why this is a problem (and the fact that all your exploit code won't be reaching the CGI ;))

Stuart
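As an added illustration, not part of Stuart's post or of anything in the thread, the following Python models the request-line handling he describes: a request line that carries no `HTTP/x.y` token is treated as an HTTP/0.9 simple request, so the server reads no header lines at all (Host included) and nothing after that line is delivered to the script. The two sample requests, the `vhost.example` name and the `A`/`B` padding are constructed for the example; the parser is a deliberate simplification of server behaviour, not Apache's code. The `request_line_anomalies` check is the kind of test a reverse proxy or access-log normalizer could apply to flag requests whose first line was split by an embedded line break.

```python
from dataclasses import dataclass, field


@dataclass
class ParsedRequest:
    method: str
    uri: str
    version: str                 # "0.9" when the request line has no HTTP/x.y token
    headers: dict = field(default_factory=dict)
    remainder: bytes = b""       # bytes left after what the parser consumed:
                                 # the body for HTTP/1.x, everything after the
                                 # first line for an HTTP/0.9 simple request


def parse_request(raw: bytes) -> ParsedRequest:
    """Simplified model of HTTP request parsing (assumption, not Apache's code).

    The request line ends at the first CRLF.  If that line has no "HTTP/x.y"
    token the request is an HTTP/0.9 simple request: no header lines are read
    and the request is serviced immediately, exactly the behaviour the post
    describes.  Whatever follows the first line is returned unparsed.
    """
    line, _, rest = raw.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) >= 3 and parts[-1].startswith(b"HTTP/"):
        # HTTP/1.x: method, URI, version, then header lines up to a blank line.
        method, uri, version = parts[0], b" ".join(parts[1:-1]), parts[-1][5:]
        head, _, body = rest.partition(b"\r\n\r\n")
        headers = {}
        for hline in head.split(b"\r\n"):
            if b":" in hline:
                name, value = hline.split(b":", 1)
                headers[name.strip().decode().lower()] = value.strip().decode()
        return ParsedRequest(method.decode(), uri.decode("latin-1"),
                             version.decode(), headers, body)
    # No version token: HTTP/0.9 "GET <uri>" only.  Headers are never read,
    # so a Host: line sent later is never seen and name-based vhost
    # selection cannot happen.
    method, uri = parts[0], b" ".join(parts[1:])
    return ParsedRequest(method.decode(), uri.decode("latin-1"), "0.9", {}, rest)


def request_line_anomalies(raw: bytes) -> list:
    """Checks a proxy or log normalizer might apply to a raw request."""
    findings = []
    req = parse_request(raw)
    if req.version == "0.9":
        findings.append("HTTP/0.9 simple request: no version token, headers ignored")
        if req.remainder:
            findings.append("bytes after the first line were never parsed")
    # A version token that only appears after a line break means the line
    # the client intended as its request line was split by an embedded CR/LF.
    idx = raw.find(b" HTTP/")
    if idx != -1 and b"\n" in raw[:idx]:
        findings.append("request line split by embedded CR/LF before the version token")
    return findings


# Constructed samples.  The second one places a CRLF inside the query string,
# which is the situation the post describes (the padding is plain letters).
NORMAL_REQUEST = (b"GET /cgi-bin/script?name=x HTTP/1.0\r\n"
                  b"Host: vhost.example\r\n\r\n")
SPLIT_REQUEST = (b"GET /cgi-bin/script?" + b"A" * 8 + b"\r\n" + b"B" * 8 +
                 b" HTTP/1.0\r\nHost: vhost.example\r\n\r\n")


if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_REQUEST), ("split", SPLIT_REQUEST)):
        req = parse_request(raw)
        print(label, "version:", req.version, "host:", req.headers.get("host"),
              "uri:", req.uri, "unparsed:", req.remainder)
        print(label, "findings:", request_line_anomalies(raw))
```

Run as a script, the split request parses as version `0.9` with an empty header set and the whole tail (the second half of the query string, the version token and the Host line) left in `remainder`; that is the concrete reason the Host header is never honoured and the trailing bytes never reach the CGI. The anomaly check flags the same request three ways, while the well-formed request produces no findings.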
Current thread:
- Exploiting Buffer Overflows in CGI Scripts franciozzy (Jun 04)
- Re: Exploiting Buffer Overflows in CGI Scripts Vladimir P (Jun 04)
- <Possible follow-ups>
- Re: Exploiting Buffer Overflows in CGI Scripts b0iler _ (Jun 06)
- RE: Exploiting Buffer Overflows in CGI Scripts Stuart Adamson (Jun 06)