Message-ID: <40AA1801.6000203@bigfoot.com>
From: igetspam at bigfoot.com (Frederic Krueger)
Subject: Re: Buffer Overflow in ActivePerl?
Hi..
Volker Tanger wrote:
>Your command line parameters for perl.exe are probably:
> 1.) -e
> 2.) "$a="
> 3.) A
> 4.) " x 256; system($a)"
>
>Thus are you sure you get $A set with 256 "A"s?
>
>
In short: He doesn't.. Perl will just issue a syntax error ;)
Besides:
The info on the
http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt makes me
think it's more of a kernel32.dll bug than a perl bug, especially if you
look at part of the dump (notice the stack position? ;)):
ChildEBP RetAddr Args to Child
0140fc08 77c2ab2e 00220000 00000000 0182adc8 ntdll!RtlFreeHeap+0x3a1
0140fc50 280834b3 0182adc8 ffffffff 00223c48 MSVCRT!free+0xc3
0140fd3c 2808aaa1 00000000 01828764 0182add4 perl58!Perl_my_socketpair+0xed8
0140fd64 2808a9d8 01828764 0182864c 00000002 perl58!Perl_do_spawn+0xd8
0140fd9c 2805d784 00226678 00224064 28024499 perl58!Perl_do_spawn+0xf
0140fe24 280862de 00224064 77f944a8 00000007 perl58!Perl_runops_standard+0xc
0140ff3c 00401012 00000003 00223c10 00222bc8 perl58!RunPerl+0x86
0140ffc0 77e814c7 77f944a8 00000007 7ffdf000 perl+0x1012
0140fff0 00000000 00401016 00000000 00000000 kernel32!GetCurrentDirectoryW+0x44
*----> Raw Stack Dump <----*
000000000140fb4c 88 3f 22 00 c8 ad 82 01 - 00 00 00 00 41 00 41 00 .?".........A.A.
000000000140fb5c 41 00 41 00 41 00 41 00 - 41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
...
But then I've never really used the Windows Debugger (or done any Windows
Debugging at all for that matter)..
It just looks like kernel32 is having the hiccup here..
And no, I'm not complaining that he isn't even stating the ActivePerl
version that supposedly allowed passing the full string to the
kernel32-getcurdir function..
Besides (as stated elsewhere here): It's not crashing on Win2K SP3
German edition, ActivePerl 5.8.x [x=1..4].
Bye,
Frederic
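Added illustration (not part of the thread): the quoting point Volker raises is about how the C runtime on Windows turns a command line into argv before perl.exe ever sees "-e". The script below reimplements the documented MS C runtime splitting rules (whitespace separates arguments, double quotes toggle quoted mode and may appear mid-argument, backslashes are literal except in front of a quote; the newer "" rule is left out) and applies them to two constructed command lines. The exact command line from the original advisory is not on the page, so the first input is an assumption shaped after Volker's four-item list; it shows that the text reaching -e is just "$a=", which is why Perl reports a syntax error rather than running system() with 256 "A"s.

```python
"""Windows C runtime argv splitting, reimplemented to triage quoting problems
in vulnerability reports. Added example; not code from the list thread."""


def split_windows_cmdline(cmdline):
    """Split cmdline into argv the way the MS C runtime does.

    Rules modelled:
      * space/tab outside quotes ends the current argument
      * a double quote toggles quoted mode; it may sit inside an argument
      * backslashes are literal unless followed by a double quote:
          2n backslashes + quote -> n backslashes, quote is a delimiter
          2n+1 backslashes + quote -> n backslashes, quote is literal
    Not modelled: the post-2008 "" -> literal quote rule inside quotes.
    """
    args = []
    cur = []
    in_quotes = False
    have_arg = False      # distinguishes "" (empty arg) from no arg at all
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2 == 1:
                    cur.append('"')           # escaped literal quote
                else:
                    in_quotes = not in_quotes  # quote acts as delimiter
                i = j + 1
            else:
                cur.append("\\" * nbs)         # backslashes are literal
                i = j
            have_arg = True
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
            continue
        if c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
            continue
        cur.append(c)
        have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def perl_e_program(cmdline):
    """Return (program text that follows -e, remaining argv) for a perl command line."""
    argv = split_windows_cmdline(cmdline)
    if "-e" not in argv:
        return None, argv
    idx = argv.index("-e")
    return argv[idx + 1] if idx + 1 < len(argv) else None, argv[idx + 2:]


# Constructed inputs (assumption: the advisory's real command line is not on the page).
NAIVE_CMDLINE = 'perl -e "$a=" A " x 256; system($a)"'      # quotes end the -e argument early
QUOTED_CMDLINE = "perl -e \"$a='A' x 256; system($a)\""     # single quotes keep it intact

if __name__ == "__main__":
    for label, line in (("naive", NAIVE_CMDLINE), ("quoted", QUOTED_CMDLINE)):
        prog, rest = perl_e_program(line)
        print(f"{label}: -e receives {prog!r}; leftover argv {rest}")
```

With the naive form, perl gets "$a=" as the whole program and "A" plus " x 256; system($a)" as separate arguments, matching the four-way split described in the quoted reply; only the second form hands the complete statement to -e.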