Re: Exploiting Buffer Overflows in CGI Scripts

From: b0iler _ (b0ilerat_private)
Date: Wed Jun 05 2002 - 23:48:48 PDT

Next message: Admin: "Re: DNS Version check."

Previous message: Nexus: "Re: DNS Version check."
Maybe in reply to: franciozzyat_private: "Exploiting Buffer Overflows in CGI Scripts"
Next in thread: Stuart Adamson: "RE: Exploiting Buffer Overflows in CGI Scripts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"I was looking for papers on exploiting buffer overflows in CGI Scripts,
but just couldn't manage to find any.

I have several questions about:
* How apache or other webservers handles requests with binary data
  (shellcode).
* How can someone issue a "Host:" tag after the "GET ... HTTP/1.0"
  line, if the evil buffer will get apache to process the request.
* On the above topic, is there any tricks to code the shellcode in
  order to avoid the webserver to do so?"

First, lets look at what cgi scripts are.  They are code which the web 
server calls apon to do some processing.  So when you are exploitting a cgi 
it might be coded in C, perl, php, or pretty much any language which can 
take input and send output.  With this in mind you do not need to read 
papers on how to exploit cgi scripts, but just any script coded in that 
language.  Be it C, perl, or any other.  I saw a reference to rfp's paper in 
phrack, this has nothing to do with exploiting buffer overflows in cgi.  
This is only problems with using perl as cgi, which are afaik safe from 
buffer overflows (using a newer version of perl).  Your best bet would be to 
study how to exploit buffer overflows in C and then exploit cgi's written in 
C.

As for your question on how Host can be delivered.. you are not exploiting 
the apache daemon, you are exploiting the script it calls.  So the apache is 
processing everything fine, it is after that when apache calls apon the cgi 
that things go wrong.  Nothing (or very very little) to do with how apache 
handles things.

shellcode isn't in binary.  I won't explain this since you'll learn about it 
when you read more on buffer overflows.

There isn't many buffer overflows in CGI scripts, since there isn't many CGI 
scripts coded in C (I am unaware of jsp,asp,php,perl, etc.. having much 
problems with buffer overflows).  To exploit cgi's in perl try reading 
http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm  which covers alot 
of ways to break and secure perl scripts used as cgi.

ps. A buffer overflow faq might be nice.  There is way too many questions 
about them from newbies.  Might help them understand the papers better if 
they know some of the basics first.

http://b0iler.eyeonsecurity.net



_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

Next message: Admin: "Re: DNS Version check."
Previous message: Nexus: "Re: DNS Version check."
Maybe in reply to: franciozzyat_private: "Exploiting Buffer Overflows in CGI Scripts"
Next in thread: Stuart Adamson: "RE: Exploiting Buffer Overflows in CGI Scripts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 08:54:12 PDT