Re: Exploiting Buffer Overflows in CGI Scripts

From: b0iler _ (b0ilerat_private)
Date: Wed Jun 05 2002 - 23:48:48 PDT

    "I was looking for papers on exploiting buffer overflows in CGI scripts,
    but just couldn't manage to find any.
    
    I have several questions about:
    * How Apache or other web servers handle requests with binary data
      (shellcode).
    * How can someone issue a "Host:" tag after the "GET ... HTTP/1.0"
      line, if the evil buffer will get Apache to process the request?
    * On the above topic, are there any tricks to code the shellcode in
      order to avoid the web server doing so?"
    
    First, let's look at what CGI scripts are.  They are code which the web 
    server calls upon to do some processing.  So when you are exploiting a CGI 
    it might be coded in C, Perl, PHP, or pretty much any language which can 
    take input and send output.  With this in mind you do not need to read 
    papers on how to exploit CGI scripts, just papers on how to exploit any script 
    coded in that language, be it C, Perl, or any other.  I saw a reference to 
    rfp's paper in Phrack; this has nothing to do with exploiting buffer 
    overflows in CGI.  It is only about problems with using Perl as CGI, which 
    is, as far as I know, safe from buffer overflows (using a newer version of 
    Perl).  Your best bet would be to study how to exploit buffer overflows in C 
    and then exploit CGIs written in C.
    
    As for your question on how Host can be delivered: you are not exploiting 
    the Apache daemon, you are exploiting the script it calls.  So Apache is 
    processing everything fine; it is after that, when Apache calls upon the CGI, 
    that things go wrong.  Nothing (or very, very little) to do with how Apache 
    handles things.
    
    Shellcode isn't in binary.  I won't explain this since you'll learn about it 
    when you read more on buffer overflows.
    
    There aren't many buffer overflows in CGI scripts, since there aren't many CGI 
    scripts coded in C (I am unaware of JSP, ASP, PHP, Perl, etc. having many 
    problems with buffer overflows).  To exploit CGIs in Perl try reading 
    http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm which covers a lot 
    of ways to break and secure Perl scripts used as CGI.
    
    PS: A buffer overflow FAQ might be nice.  There are way too many questions 
    about them from newbies.  It might help them understand the papers better if 
    they know some of the basics first.
    
    http://b0iler.eyeonsecurity.net
    
    
    
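The kind of C CGI the reply points at, as an added example that is not part of the original post or of any real script: it shows where the web server leaves the request data for the script (the CGI/1.1 environment variables QUERY_STRING and REQUEST_METHOD, which Apache sets verbatim from the request line), the unbounded URL-decode that gives a classic stack overflow, and the length-bounded version beside it. The 64-byte NAME_LEN buffer and the "name" parameter are illustrative assumptions.

```c
/* Added example (not from the original post or from any real script):
 * a minimal C CGI showing where the request data arrives and where the
 * classic overflow lives.  Assumed here: the CGI/1.1 variables
 * QUERY_STRING and REQUEST_METHOD as Apache sets them; NAME_LEN and the
 * parameter name "name" are illustrative choices. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 64          /* illustrative stack buffer size */

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The vulnerable pattern.  Apache hands the query string over unchanged,
 * so with a NAME_LEN stack buffer in the caller a request such as
 *   GET /cgi-bin/hello?name=AAAA...(more than 64 bytes) HTTP/1.0
 * overruns it: nothing in the web server stands in the way, the bug is
 * entirely in the script.  Kept to show the defect; the request handler
 * below never calls it. */
void url_decode_unsafe(const char *src, char *dst) {
    while (*src) {
        if (*src == '+') { *dst++ = ' '; src++; }
        else if (*src == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
            *dst++ = (char)(hexval(src[1]) * 16 + hexval(src[2]));
            src += 3;
        } else *dst++ = *src++;
    }
    *dst = '\0';
}

/* Hardened form: source and destination are both length-bounded.  Returns
 * the decoded length, -1 if the result would not fit (NUL included),
 * -2 on a malformed or truncated %XX escape. */
static int url_decode_safe(const char *src, size_t srclen,
                           char *dst, size_t dstlen) {
    size_t i = 0, n = 0;
    if (dstlen == 0) return -1;
    while (i < srclen) {
        int ch;
        if (src[i] == '+') { ch = ' '; i++; }
        else if (src[i] == '%') {
            if (i + 2 >= srclen) return -2;          /* escape cut short */
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -2;
            ch = hi * 16 + lo;
            i += 3;
        } else ch = (unsigned char)src[i++];
        if (n + 1 >= dstlen) return -1;              /* keep room for NUL */
        dst[n++] = (char)ch;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Locate "key=" in a query string (NULL allowed); on success point *val
 * at the raw value and store its length (up to '&' or end).  Returns 1
 * if found, else 0. */
static int find_param(const char *query, const char *key,
                      const char **val, size_t *len) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *amp = strchr(p + klen + 1, '&');
            *val = p + klen + 1;
            *len = amp ? (size_t)(amp - *val) : strlen(*val);
            return 1;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return 0;
}

/* Decode the "name" parameter into a NAME_LEN buffer.  Returns 0 on
 * success, 1 if the parameter is missing, 2 if it is too long or
 * malformed, so the caller answers 400 instead of letting strcpy()
 * perform the overflow for it. */
int handle_name_param(const char *query, char name[NAME_LEN]) {
    const char *val;
    size_t vlen;
    if (!find_param(query, "name", &val, &vlen)) return 1;
    if (url_decode_safe(val, vlen, name, NAME_LEN) < 0) return 2;
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    const char *method = getenv("REQUEST_METHOD");
    const char *query = getenv("QUERY_STRING");  /* set by the server for GET */
    if (method && strcmp(method, "GET") != 0) {
        printf("Status: 405 Method Not Allowed\r\nContent-Type: text/plain\r\n\r\nGET only\n");
        return 0;
    }
    switch (handle_name_param(query, name)) {
    case 0:  printf("Content-Type: text/plain\r\n\r\nHello %s\n", name); break;
    case 1:  printf("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nmissing name\n"); break;
    default: printf("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nname too long or malformed\n");
    }
    return 0;
}
```

Run it under a CGI-capable server, or offline with `QUERY_STRING='name=b0iler' REQUEST_METHOD=GET ./hello`. The point matching the reply: the request, Host header and all, is parsed by Apache without complaint; the script only ever sees the already-extracted query string in its environment, and whether that string overruns a buffer is decided by the decode routine it calls, not by the server.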
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 08:54:12 PDT