"I was looking for papers on exploiting buffer overflows in CGI Scripts, but just couldn't manage to find any. I have several questions about: * How apache or other webservers handles requests with binary data (shellcode). * How can someone issue a "Host:" tag after the "GET ... HTTP/1.0" line, if the evil buffer will get apache to process the request. * On the above topic, is there any tricks to code the shellcode in order to avoid the webserver to do so?" First, lets look at what cgi scripts are. They are code which the web server calls apon to do some processing. So when you are exploitting a cgi it might be coded in C, perl, php, or pretty much any language which can take input and send output. With this in mind you do not need to read papers on how to exploit cgi scripts, but just any script coded in that language. Be it C, perl, or any other. I saw a reference to rfp's paper in phrack, this has nothing to do with exploiting buffer overflows in cgi. This is only problems with using perl as cgi, which are afaik safe from buffer overflows (using a newer version of perl). Your best bet would be to study how to exploit buffer overflows in C and then exploit cgi's written in C. As for your question on how Host can be delivered.. you are not exploiting the apache daemon, you are exploiting the script it calls. So the apache is processing everything fine, it is after that when apache calls apon the cgi that things go wrong. Nothing (or very very little) to do with how apache handles things. shellcode isn't in binary. I won't explain this since you'll learn about it when you read more on buffer overflows. There isn't many buffer overflows in CGI scripts, since there isn't many CGI scripts coded in C (I am unaware of jsp,asp,php,perl, etc.. having much problems with buffer overflows). To exploit cgi's in perl try reading http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm which covers alot of ways to break and secure perl scripts used as cgi. ps. A buffer overflow faq might be nice. There is way too many questions about them from newbies. Might help them understand the papers better if they know some of the basics first. http://b0iler.eyeonsecurity.net _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 08:54:12 PDT