RE: Exploiting Buffer Overflows in CGI Scripts

From: Stuart Adamson (stuart.adamsonat_private)
Date: Thu Jun 06 2002 - 12:06:52 PDT


    > * How can someone issue a "Host:" tag after the "GET ... HTTP/1.0"
    >   line, if the evil buffer will get apache to process the request.
    >
    > As for your question on how Host can be delivered.. you are 
    > not exploiting 
    > the apache daemon, you are exploiting the script it calls.  
    > So the apache is 
    > processing everything fine, it is after that when apache 
    > calls upon the cgi 
    > that things go wrong.  Nothing (or very very little) to do 
    > with how apache 
    > handles things.
    
    I suspect what's going on here is that part of the exploit code
    in the URI is actually a carriage return.  Therefore apache is seeing
    
    GET <first_bit_of_exploit_code_here>\r\n
    <last_bit_of_exploit_code> HTTP/1.0
    
    As the first line doesn't contain the HTTP version it assumes that it's
    HTTP/0.9 and so processes the request immediately.
    
    You need to pass a host header if you are attacking a web site on a shared
    server using name based virtual hosts which is why this is a problem
    (and the fact that all your exploit code won't be reaching the CGI ;))
    
    
    Stuart
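
    An added illustration of the mechanism Stuart describes (example code written for this
    page, not Apache's parser and not from the original post): a server takes the request
    line as everything up to the first line break, and a request line without an `HTTP/x.y`
    token is treated as an HTTP/0.9 "simple request", so whatever follows the embedded
    CR/LF is discarded and never reaches the CGI. The `inspect_request` function below is a
    hypothetical log-review helper that flags such 0.9 simple requests, a version token that
    was pushed past a line break, and full requests arriving without a `Host:` header (which
    matters on name-based virtual hosts). All sample requests are constructed for the example.

```python
"""Simplified model of request-line handling, for reviewing captured requests.

This is an illustrative model of the behaviour discussed in the thread, not
Apache's actual code. Sample requests at the bottom are constructed here.
"""


def split_request(raw: bytes):
    """Request line = bytes up to the first LF (a trailing CR is stripped); the rest follows."""
    line, _, remainder = raw.partition(b"\n")
    return line.rstrip(b"\r"), remainder


def parse_request_line(line: bytes) -> dict:
    """Decode method, URI and version. No 'HTTP/' token means an HTTP/0.9 simple request."""
    tokens = line.split()
    info = {"method": "", "uri": "", "version": None, "simple_request": True}
    if not tokens:
        return info
    info["method"] = tokens[0].decode("latin-1")
    if len(tokens) >= 2:
        info["uri"] = tokens[1].decode("latin-1")
    if len(tokens) >= 3 and tokens[-1].startswith(b"HTTP/"):
        info["version"] = tokens[-1].decode("latin-1")
        info["simple_request"] = False
    return info


def parse_headers(remainder: bytes) -> dict:
    """Parse 'Name: value' header lines up to the blank line; names are lower-cased."""
    head, _, _ = remainder.partition(b"\r\n\r\n")
    headers = {}
    for header_line in head.splitlines():
        name, sep, value = header_line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def inspect_request(raw: bytes) -> dict:
    """Return parsed fields plus a list of findings worth a second look."""
    line, remainder = split_request(raw)
    info = parse_request_line(line)
    findings = []
    if info["simple_request"]:
        # HTTP/0.9: the server answers the request line alone and drops everything after it.
        findings.append("http09_simple_request")
        info["discarded"] = remainder
        if b"HTTP/" in remainder:
            # A version token turning up after the line break means the request line was
            # split by an embedded CR/LF, which is exactly the situation the thread describes.
            findings.append("split_request_line")
    else:
        headers = parse_headers(remainder)
        info["headers"] = headers
        if "host" not in headers:
            # Without Host: a name-based virtual host server falls back to its default site.
            findings.append("missing_host_header")
    info["findings"] = findings
    return info


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = b"GET /cgi-bin/foo.cgi?x=1 HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SPLIT_REQUEST = b"GET /cgi-bin/foo.cgi?AAAA\r\nBBBB HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
NO_HOST_REQUEST = b"GET /cgi-bin/foo.cgi HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for raw in (NORMAL_REQUEST, SPLIT_REQUEST, NO_HOST_REQUEST):
        result = inspect_request(raw)
        print(result["method"], result["uri"], result["version"], result["findings"])
```

    The point the model makes visible is the second sample: the server sees a two-token
    request line, treats it as HTTP/0.9, and the bytes after the CR/LF (including the
    `Host:` header) are simply discarded, which is why neither the rest of the payload nor
    the virtual-host selection ever reaches the CGI.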
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:21:00 PDT