Vulnerability Development: Re: Exploiting Buffer Overflows in CGI Scripts

Re: Exploiting Buffer Overflows in CGI Scripts

From: b0iler _ <b0iler_at_hotmail.com>
Date: Thu, 06 Jun 2002 00:48:48 -0600

"I was looking for papers on exploiting buffer overflows in CGI Scripts,
but just couldn't manage to find any.

I have several questions about:
* How apache or other webservers handles requests with binary data
  (shellcode).
* How can someone issue a "Host:" tag after the "GET ... HTTP/1.0"
  line, if the evil buffer will get apache to process the request.
* On the above topic, are there any tricks to code the shellcode in
  order to keep the webserver from doing so?"

First, let's look at what cgi scripts are. They are code which the web
server calls upon to do some processing. So when you are exploiting a cgi
it might be coded in C, perl, php, or pretty much any language which can
take input and send output. With this in mind you do not need to read
papers on how to exploit cgi scripts, but just any script coded in that
language. Be it C, perl, or any other. I saw a reference to rfp's paper in
phrack; this has nothing to do with exploiting buffer overflows in cgi.
It is only about problems with using perl as cgi, which is afaik safe from
buffer overflows (using a newer version of perl). Your best bet would be to
study how to exploit buffer overflows in C and then exploit cgi's written in
C.

As for your question on how Host can be delivered.. you are not exploiting
the apache daemon, you are exploiting the script it calls. So apache is
processing everything fine; it is after that, when apache calls upon the cgi,
that things go wrong. It has nothing (or very very little) to do with how
apache handles things.

shellcode isn't in binary. I won't explain this since you'll learn about it
when you read more on buffer overflows.

There aren't many buffer overflows in CGI scripts, since there aren't many CGI
scripts coded in C (I am unaware of jsp, asp, php, perl, etc. having much
problems with buffer overflows). To exploit cgi's in perl try reading
http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm which covers a lot
of ways to break and secure perl scripts used as cgi.

ps. A buffer overflow faq might be nice. There are way too many questions
about them from newbies. It might help them understand the papers better if
they know some of the basics first.

http://b0iler.eyeonsecurity.net

Received on Jun 06 2002
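The point of the reply above, that the overflow lives in the C program the web server invokes rather than in httpd, and that the attacker's bytes reach that program through the CGI interface, can be seen in a small C CGI. This is an added example and is not code from the original post or from b0iler's tutorial. It assumes the classic CGI contract (the part of the URL after "?" arrives in the QUERY_STRING environment variable, a POST body on stdin with its size in CONTENT_LENGTH); the buffer size, function names and sample inputs are assumptions for illustration. The unbounded decoder shows the vulnerable pattern, the bounded one beside it the fix.

```c
/* Added example (not from the original post): a C CGI that %XX-decodes
 * QUERY_STRING into a fixed stack buffer. The web server has already
 * accepted and parsed the HTTP request by the time this code runs; the
 * overflow, when there is one, happens here in the child process.
 * NAME_MAX, the function names and the sample inputs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 64   /* assumed size of the application's stack buffer */

/* Decode one %XX or '+' token at *src. Writes the byte to *out and returns
 * how many input characters were consumed (1 or 3). '%' not followed by
 * two hex digits is copied literally. */
static int decode_token(const char *src, unsigned char *out)
{
    if (*src == '+') { *out = ' '; return 1; }
    if (*src == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
        char hex[3] = { src[1], src[2], 0 };
        *out = (unsigned char)strtol(hex, NULL, 16);
        return 3;
    }
    *out = (unsigned char)*src;
    return 1;
}

/* Vulnerable pattern: no bound on dst. A query longer than the caller's
 * buffer overwrites whatever follows it on the stack, and %XX encoding lets
 * the attacker place arbitrary byte values there (a %00 simply ends the C
 * string early). Kept for contrast; main() does not call it. */
void decode_unbounded(const char *src, char *dst)
{
    while (*src) {
        unsigned char c;
        src += decode_token(src, &c);
        *dst++ = (char)c;
    }
    *dst = '\0';
}

/* Bounded version: returns the number of decoded bytes, or -1 when the
 * decoded value plus its terminator would not fit in dstlen bytes. On -1
 * the partial content of dst must not be used. */
int decode_bounded(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0)
        return -1;
    while (*src) {
        unsigned char c;
        src += decode_token(src, &c);
        if (n + 1 >= dstlen)          /* need room for this byte and the NUL */
            return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Runs as a real CGI: Apache passes the request data in the environment,
 * so getenv() is the attacker-controlled input. */
int main(void)
{
    const char *qs = getenv("QUERY_STRING");
    char name[NAME_MAX];

    printf("Content-Type: text/plain\r\n\r\n");
    if (qs == NULL) {
        printf("no query string\n");
        return 0;
    }
    if (decode_bounded(qs, name, sizeof name) < 0) {
        printf("query too long (limit %d bytes)\n", NAME_MAX - 1);
        return 0;
    }
    printf("hello, %s\n", name);
    return 0;
}
```

Compile it with `cc -o test.cgi test.c` and run `QUERY_STRING='a+b%41' ./test.cgi` to see the same input the server would hand it; a query of more than 63 decoded bytes is refused instead of running off the end of `name`.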