Re: Rumours about Apache 1.3.22 exploits

[Erik Tayler <erik () digitaloffense net>]

How large is the binary you have (73501867)? I have two different versions of 
what appear the be the same exploit, and I have seen others as well (all with 
the exact same functionality and strings output, yet different sizes).

-rw-r--r--    1 nein     users       41948 Feb 28 23:08 73501867.bin
-rw-r--r--    1 nein     users        3118 Mar  5 02:06 73501867.strings
-rw-r--r--    1 nein     users       33189 Feb 28 23:03 php4x.bin
-rw-r--r--    1 nein     users        3118 Feb 28 23:03 php4x.strings

I've heard that there are several version floating around to "throw people 
off", none of which are actually functional. Both of mine are dynamically 
linked, unstripped. Any thoughts would be appreciated.

Erik Tayler
erik at digitaloffense dot net

On Thursday 28 February 2002 11:03 am, VeNoMouS wrote:
> Actally I was pasted on a so called exploit this afternoon which claims to
> exploit via post but was only pasted on a binary,
> how ever please watch out for this I beleave its a working exploit but it
> also seems to open up a udp port on 3049 and some how seems to cloning the
> last proc , when stracing the 3049 all it seems to do is sit there and
> recv(...) and does nothing when you type anything.
>
> binary is called 73501867 - x86/linux mod_php v4.0.2rc1-v4.0.5 by lorian.
>
> Has any one seen this about before?? Is this a trojan , if not then why
> does it open udp 3049 even after a reboot.
> i trace the proc opening that port kill it and it seems to clone some how
> my last proc and then 2mins l8r opens the port again.
>
> Any ideas?
>
>
> ----- Original Message -----
> From: "Olaf Kirch" <okir () caldera de>
> To: "H D Moore" <hdm () digitaloffense net>
> Cc: <fractalg () highspeedweb net>; <vuln-dev () securityfocus com>
> Sent: Wednesday, February 27, 2002 3:07 AM
> Subject: Re: Rumours about Apache 1.3.22 exploits
>
> > > There is a bug in the php_split_mime function in PHP 3.x and 4.x. There
>
> is a
>
> > > working exploit floating around which provides a remote bindshell for
>
> PHP
>
> > > versions 4.0.1 to 4.0.6 with a handful of default offsets for different
> > > platforms.
> >
> > Blechch. This code is really icky. There's really an sprintf down there
> > in the code that looks bad (apart from a few other things that look bad).
> > But if I don't misread the patch, the sprintf is still there in 4.1.1.
> >
> > > Since the PHP developers commited another change to the affected
> > > source file (rfc1687.c) about two days ago, speculation is that there
> > > is
>
> yet
>
> > > another remote exploit.
> >
> > Not in the public CVS (has been removed?)
> >
> > Olaf
> > --
> > Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we
> > play okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah
> > kin.ir.samse.qurax okir () caldera de    +-------------------- Why Not?!
> > ----------------------- UNIX, n.: Spanish manufacturer of fire
> > extinguishers.