Full Disclosure mailing list archives
Re: Apache 2.2.17 exploit?
From: halfdog <me () halfdog net>
Date: Tue, 04 Oct 2011 22:13:35 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 halfdog wrote:
Hello Kai, Kai wrote:Hi halfdog,Just for those, who want to build their own apache shell code for testing purposes, this snip might be of some use. ...wasn't that bug fixed a long ago? https://bugs.php.net/bug.php?id=38915 ---> https://issues.apache.org/bugzilla/show_bug.cgi?id=46425 sorry if i'm talking about different thing.Thanks for the link. I have to look into it closer, perhaps my code is just working because I dup2 the fd to stdin before exec, which might get rid of the FD_CLOEXEC. At least in tests, where I injected code into mpm-worker on x86 (32bit) using gdb and other methods, it succeeded in giving me remote shell.
Yes, it's the the dup2 that does the trick: man: dup, dup2 - duplicate a file descriptor The two descriptors do not share file descriptor flags (the close-on-exec flag). The close-on-exec flag (FD_CLOEXEC; see fcntl(2)) for the duplicate descriptor is off. That is why, the tcp-sock fd stays alive after execv("/bin/sh", ...) hd http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFOi4TuxFmThv7tq+4RAi5bAJ9P7/gQ4tF7LKhJ/+kAndcmUVOZZACfabNt rBoepsZNTJ6Ygoob2jrPtYg= =u+TM -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Apache 2.2.17 exploit?, (continued)
- Re: Apache 2.2.17 exploit? Darren Martyn (Oct 04)
- Re: Apache 2.2.17 exploit? halfdog (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? Kai (Oct 04)
- Re: Apache 2.2.17 exploit? Andrew Farmer (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? Valdis . Kletnieks (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? halfdog (Oct 04)
- Re: Apache 2.2.17 exploit? halfdog (Oct 04)
- Re: Apache 2.2.17 exploit? Andrew Farmer (Oct 04)
- Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? Laurelai (Oct 03)