Re: Follow up:Apache Nosejob

["Darroch" <darroch.royden () blueyonder co uk>]

Jeremy,

from;
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:02.apach
e.asc

...
II.  Problem Description

     Versions of the apache http daemon before release 1.05 do
     not properly restrict shell meta-characters transmitted to
     the daemon via form input (via GET or POST).
...

try using POST instead of GET.

regards,


----- Original Message -----
From: "Jeremy Junginger" <jjunginger () interactcommerce com>
To: <pen-test () securityfocus com>; <vuln-dev () securityfocus com>
Sent: Thursday, August 22, 2002 6:15 PM
Subject: Follow up:Apache Nosejob


After perfiorming some research, I noticed that the apache worm that is
plaguing FreeBSD machines uses the following settings (please correct me
if I'm wrong):

FreeBSD 4.5 x86 / Apache/1.3.20 (Unix):
D=-146,
B= 0xbfbfde00,
R= 6
Z= 36

FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
D=-134
B= 0xbfbfdb00
R= 3
Z=36

After seeing this, I think I have a patched version of Apache installed,
as the second exploit, which should work, does not.  If any of you have
an older, vulnerable version of apache or know where I can find one, let
me know.  Anyways, thanks for the help.

-Jeremy

***************************
ORIGINAL MESSAGE:
***************************

Good Morning,

I've got a lab set up with the following host:

FreeBSD 4.5
Apache 1.3.23 (downloaded from
http://packetstormsecurity.org/UNIX/admin/apache_1.3.23.tar.gz )

And am running the apache-nosejob script against it in order to
understand the chunked encoding vulnerability:

http://packetstorm.decepticons.org/0206-exploits/apache-nosejob.c

When I ran ./apache-nosejob -o f -h x.x.x.x(address of host), the script
ran for over 12 hours with no successful penetration :).  I have also
tried the script with the -b 0x80a0000, -d -150, -z 36, -r 6 switches to
no avail.  Perhaps you could suggest some alternate r|d|z values for the
Brute Force settings?  Thanks,

-Jeremy