Re: Follow up:Apache Nosejob

From: Darroch (darroch.roydenat_private)
Date: Thu Aug 22 2002 - 12:52:17 PDT


    Jeremy,
    
    from;
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-96:02.apache.asc
    
    ...
    II.  Problem Description
    
         Versions of the apache http daemon before release 1.05 do
         not properly restrict shell meta-characters transmitted to
         the daemon via form input (via GET or POST).
    ...
    
    try using POST instead of GET.
    
    regards,
    
    
    ----- Original Message -----
    From: "Jeremy Junginger" <jjungingerat_private>
    To: <pen-testat_private>; <vuln-devat_private>
    Sent: Thursday, August 22, 2002 6:15 PM
    Subject: Follow up:Apache Nosejob
    
    
    After performing some research, I noticed that the apache worm that is
    plaguing FreeBSD machines uses the following settings (please correct me
    if I'm wrong):
    
    FreeBSD 4.5 x86 / Apache/1.3.20 (Unix):
    D = -146
    B = 0xbfbfde00
    R = 6
    Z = 36
    
    FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix):
    D = -134
    B = 0xbfbfdb00
    R = 3
    Z = 36
    
    After seeing this, I think I have a patched version of Apache installed,
    as the second exploit, which should work, does not.  If any of you have
    an older, vulnerable version of apache or know where I can find one, let
    me know.  Anyways, thanks for the help.
    
    -Jeremy
    
    ***************************
    ORIGINAL MESSAGE:
    ***************************
    
    Good Morning,
    
    I've got a lab set up with the following host:
    
    FreeBSD 4.5
    Apache 1.3.23 (downloaded from
    http://packetstormsecurity.org/UNIX/admin/apache_1.3.23.tar.gz )
    
    And am running the apache-nosejob script against it in order to
    understand the chunked encoding vulnerability:
    
    http://packetstorm.decepticons.org/0206-exploits/apache-nosejob.c
    
    When I ran ./apache-nosejob -o f -h x.x.x.x (address of host), the script
    ran for over 12 hours with no successful penetration :).  I have also
    tried the script with the -b 0x80a0000, -d -150, -z 36, -r 6 switches to
    no avail.  Perhaps you could suggest some alternate r|d|z values for the
    Brute Force settings?  Thanks,
    
    -Jeremy
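The thread above only names "the chunked encoding vulnerability" without describing it, so here is an added example (my own code, not Apache's source and not part of apache-nosejob) that models the bug class behind it: a hex chunk-size field parsed into a 32-bit signed integer, compared with signed arithmetic, and then handed to a size_t parameter, so that a field such as FFFFFFF0 turns into a huge copy length. The function names, MODEL_BUFSIZ, and the treatment of a 32-bit long as int32_t are assumptions for the model; the D/B/R/Z brute-force knobs discussed in the thread target the real process layout and are not modelled here.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed server-side read buffer size for the model (not Apache's value). */
#define MODEL_BUFSIZ 4096

/*
 * Vulnerable model of the bug class. The hex chunk-size field is stored in a
 * 32-bit signed value (standing in for a 32-bit "long" of the era) and the
 * bytes-to-read figure is chosen with a signed comparison. "FFFFFFF0" becomes
 * -16; (-16 > 4096) is false, so -16 survives the clamp and is then converted
 * to size_t on its way to the read routine, where it is an enormous length.
 */
size_t vulnerable_chunk_read_len(const char *size_field, size_t bufsiz)
{
    uint32_t raw = (uint32_t)strtoul(size_field, NULL, 16);
    int32_t remaining = (int32_t)raw;              /* wraps to negative for >= 0x80000000 */
    int32_t len_to_read = (remaining > (int32_t)bufsiz) ? (int32_t)bufsiz : remaining;
    return (size_t)len_to_read;                    /* negative -> huge unsigned length */
}

/*
 * Hardened model: the field must start with a hex digit (no sign, no
 * whitespace), must parse without overflow, may only be followed by a
 * chunk-extension or CRLF, and every length stays unsigned, so nothing
 * negative can ever reach a size_t parameter. Returns 0 and stores the
 * clamped read length in *out, or -1 for a malformed or oversized field.
 */
int hardened_chunk_read_len(const char *size_field, size_t bufsiz, size_t *out)
{
    char *end;
    unsigned long long v;

    if (!isxdigit((unsigned char)size_field[0]))
        return -1;                                 /* rejects "", "-10", " 10", "+10" */
    errno = 0;
    v = strtoull(size_field, &end, 16);
    if (errno == ERANGE)
        return -1;                                 /* more than 64 bits of chunk size */
    if (*end != '\0' && *end != ';' && *end != '\r')
        return -1;                                 /* junk after the size field */
    if (v > UINT32_MAX)
        return -1;                                 /* larger than any body we would accept */
    *out = (v > bufsiz) ? bufsiz : (size_t)v;      /* clamp, still unsigned */
    return 0;
}

/* Convenience wrapper: returns the clamped length, or SIZE_MAX on rejection. */
size_t hardened_len_or_max(const char *size_field, size_t bufsiz)
{
    size_t n;
    return hardened_chunk_read_len(size_field, bufsiz, &n) == 0 ? n : SIZE_MAX;
}

int main(void)
{
    /* Constructed chunk-size fields, as they would appear before the CRLF. */
    const char *fields[] = { "100", "2000", "FFFFFFF0", "1A;ext=1", "-10", "zz" };
    size_t i;

    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        size_t v = vulnerable_chunk_read_len(fields[i], MODEL_BUFSIZ);
        size_t h = hardened_len_or_max(fields[i], MODEL_BUFSIZ);
        printf("%-10s vulnerable=%zu  hardened=%s\n", fields[i], v,
               h == SIZE_MAX ? "rejected" : "ok");
        if (h != SIZE_MAX)
            printf("%-10s hardened length=%zu\n", "", h);
    }
    return 0;
}
```

The vulnerable path shows why a 1.3.x-era server could be driven to read far more than its buffer from a single chunk: the defect is in the sign of the length, not in the hex parsing itself. The hardened path changes nothing about legitimate chunks (a 0x100-byte chunk still yields 256, and an 0x2000-byte chunk is clamped to the buffer) but makes the negative case unrepresentable.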
    
    This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 12:58:38 PDT