Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Explo

2013-08-15 18:00
/*
 * Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit (CVE-2010-0425)
 * ------------------------------------------------------------------------------
 *
 * Advisory: http://www.senseofsecurity.com.au/advisories/SOS-10-002
 * Description:
 * pwn-isapi.cpp exploits a dangling pointer vulnerability in Apache 2.2.14 mod_isapi.
 * Due to the nature of the vulnerability, and exploitation method, DEP should be limited to essential
 * Windows programs and services. At worst, if DEP is enabled for the Apache process, you could cause
 * a constant DoS by looping this (since apache will automatically restart) :)
 *
 * Note that the exploit code may need to be run multiple times before a shell is spawned (70%
 * success rate - tested on three different systems). Furthermore, the exploit code may require
 * modification to exploit this vulnerability on different platforms. This is due to loaded memory
 * references to the unloaded DLL (they will be different for each ISAPI module). Do not test
 * this code in a VM, otherwise the code may fail to send the RESET packet (something to do with
 * VMware gracefully closing the connection, instead of sending a RESET packet) - I didn't want
 * to have to use raw packets on Windows.
 *
 * Shellcode Note:
 * The shellcode writes "pwn-isapi" to "sos.txt" which is created in the current working directory.
 * Most operating systems should be supported by this shellcode. I've used Skylined's method of finding
 * the base address of kernel32.dll for Windows 7 and modified it so that it will find the base
 * address of msvcrt.dll instead. I've also added another check so that it will be able to detect
 * "msvcrt.dll" on Windows Server 2003 (this OS loads msvcrt.dll in 5th position, and before this
 * DLL string is read, another DLL (RPCRT4.dll) length is verified which matches the length of
 * msvcrt.dll. So the added check will verify the presence of "m" before proceeding.
 *
 * Author:
 * Brett Gervasoni (brettg [at] senseofsecurity.com.au)
 *
 * Copyright Sense of Security Pty Ltd 2010.
 * http://www.senseofsecurity.com.au
 */

#include <iostream>
#include <windows.h>
#include <winsock.h>
#include <string>
#include <direct.h>

#pragma comment(lib, "wsock32.lib")

using namespace std;

#define SERVER_PORT 80

Code omitted......

Exploit references

Exploit : http://www.8090sec.com/Exploit/Apache_2.2.14_mod_isapi.cpp

Compiled build, tested and working~~ http://www.8090sec.com/Exploit/Apache_2.2.14_mod_isapi.exe


Video reference

http://www.8090sec.com/uploads/soft/SOS-10-002-apache-isapi.mp4

http://www.exploit-db.com/exploits/11650

http://www.senseofsecurity.com.au/advisories/SOS-10-002



Source: www.8090sec.com/zuixinloudong/111545.html
