I haven’t been posting on this blog for a while. It doesn’t mean I’m not doing research – I’m just not a big fan of releasing anything and most of my work stays private. Anyway because Apache released new version of their Http Server one of my research was burned. New version of Apache fixes remote code execution vulnerability in default instalation! This vulnerability is quite old and have been exploited in the wild for last 5 years 🙂
This vulnerability is fixed and no longer be 0day I decided to publish exploit code for this bug. How is it work? Find below:
pi3-darkstar ~ # gcc Apache_0day.c -o Apache_0day pi3-darkstar ~ # ./Apache_0day -h ...::: -=[ Apache 2.2.xx 0day exploit (by Adam 'pi3' Zabrocki) ]=- :::... Usage: ./Apache_0day <options> Options: -v <victim> -p <port> -h this help screen pi3-darkstar ~ # ./Apache_0day -v xxx.gov ...::: -=[ Apache 2.2.xx 0day exploit (by Adam 'pi3' Zabrocki) ]=- :::... [+] Host alive? ... YES! [+] Connecting... DONE! [+] Checking server... VULNERABLE! [+] Calculating zones... DONE! [+] Let's play with APR allocator.................................................................................................... ................................................................................................................................................................ .................................................................................................... DONE! [+] Spawning childs................................................................................... DONE! [+] Addresses? ... YES! [+] @APR child 1... DONE! (0xffffffffbffffe01) [+] @APR child 2... DONE! (0xffffffffbceffe01) [+] Trying ret-into-system... [+] Connecting to bindshell... pi3 was here :-) Executing shell... uid=0(root) gid=0(root) grupy=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) Linux pi3-test 2.6.32.13-grsec #1 SMP Thu May 13 17:07:21 CEST 2010 i686 i686 i386 GNU/Linux # cat /etc/shadow|head -1 root:$6$vxdYpCQF$0qPMKMwxwVxLGNSZbOUYxK0n33C2lxCPdQq5n5rtr70dNkNPjEWCmjvKCZOKVP.cOM2PMc3JtOruts7F53/hp.:15104:0::::: # exit;!
Looks nice, isn’t it? 🙂 Now realize it was used in the wild for last 5 years… so better check your machine if no rootkits was installed 🙂
As I promised at the beginning of this post, here is the exploit code: Apache 0day.
Best regards,
Adam Zabrocki
Comments
Leave a Reply
Mario on 04.02.2012
xDDD
Someone on 04.02.2012
Surely if it’s been around for 5 years then it’s less of a 0day and more a 1825day?
gizmore on 04.02.2012
How to compile the code?
I tried perl, brainfuck and whitespace … no luck … any hints?
Thanks for this amusing post!
gizmore
admin on 04.02.2012
@someone:
Unfortunately even more because in the mean time we had 2 leap years ;(
N on 04.05.2012
Won’t compile 🙁
Первоапрельские шутки 2012 года (дополнено) : Записки начинающего линуксоида on 04.05.2012
[…] Опубликован эксплоит для 0-day уязвимости в Apache 2.2.x, позволяющий удалённо выполнить код на сервере; […]
ro1ri on 04.11.2012
Rofl !
And there you see the ones who try to compile it without reading it before xD
Nice one !
pentests on 08.17.2012
not download…
Skitter on 04.28.2015
Damn, you got me there 😛 But after a while I’ve actually managed to compiled it with the trollCompiler v 4.3.1. And it’s working ;d
Ermya on 04.12.2017
lol , where is the code ? http://site.pi3.com.pl/priv/apache_0day.c.txt
its jut for fun ?!!!!
pi3 on 04.18.2017
1st of April publication shouldn’t be taken too seriously ;p