I haven’t been posting on this blog for a while. It doesn’t mean I’m not doing research; I’m just not a big fan of releasing anything, and most of my work stays private. Anyway, because Apache released a new version of their HTTP Server, one of my research projects was burned. The new version of Apache fixes a remote code execution vulnerability in the default installation! This vulnerability is quite old and has been exploited in the wild for the last 5 years 🙂

Since this vulnerability is fixed and is no longer a 0day, I decided to publish the exploit code for this bug. How does it work? See below:

pi3-darkstar ~ # gcc Apache_0day.c -o Apache_0day
pi3-darkstar ~ # ./Apache_0day -h

    ...::: -=[ Apache 2.2.xx 0day exploit  (by Adam 'pi3' Zabrocki) ]=- :::...

    Usage: ./Apache_0day <options>

        Options:
             -v <victim>
             -p <port>
             -h this help screen

pi3-darkstar ~ # ./Apache_0day -v xxx.gov

    ...::: -=[ Apache 2.2.xx 0day exploit  (by Adam 'pi3' Zabrocki) ]=- :::... 

            [+] Host alive? ... YES!
            [+] Connecting... DONE!
            [+] Checking server... VULNERABLE!
            [+] Calculating zones... DONE!
            [+] Let's play with APR allocator....................................................................................................
................................................................................................................................................................
.................................................................................................... DONE!
            [+] Spawning childs................................................................................... DONE!
            [+] Addresses? ... YES!
                    [+] @APR child 1... DONE! (0xffffffffbffffe01)
                    [+] @APR child 2... DONE! (0xffffffffbceffe01)
            [+] Trying ret-into-system...
            [+] Connecting to bindshell...

pi3 was here :-) Executing shell...
uid=0(root) gid=0(root) grupy=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) Linux pi3-test 2.6.32.13-grsec #1 SMP Thu May 13 17:07:21 CEST 2010 i686 i686 i386 GNU/Linux
# cat /etc/shadow|head -1
root:$6$vxdYpCQF$0qPMKMwxwVxLGNSZbOUYxK0n33C2lxCPdQq5n5rtr70dNkNPjEWCmjvKCZOKVP.cOM2PMc3JtOruts7F53/hp.:15104:0:::::
# exit;!

Looks nice, doesn’t it? 🙂 Now realize it was used in the wild for the last 5 years… so you had better check your machine for rootkits 🙂

As I promised at the beginning of this post, here is the exploit code: Apache 0day.


Best regards,

Adam Zabrocki

Comments

  1. Mario on 04.02.2012

    xDDD

  2. Someone on 04.02.2012

    Surely if it’s been around for 5 years then it’s less of a 0day and more a 1825day?

  3. gizmore on 04.02.2012

    How to compile the code?
    I tried perl, brainfuck and whitespace … no luck … any hints?

    Thanks for this amusing post!
    gizmore

  4. admin on 04.02.2012

    @someone:
    Unfortunately even more, because in the meantime we had 2 leap years ;(

  5. N on 04.05.2012

    Won’t compile 🙁

  6. Первоапрельские шутки 2012 года (дополнено) : Записки начинающего линуксоида on 04.05.2012

    […] An exploit has been published for a 0-day vulnerability in Apache 2.2.x that allows remote code execution on the server; […]

  7. ro1ri on 04.11.2012

    Rofl !

    And there you see the ones who try to compile it without reading it before xD
    Nice one !

  8. pentests on 08.17.2012

    not download…

  9. Skitter on 04.28.2015

    Damn, you got me there 😛 But after a while I’ve actually managed to compile it with the trollCompiler v 4.3.1. And it’s working ;d

  10. Ermya on 04.12.2017

    lol, where is the code? http://site.pi3.com.pl/priv/apache_0day.c.txt
    is it just for fun?!!!!

  11. pi3 on 04.18.2017

    1st of April publication shouldn’t be taken too seriously ;p
