[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Apache 2.2.17 exploit?
- To: Kai <kai@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Apache 2.2.17 exploit?
- From: halfdog <me@xxxxxxxxxxx>
- Date: Tue, 04 Oct 2011 22:13:35 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
halfdog wrote:
> Hello Kai, Kai wrote:
>> Hi halfdog,
>
>>> Just for those, who want to build their own apache shell code
>>> for testing purposes, this snip might be of some use. ...
>
>> wasn't that bug fixed a long ago?
>> https://bugs.php.net/bug.php?id=38915 --->
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=46425 sorry if
>> i'm talking about different thing.
>
> Thanks for the link. I have to look into it closer, perhaps my
> code is just working because I dup2 the fd to stdin before exec,
> which might get rid of the FD_CLOEXEC. At least in tests, where I
> injected code into mpm-worker on x86 (32bit) using gdb and other
> methods, it succeeded in giving me remote shell.
Yes, it's the the dup2 that does the trick:
man: dup, dup2 - duplicate a file descriptor
The two descriptors do not share file descriptor flags (the
close-on-exec flag). The close-on-exec flag (FD_CLOEXEC; see fcntl(2))
for the duplicate descriptor is off.
That is why, the tcp-sock fd stays alive after execv("/bin/sh", ...)
hd
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFOi4TuxFmThv7tq+4RAi5bAJ9P7/gQ4tF7LKhJ/+kAndcmUVOZZACfabNt
rBoepsZNTJ6Ygoob2jrPtYg=
=u+TM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/