Full Disclosure mailing list archives
Re: Apache 2.2.17 exploit?
From: halfdog <me () halfdog net>
Date: Tue, 04 Oct 2011 21:57:41 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Kai, Kai wrote:
Hi halfdog,Just for those, who want to build their own apache shell code for testing purposes, this snip might be of some use. It uses the still open tcp connections to the server to spawn the shells, so that no backconnect is needed. Of course, it does not give remote root but only httpd user privs. And you should send "exec 1>&0" as first command if you want to see remote shell stdout.wasn't that bug fixed a long ago? https://bugs.php.net/bug.php?id=38915 ---> https://issues.apache.org/bugzilla/show_bug.cgi?id=46425 sorry if i'm talking about different thing.
Thanks for the link. I have to look into it closer, perhaps my code is just working because I dup2 the fd to stdin before exec, which might get rid of the FD_CLOEXEC. At least in tests, where I injected code into mpm-worker on x86 (32bit) using gdb and other methods, it succeeded in giving me remote shell. hd - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFOi4EzxFmThv7tq+4RAvyTAJoD41tl+gapCGhgYbkuCZrdaSqpkgCfZ5Ew HXuO9fRUHd4bJWyTu0QaWi0= =2uWq -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Apache 2.2.17 exploit?, (continued)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? Darren Martyn (Oct 04)
- Re: Apache 2.2.17 exploit? halfdog (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? Kai (Oct 04)
- Re: Apache 2.2.17 exploit? Andrew Farmer (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? Valdis . Kletnieks (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? xD 0x41 (Oct 04)
- Re: Apache 2.2.17 exploit? halfdog (Oct 04)
- Re: Apache 2.2.17 exploit? halfdog (Oct 04)
- Re: Apache 2.2.17 exploit? Andrew Farmer (Oct 04)
- Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? GloW - XD (Oct 03)
- Re: Apache 2.2.17 exploit? Laurelai (Oct 03)