Bug #1000
windows/http/apache_modjk_overflow is not working for me
| Status: | Closed | Start date: | 03/02/2010 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | Joshua J. Drake | % Done: | 100% |
|
| Category: | modules - exploits | |||
| Target version: | Metasploit 3.4.1 | |||
| Resolution: | Release Note: |
Description
The windows/http/apache_modjk_overflow is not working for me.
Tested on:
Windows XP SP3
Apache 1.3.37 with mod_jk 1.2.20
Telnet to Apache shows mod_jk working:
Server: Apache/1.3.37 (Win32) mod_jk/1.2.20
log files and manual tests also confirm mod_jk is working.
attaching a debugger to Apache shows that the exploit is crashing
mod_jk, but code execution is not achieved.
This is an initial bug report to let you know the exploit does not work out of the box for me,
I'm gonna take a look at it to understand why it is failing because esp contains shellcode and other things indicate it should work.
Associated revisions
modify badchars, minor cleanups, fixes #1000
git-svn-id: file:///home/svn/framework3/trunk@9647 4d416f70-5f16-0410-b530-b9f4589650da
see #1000, remove encoder in favor of auto-selection
git-svn-id: file:///home/svn/framework3/trunk@9648 4d416f70-5f16-0410-b530-b9f4589650da
History
Updated by Hernan Ochoa almost 2 years ago
after some debugging:
the seh frame seems to be well built. vulnerable code jumps to hard-coded pop/pop/ret but the encoded payload crashes in a xor [esi], esi because esi = ffffffff.
if I debug apache, let the seh frame do its thing, let the pop/pop/ret do its thing, and then I manually replace in memory the alphanum encoded payload with the raw/not encoded version of the payload, everything works as expected.
I did all testing with payloads windows/shell/bind_tcp and windows/shell_bind_tcp.
it seems to be a problem of the alpahum encoder.
Updated by Hernan Ochoa almost 2 years ago
I modified apache_modjk_overflow.rb to use my custom shellcode (not alphanum but without 00s etc) instead of the shelcode generated my metasploit and the exploit works great.
So, although I'm not familiar with the inner workings of the alphanum encoder, I think the problem is in the alphanum encoder.
Updated by Joshua J. Drake almost 2 years ago
Hernano reports that this exploit contains the shellcode he used:
http://downloads.securityfocus.com/vulnerabilities/exploits/22791-unohope.py
Updated by Joshua J. Drake almost 2 years ago
I reproduced the lack of working, but its not clear why. It does look like it may be the alpha encoder. Also, this exploit says to use the encoder "AlphanumUpper" but it actually ends up being mixed case... odd.
Updated by HD Moore almost 2 years ago
- Target version set to 18
Updated by HD Moore almost 2 years ago
- Target version changed from 18 to Metasploit 3.4.0
Updated by James Lee over 1 year ago
- Target version changed from Metasploit 3.4.0 to Metasploit 3.4.1
Updated by James Lee over 1 year ago
- Category set to modules - exploits
- Assignee set to Joshua J. Drake
Updated by Joshua J. Drake over 1 year ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Applied in changeset r9647.
Updated by Joshua J. Drake over 1 year ago
In my test (Apache 1.3.37 with mod_jk/1.2.20 for 1.3.37), the set of bad characters was different from what the module had.
I removed \x2b and \x3a. I added \x3b. Works for me now.. Not sure how it will work against various other versions.. Perhaps 2b and 3a are bad, but only in some installs.. Hernan?
Updated by James Lee over 1 year ago
- Status changed from Resolved to Closed