
[solved]Problems with a windows xp apache 1.3.x pen test


phate867

Newbie

Posts: 9

Joined: Wed Feb 27, 2013 10:57 am

Post Thu Apr 11, 2013 9:19 am

[solved]Problems with a windows xp apache 1.3.x pen test

Hello,
for study purposes I have to break an old apache version, the 1.3.x.

I'm focusing on the chunked encoding vulnerability because it can allow me to execute arbitrary code and, using metasploit, I managed to hack an apache 1.3.9 version on windows xp sp2.

The problem is that I have to do this on a compiled version too. The Metasploit exploit seems to work only with the binaries; if I compile Apache 1.3.9 myself, the exploit does not seem to work.

Final objective is to inject some detection code into apache's source code, so just hacking the binary version is not enough...can you help me out?
It's really strange because compilation goes just fine; I did it from the command line using VC++ 6 with the command:
  Code:
nmake /f _apacher

as the guide suggests. Moreover, I checked the source code too and it contains the boundary condition which is used by the exploit.

edit:
By the way, I came to discover which piece of code was exploited by reading a comment in an exploit's source code found on the web. If you have some good reference on this chunked encoding exploit, feel free to direct me to it, as I'd like to understand it better (I already checked securityfocus.com and NIST, but they just mention the weakness; I'd like a deeper analysis).
Last edited by phate867 on Sun Apr 14, 2013 1:08 pm, edited 1 time in total.
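The Apache 1.3 chunked-encoding flaw discussed above is generally described as a signed chunk-length check that lets a wrapped (negative) size through. The following is an added example, not Apache's code and not the poster's: a naive chunk-size parser of that class next to a hardened one, plus a detection pass a server-side check could run over a request body; MAX_CHUNK_BYTES, naive_copy_len, safe_chunk_size, count_bad_chunk_sizes and the sample body are all assumed/constructed here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK_BYTES 65536UL   /* assumed per-chunk ceiling for the hardened parser */

/* Naive parser of the same class as the Apache 1.3 defect: the chunk size is held
 * in a signed 32-bit int, so a hex value >= 0x80000000 wraps negative, and the signed
 * "remaining > bufsiz ? bufsiz : remaining" clamp passes the negative value on to the
 * copy routine, where it becomes a huge size_t. Returns 0 if the line is not hex. */
static int naive_copy_len(const char *line, int32_t bufsiz, int32_t *len_out)
{
    char *end;
    int32_t remaining = (int32_t)strtoul(line, &end, 16); /* truncates to 32-bit signed */
    if (end == line) return 0;
    *len_out = (remaining > bufsiz) ? bufsiz : remaining;  /* never rejects a value < 0 */
    return 1;
}

/* Hardened parser: unsigned value, strict terminator, explicit ceiling.
 * Returns 1 and the size, or 0 for a malformed or oversized chunk-size line. */
static int safe_chunk_size(const char *line, unsigned long *size_out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(line, &end, 16);
    if (end == line || errno == ERANGE) return 0;
    if (*end != '\r' && *end != ';') return 0;   /* only CRLF or a chunk-extension may follow */
    if (v > MAX_CHUNK_BYTES) return 0;           /* do not trust the client's length */
    *size_out = v;
    return 1;
}

/* Detection pass: count chunk-size lines in a body that the hardened parser rejects
 * (the condition a server-side check would log). */
static int count_bad_chunk_sizes(const char *body)
{
    int bad = 0;
    const char *p = body, *nl;
    while (*p && (nl = strstr(p, "\r\n")) != NULL) {
        unsigned long sz;
        if (!safe_chunk_size(p, &sz)) { bad++; p = nl + 2; continue; }
        if (sz == 0 || sz > strlen(nl + 2)) break;  /* last-chunk, or body truncated */
        p = nl + 2 + sz;                            /* skip the chunk data */
        if (strncmp(p, "\r\n", 2) == 0) p += 2;
    }
    return bad;
}

/* Constructed sample: a benign chunk, a size that wraps negative in 32 bits, last-chunk. */
static const char SAMPLE_BODY[] = "5\r\nhello\r\nffffffff\r\n0\r\n\r\n";
```

With the sample body, naive_copy_len returns a negative length for the second chunk while safe_chunk_size rejects it, and count_bad_chunk_sizes reports exactly one bad line.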

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 11, 2013 2:03 pm

Re: Problems with a windows xp apache 1.3.x pen test

Is the chunked encoding feature a core component of Apache, or is it something optional that may need to be added via a configure script before you run make?

Does Visual C++ 6 include any compiler security checks by default? I know /GS is default now, but I don't think it was way back then.

You might want to try and learn how they compiled the versions you're able to exploit and see if there are any differences in configuration or compiler options.
The day you stop learning is the day you start becoming obsolete.

phate867

Newbie

Posts: 9

Joined: Wed Feb 27, 2013 10:57 am

Post Thu Apr 11, 2013 4:06 pm

Re: Problems with a windows xp apache 1.3.x pen test

The problem is that I don't know where to search for information about how Apache was compiled. I'm sure that the flaw is in the core, so my configure should be correct.

Visual C++ 6 is another problem: as it was discontinued, it's not easy to find information anymore. For now I'll try searching the net and Microsoft forums; thanks for this advice.

phate867

Newbie

Posts: 9

Joined: Wed Feb 27, 2013 10:57 am

Post Sat Apr 13, 2013 9:36 am

Re: Problems with a windows xp apache 1.3.x pen test

I found this mailing list post about the exploit module I am using:

http://seclists.org/metasploit/2005/q1/85

the part:
If this fails, there is a chance
that this is a custom build of Apache and that you will need to use an
operating system specific return address instead.

seems to be my case. I don't know how to find this OS-specific return address though. Can I have some hint, any good advice on how to set the return address correctly?
I'm attaching the module; it's really quite simple and already configured for changing return addresses.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Apr 13, 2013 12:35 pm

Re: Problems with a windows xp apache 1.3.x pen test

# All return addresses are pop/pop/ret's...


So, this is an SEH-based exploit.

Start with these for an understanding of exploitation basics:
http://www.thegreycorner.com/2010/01/be ... rflow.html
https://www.corelan.be/index.php/2009/0 ... overflows/
https://www.corelan.be/index.php/2009/0 ... al-part-2/

Then learn about SEH-based exploitation:
http://www.thegreycorner.com/2010/01/se ... rflow.html
https://www.corelan.be/index.php/2009/0 ... art-3-seh/
https://www.corelan.be/index.php/2009/0 ... e-part-3b/

You essentially just need to find an address that points to a pop, pop, return instruction chain. Easier said than done if you've never done this before though :)
The day you stop learning is the day you start becoming obsolete.

phate867

Newbie

Posts: 9

Joined: Wed Feb 27, 2013 10:57 am

Post Sun Apr 14, 2013 1:08 pm

Re: Problems with a windows xp apache 1.3.x pen test

Thank you, I solved it! :D
In order to find the right address I used the msfpescan utility, then I just added my own build to the already existing exploit module and it worked :)
Thanks for the links too; the last 3 in particular are very interesting.
Last edited by phate867 on Sun Apr 14, 2013 1:12 pm, edited 1 time in total.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Apr 14, 2013 4:31 pm

Re: [solved]Problems with a windows xp apache 1.3.x pen test

Awesome, nice work!
The day you stop learning is the day you start becoming obsolete.
