Topic: Apache chunked encoding exploitation
phate867
Joined: 10 Apr 2013 Posts: 5 Location: IT
Posted: Thu 11 Apr '13 23:12 Post subject: Apache chunked encoding exploitation
Hello, for study purposes I need to exploit an old Apache 1.3.9 version using this vulnerability.
I managed to do so with a binary version for Windows XP; however, I need to exploit a version compiled by me, as I'll add some diagnostic instructions to the Apache code.
I successfully managed to compile the 1.3.9 code using VC++ 6; however, the compiled version is not exploitable anymore!
I think there are some differences between the original compilation process and mine... I know it's a very difficult question, but does anyone know whether a particular configuration/compiler option was used to compile the 1.3.9 version, so that I can repeat it?
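For readers who want to see why the request from the first post corrupts memory at all: the Apache 1.3 chunked-encoding bug is a signed/unsigned mismatch in how the chunk size is handled. The size is parsed into a signed long (32 bits on the Windows builds discussed here) and compared signed against the buffer size, so a chunk size with the top bit set reads as a negative number, passes the "too big" check, and turns into an enormous size_t only when it reaches memcpy. The model below is an added example, not Apache's source or the poster's code: the buffer size CLIENT_BUFSIZ, the function names and the sample chunk lines are all constructed for illustration, and no copy is actually performed, so it is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CLIENT_BUFSIZ 8192   /* assumed size of the server's read buffer */

/* Parse the hex chunk-size at the start of a chunk header line
 * ("1a\r\n" or "FFFFFFF0;ext=1\r\n") as an unsigned 32-bit value, the width
 * a long has on 32-bit Windows. Returns 0 on success, -1 if no hex digits. */
int parse_chunk_size(const char *line, uint32_t *out)
{
    char *end = NULL;
    unsigned long v = strtoul(line, &end, 16);
    if (end == line)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Vulnerable pattern (simplified model of the 1.3 bug): the size is held in
 * a signed 32-bit value and compared signed against the buffer size, so
 * 0xFFFFFFF0 (-16) passes the check and only becomes a huge size_t when it is
 * handed to memcpy. Returns 0 if the chunk would be accepted (to_copy set to
 * the length memcpy would receive), -1 if rejected. */
int vulnerable_check(uint32_t raw, int32_t bufsiz, size_t *to_copy)
{
    int32_t len_to_read = (int32_t)raw;     /* 0xFFFFFFF0 wraps to -16 */
    if (len_to_read > bufsiz)
        return -1;
    *to_copy = (size_t)len_to_read;         /* -16 -> SIZE_MAX - 15 */
    return 0;
}

/* Hardened pattern: keep the size unsigned end to end and compare unsigned. */
int hardened_check(uint32_t raw, int32_t bufsiz, size_t *to_copy)
{
    if (bufsiz < 0 || raw > (uint32_t)bufsiz)
        return -1;
    *to_copy = raw;
    return 0;
}

/* 1 if the chunk line gets past the vulnerable check while asking for more
 * bytes than the buffer holds (i.e. memcpy would overflow), 0 otherwise. */
int chunk_line_overflows(const char *line)
{
    uint32_t raw;
    size_t n;
    if (parse_chunk_size(line, &raw) != 0)
        return 0;
    if (vulnerable_check(raw, CLIENT_BUFSIZ, &n) != 0)
        return 0;
    return n > (size_t)CLIENT_BUFSIZ;
}

int main(void)
{
    /* Constructed chunk headers: a benign 26-byte chunk and a malicious one. */
    const char *lines[] = { "1a\r\n", "FFFFFFF0\r\n" };
    for (size_t i = 0; i < 2; i++) {
        uint32_t raw;
        size_t n;
        parse_chunk_size(lines[i], &raw);
        printf("chunk size 0x%08x: vulnerable check %s, hardened check %s\n",
               (unsigned)raw,
               chunk_line_overflows(lines[i]) ? "passes (overflow)" : "ok",
               hardened_check(raw, CLIENT_BUFSIZ, &n) == 0 ? "accepts" : "rejects");
    }
    return 0;
}
```

The point of keeping the parse as uint32_t rather than the host's long is that on a 64-bit build the same "FFFFFFF0" would be a positive 4 GB value and simply fail the size check; the model deliberately reproduces the 32-bit width under which the original Windows binaries were built.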
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 12 Apr '13 0:06
I don't know exactly which one you are talking about; however, one that I read (Apache-Slasher.c) states two things: mod_include gets involved, as does kernel32.dll.
Quote:
 * You would expect the resulting SEH sequence to terminate the application,
 * but it does not. While Apache itself does not establish SEH frames, the
 * kernel32.dll library *does* for every thread when it is created. The
 * irritating application error dialog boxes are actually triggered from
 * inside this SEH frame. The corruption of this frame causes execution to
 * jump to an attacker-supplied payload -- the shellcode.
kernel32.dll could have been changed in your OS so that it traps this and doesn't allow the operation to continue. What I am looking at is Dec. 2003, so XP was a bit over a year old?
You may have to try on an older/less patched version of Windows to exploit it.
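The SEH mechanism quoted above is why Windows exploits for this class of bug need a return address that lands back in attacker data: the overwritten handler pointer is usually aimed at a "pop r32; pop r32; ret" sequence inside a loaded module, which returns into the bytes the attacker placed next to the handler. The scanner below is an added example of that gadget search, not the exploit discussed in the thread and not the assembly-listing inspection the original poster used; the module bytes, the load address SAMPLE_BASE and the bad-byte set are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a module's code bytes, with an assumed load
 * address; not a real kernel32.dll image. Contains, in order: three NOPs,
 * pop ebx/pop ebp/ret, pop esp/pop eax/ret (skipped because of pop esp),
 * a NOP, and pop esi/pop edi/ret 4. */
#define SAMPLE_BASE 0x7C801200u
const uint8_t sample_module[] = {
    0x90, 0x90, 0x90,
    0x5B, 0x5D, 0xC3,
    0x5C, 0x58, 0xC3,
    0x90,
    0x5E, 0x5F, 0xC2, 0x04, 0x00
};

/* x86 single-byte opcodes: pop r32 = 0x58..0x5F (0x5C is pop esp, which
 * would wreck the stack, so it is excluded), ret = 0xC3, ret imm16 = 0xC2. */
static int is_pop(uint8_t b) { return b >= 0x58 && b <= 0x5F && b != 0x5C; }
static int is_ret(uint8_t b) { return b == 0xC3 || b == 0xC2; }

/* Scan buf for pop/pop/ret sequences, writing up to max addresses
 * (base + offset) into out. Returns the total found, which may exceed max. */
size_t find_pop_pop_ret(const uint8_t *buf, size_t len, uint32_t base,
                        uint32_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i + 2 < len; i++) {
        if (is_pop(buf[i]) && is_pop(buf[i + 1]) && is_ret(buf[i + 2])) {
            if (found < max)
                out[found] = base + (uint32_t)i;
            found++;
        }
    }
    return found;
}

/* A candidate address is only usable if it survives the delivery channel;
 * here NUL, CR and LF are assumed to be the bad bytes for data carried in an
 * HTTP request. Returns 1 if addr contains none of them. */
int addr_is_clean(uint32_t addr)
{
    for (int shift = 0; shift < 32; shift += 8) {
        uint8_t b = (uint8_t)(addr >> shift);
        if (b == 0x00 || b == 0x0A || b == 0x0D)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t hits[8];
    size_t n = find_pop_pop_ret(sample_module, sizeof sample_module,
                                SAMPLE_BASE, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("pop/pop/ret at 0x%08x (%s)\n", (unsigned)hits[i],
               addr_is_clean(hits[i]) ? "clean" : "contains bad byte");
    return 0;
}
```

Against a real target the buffer would be a module's code section read from disk or memory and the base its actual load address; the patched-kernel32 question raised in the post is exactly why a gadget address taken from one Windows build cannot be assumed to hold on another.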
phate867
Joined: 10 Apr 2013 Posts: 5 Location: IT
Posted: Mon 15 Apr '13 0:17
Thanks for answering; anyway, I solved it by inspecting the assembly listing and finding an appropriate return address for the exploit.