Exploiting the unexploitable
Recently i discovered a vulnerability in Apache mod_isapi that when exploited provides the attacker with SYSTEM privileges to the remote host, without authentication (provided the DLL you call doesn't require authentication - this would be rare and most likely only basic auth authetication would prevent the bug from being triggered). Below are some interesting notes about this bug.
Triggering the vulnerability:
- Send a normal request with the keep-alive flag set and a sized content-length value.
- Follow this request by a RESET packet.
Apache's processing:
The function: ap_get_client_block() fails, and "res" becomes less than 0.
1530: while (read < cid->ecb->cbAvailable &&
1531: ((res = ap_get_client_block(r, (char*)cid->ecb->lpbData + read,
1532: cid->ecb->cbAvailable - read)) > 0)) {
1533: read += res;
1534: }
The call to unload the DLL.
1536: if (res < 0) {
1537: isapi_unload(isa, 0); // <-- CALL TO UNLOAD
1538: return HTTP_INTERNAL_SERVER_ERROR;
1539: }
"yes, yes, so what?"
Now we have an "orphaned" callback pointer.
"a what?"
Exploiting the vulnerability:
Now we send another request to exploit the vulnerability. In this request we call a function published by the ISAPI module that has just been unloaded. Since the DLL is no longer in memory we will be calling invalid memory, unless we make that memory valid.
We make the memory valid by attempting to make Apache allocate user supplied data and the best way to do this that i could think of was to send a large request.
In the example proof of concept code, and demonstration video i was using an ISAPI module called "SMTPSend.dll". Nothing fancy just a simple ISAPI module.
After unloading the DLL and sending another packet i noticed it would crash when calling "0x0074xxxx". The proof of concept code will send a payload request that will hit above this address, from memory i think 0x007Axxxx. However with other versions of the code i was able to hit higher addresses again by increasing the size of the packet.
Disadvantages:
* Reliability just isn't there. Most of the time, each ISAPI module will be different.
* Apache would allocate large chunks of user supplied data followed by a pile of nulls, destroying a large nopsled, and it sucks to land in the middle of them.
* DEP owns this attack since we cannot directly control EIP.
The advantage of exploiting a bugs like this is that i was able to exploit the bug and take _control_.
Before developing an exploit for this bug it was said that this bug could not be exploited by a "hacker". 5 days later i had a working exploit.
Finally, well done to Apache for their prompt response and fix.
Update: The monday i brought the exploit code into work, the guy behind me (Tim) decided to film it, so check it out for a bit of a laugh:
http://www.bmgsec.com.au/downloads/apache-pwnage.m4v
comments (11)
Lol .. but seriously.. great exploit .. i have been trying to get my head around CVE-2010-0425 which is a tad different but pretty much exactly the same.. but failing
i tryed the same command as you
program.exe 127.0.0.1 SMTPSend.dll?Send.dll but it didnt work :/ any tips?
Yes i did mean to say mod_isapi not mod_usapi :)
thanks!
Try the code a few times. If you still cannot get it to work attach a debugger and check and see where its landing. If its not landing in the shellcode you might need to adjust the payload packet by altering string lengths etc.
Let me know how you go.
Before you run the exploit you need to setup an Apache server that is using an ISAPI module so that mod_isapi is used.
In the examples i created i used the ISAPI module SMTPSend.dll. This is just a random ISAPI module i found and used for testing.
Once you have this DLL installed and apache setup correctly you can then run the exploit.
hope that helps.
Does we need any change when do this test on Windows 7 ?
Ive done everything but nothing happen
Nope should be all good.
I have tried the SOS-10-002-pwn-isapi.c file but I cant find the sos.txt file would you mind sending me the .c file that you used in the demo clip ?
Thanks in advance....
I would however its privately owned by the company i work for and they will not release it due to the potential impact it could have in the wild.
Thanks.