Apache Exploits
http://localhost/re/ldap://local/dn?attributes?scope?filter?extensions?ext
Apache Exploit Code
    static char *escape_absolute_uri(char *, unsigned int) {
        …
        if (!strncasecmp(uri, "ldap", 4)) {
            int c = 0;
            char *token[5];
            token[0] = cp = apr_pstrdup(p, cp);
            /* c < 5 still lets ++c reach 5, one past the last slot of token[5] */
            while (*cp && c < 5) {
                if (*cp == '?') {
                    token[++c] = cp + 1;
                    *cp = '\0';
                }
                ++cp;
            }
Disassembled Code
    loop:
        jge end_loop
        mov ecx, [ebp-18h]
        mov [ebp+ecx*4-14h], eax
        jmp loop
    end_loop:
        push offset buf_over! (00409a38)
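The token-splitting loop above, as an added example that is not code from the slides or from Apache: it runs the same loop with a bounds-checked store that discards an out-of-range write in the failure-oblivious style the patch slide names. The names split_ldap and dropped_writes, the TOKEN_SLOTS constant and the alternative bound of 4 are assumptions of this example.

```c
#include <stdio.h>

#define TOKEN_SLOTS 5 /* size of token[] in the excerpt */

/* Split buf at '?' like the excerpt's loop. `limit` is the loop bound
 * (5 reproduces the excerpt). A store past token[TOKEN_SLOTS-1] is
 * discarded and counted instead of being performed. */
static int split_ldap(char *buf, char *token[TOKEN_SLOTS], int limit, int *dropped)
{
    int c = 0;
    char *cp = buf;
    *dropped = 0;
    token[0] = cp;
    while (*cp && c < limit) {
        if (*cp == '?') {
            ++c;
            if (c < TOKEN_SLOTS)
                token[c] = cp + 1; /* in-bounds store */
            else
                ++*dropped;        /* excerpt would write token[5] here */
            *cp = '\0';
        }
        ++cp;
    }
    return c; /* highest index the loop tried to write */
}

/* Copy uri into a scratch buffer and report how many stores were discarded. */
static int dropped_writes(const char *uri, int limit)
{
    char buf[256];
    char *token[TOKEN_SLOTS];
    int dropped;
    snprintf(buf, sizeof buf, "%s", uri);
    split_ldap(buf, token, limit, &dropped);
    return dropped;
}

int main(void)
{
    /* URI from the slides (five '?') and a constructed one with four. */
    const char *five = "ldap://local/dn?attributes?scope?filter?extensions?ext";
    const char *four = "ldap://local/dn?attributes?scope?filter?extensions";
    printf("five '?', bound 5: %d dropped\n", dropped_writes(five, 5));
    printf("five '?', bound 4: %d dropped\n", dropped_writes(five, 4));
    printf("four '?', bound 5: %d dropped\n", dropped_writes(four, 5));
    return 0;
}
```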
Community Learning
[Diagram: Apache instances, Central Management System, Constraints]
Patch (Manual)
- application of failure oblivious computing
Apache Exploit After Patching
http://localhost/re/ldap://local/dn?attributes?scope?filter?extensions?ext
Summary
- Implemented preliminary binary variable learning (BVL)
- Applied BVL to Apache (exploit)
- Found valid constraints
- The (manual) patch can prevent the exploit