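Note from Xigua (西瓜): In my tests, attacking Apache 2.2.11 on my XP SP3 host by following the steps in the demo video did not succeed. On checking, my machine does not have the smtpsend.dll file, and I don't know whether that is related. After switching to other DLL files it still did not succeed. I would appreciate advice from any experts who have tested this.
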
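IT security firm Sense of Security has discovered a serious vulnerability in Apache's HTTP web server that allows a remote attacker to gain complete control of a database. The vulnerability is in the mod_isapi module, which is part of the Apache core.

By exploiting the vulnerability, an attacker can remotely escalate system privileges and thereby threaten data security. Users of Apache 2.2.14 and earlier should upgrade to Apache 2.2.15 as soon as possible. However, the vulnerability only affects Apache web servers running on Windows. Sense of Security has published a proof-of-concept demonstration (video) of exploiting the vulnerability.
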
Details.

The Apache HTTP Server, commonly referred to as Apache, is a popular open source web server software. mod_isapi is a core module of the Apache package that implements the Internet Server extension API. The extension allows Apache to serve Internet Server extensions (ISAPI .dll modules) for Microsoft Windows based hosts.

By sending a specially crafted request followed by a reset packet it is possible to trigger a vulnerability in Apache mod_isapi that will unload the target ISAPI module from memory. However, function pointers still remain in memory and are called when published ISAPI functions are referenced. This results in a dangling pointer vulnerability. Successful exploitation results in the execution of arbitrary code with SYSTEM privileges.

Proof of Concept.

Proof of concept code is available for this vulnerability. The payload will write a text file (sos.txt) to the Apache working directory demonstrating that code execution is possible. The code can be downloaded from the following link: http://www.senseofsecurity.com.au/advisories/SOS-10-002-pwn-isapi.cpp

Furthermore, a video demonstrating the exploitation of this vulnerability using a bind shell has been created.

Solution.

Upgrade to the latest version of Apache HTTP Server (currently 2.2.15).

Discovered by.

Brett Gervasoni from Sense of Security Labs.
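
A defender-side check for the three conditions the advisory names (Apache older than 2.2.15, running on Windows, with mod_isapi enabled), added here as an example; it is not part of the advisory or of Sense of Security's code. The function names, the sample banner and the sample httpd.conf fragment are constructed, and the check assumes the platform tag in `httpd -v` output marks Windows builds as `Win32` or `Win64`.

```python
import re

FIXED = (2, 2, 15)  # fixed release named in the advisory above

# Active directives that load mod_isapi, map requests to it, or configure it.
# Commented-out lines never match because '#' precedes the directive name.
ISAPI_RE = re.compile(
    r"^\s*(LoadModule\s+isapi_module\b|AddHandler\s+isapi-handler\b|ISAPI\w+)",
    re.IGNORECASE)

def parse_banner(banner):
    """Return ((major, minor, patch), platform) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)(?:\s+\(([^)]*)\))?", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return tuple(int(x) for x in m.group(1, 2, 3)), (m.group(4) or "")

def isapi_directives(conf_text):
    """Return (line_number, text) for each active mod_isapi directive."""
    return [(n, line.strip())
            for n, line in enumerate(conf_text.splitlines(), 1)
            if ISAPI_RE.match(line)]

def assess(banner, conf_text):
    """Combine version, platform and config into one finding."""
    version, platform = parse_banner(banner)
    on_windows = platform.lower().startswith("win")
    hits = isapi_directives(conf_text)
    old = version < FIXED
    return {
        "version": version,
        "windows": on_windows,
        "isapi_lines": hits,
        "upgrade_needed": old and on_windows,        # advisory: upgrade to 2.2.15
        "exposed": old and on_windows and bool(hits),  # module is actually enabled
    }

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "Server version: Apache/2.2.11 (Win32)\n"
SAMPLE_CONF = """\
# constructed httpd.conf fragment
LoadModule dir_module modules/mod_dir.so
LoadModule isapi_module modules/mod_isapi.so
#AddHandler isapi-handler .isa
AddHandler isapi-handler .dll
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```

A host that reports `upgrade_needed` but not `exposed` is still running an affected release; it only lacks an active mod_isapi directive in the file that was scanned, so included config files need the same scan.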

http://www.naughter.com/smtpsend.html
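The demonstration of this exploit explains it. The DLL in the arguments refers to a DLL module loaded by Apache.
The format is: DLL name?function name
You can download the smtpsend.dll used in his example.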