Immunity, Inc.
Name: nginx_chunk
CVE: cve-2013-2028
Exploit Pack: CANVAS
Description: Nginx Chunked Encoding Exploit
Notes: CVE Name: cve-2013-2028
VENDOR: Nginx
Repeatability:
The repeatability of this exploit depends on the number of nginx worker processes (configured in conf/nginx.conf; the default is 4).
The exploit will take over one of the processes to spawn a shell. This means the worker process is unavailable to process requests while the shell is running.
The master process will not spawn a replacement worker until the shell exits. So, if you create a number of shells equal to the number of worker processes, the server will not respond to any requests until at least one process exits.

Notes:
*** This exploit will take several (up to 20) minutes to run. ***
The stack cookie/canary is dynamically determined, as well as function addresses.

This exploit will give you a Canvas UnixShellNode running under the nginx worker process account (typically nobody).
To get a full-featured Canvas Linux node, you should check to see if the target supports running 32-bit binaries.
The way to do it on some distros (including RedHat Linux) is:
service ia32el status (Piped Command)
If the return value is 0, then the IA-32 Execution Layer is installed and running. You can build a 32-bit Linux MOSDEF trojan, upload and execute it.


DevNotes:
Linux appears to be the only vulnerable platform; on BSD and Windows, recv() will return an error instead.
* BSD will generate a log entry like the following:
2013/05/13 09:46:35 [alert] 4124#0: *1 recv() failed (22: Invalid argument), client: 10.10.201.243, server: , request: "POST /none.hp HTTP/1.1", host: "10.10.201.201"
* MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740121(v=vs.85).aspx

Tested on:
Nginx 1.3.12 on Ubuntu 12.04 LTS (Precise)
Nginx 1.4.0 on Ubuntu 12.04 LTS (Precise)

This exploit will only work against Ubuntu 64bit targets.
This exploit depends on TCP packet fragmentation and will not work reliably when executed on non-Linux CANVAS hosts.


CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028
