CVE-2010-0425

Published: 05/03/2010 Updated: 06/06/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 up to and including 2.0.63, 2.2.0 up to and including 2.2.14, and 2.3.x prior to 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote malicious users to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."

Vulnerable Products

apache http_server 2.3.0

apache http_server 2.3.3

apache http_server 2.3.6

apache http_server 2.3.1

apache http_server 2.3.2

apache http_server 2.3.5

apache http_server 2.3.4

apache http_server 2.0.58

apache http_server 2.0.60

apache http_server 2.0.52

apache http_server 2.0.47

apache http_server 2.0.44

apache http_server 2.0.28

apache http_server 2.0.36

apache http_server 2.0.39

apache http_server 2.0.57

apache http_server 2.0.56

apache http_server 2.0.48

apache http_server 2.0.43

apache http_server 2.0.32

apache http_server 2.0.35

apache http_server 2.0.41

apache http_server 2.0.40

apache http_server 2.0.63

apache http_server 2.0.55

apache http_server 2.0.54

apache http_server 2.0.46

apache http_server 2.0.49

apache http_server 2.0.38

apache http_server 2.0.59

apache http_server 2.0.9

apache http_server 2.0.61

apache http_server 2.0.51

apache http_server 2.0.50

apache http_server 2.0.53

apache http_server 2.0.42

apache http_server 2.0.45

apache http_server 2.0.34

apache http_server 2.0.37

apache http_server 2.2.14

apache http_server 2.2.2

apache http_server 2.2.7

apache http_server 2.2.10

apache http_server 2.2.11

apache http_server -

apache http_server 2.2.6

apache http_server 2.2.0

apache http_server 2.2.1

apache http_server 2.2.3

apache http_server 2.2.4

apache http_server 2.2.12

apache http_server 2.2.13

apache http_server 2.2.8

apache http_server 2.2.9

Vendor Advisories

Director uses a version of Apache httpd that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to gain complete control over a Director installation ...

Exploits

Write-to-file Shellcode. This shellcode was used in the exploit for CVE-2010-0425. Supported: Windows 2000, WinXP, Server 2003, Server 2008, Vista, Windows 7. Size: 278 bytes ...

Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit (CVE-2010-0425). Advisory: www.senseofsecurity.com.au/advisories/SOS-10-002. Description: pwn-isapi.cpp exploits a dangling pointer vulnerability in Apache 2.2.14 mod_isapi. Du ...

Mailing Lists

Apache version 2.2.14 mod_isapi remote SYSTEM exploit. Due to the nature of the vulnerability, and exploitation method, DEP should be limited to essential Windows programs and services. At worst, if DEP is enabled for the Apache process, you could cause a constant DoS by looping this (since apache will automatically restart) ...

Metasploit Modules

Apache mod_isapi Dangling Pointer

This module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension for versions 2.2.14 and earlier. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.

msf > use auxiliary/dos/http/apache_mod_isapi
msf auxiliary(apache_mod_isapi) > show actions
    ...actions...
msf auxiliary(apache_mod_isapi) > set ACTION <action-name>
msf auxiliary(apache_mod_isapi) > show options
    ...show and set options...
msf auxiliary(apache_mod_isapi) > run

Github Repositories

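Download PDF e-books without asking anyone for help; this article is all you need → wwwchendianrongcom/pdf#711163085 Title: Information Security Technology Lecture Hall: Learning METASPLOIT 5 Penetration Testing from Practice. Author: 大学霸IT达人. Pages: 319. Price: ¥890. Publisher: China Machine Press. Publication date: 2018-05-01. ISBN: 9787111630852. Contents: Preface; Chapter 1 Environment Configuration; 1.1 Metasploit Overview; 1.2 Installation Requirements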

Network reconnaissance and vulnerability assessment tools.

ReconScan: The purpose of this project is to develop scripts that can be useful in the pentesting workflow, be it for VulnHub VMs, CTFs, hands-on certificates, or real-world targets. The project currently consists of two major components: a script invoking and aggregating the results of existing tools, and a second script for automated analysis of the aforementioned results from

This repository is used for learning

ReconScan: The purpose of this project is to develop scripts that can be useful in the pentesting workflow, be it for VulnHub VMs, CTFs, hands-on certificates, or real-world targets. The project currently consists of two major components: a script invoking and aggregating the results of existing tools, and a second script for automated analysis of the aforementioned results from

References

NVD-CWE-noinfo
http://svn.apache.org/viewvc?view=revision&revision=917870
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=917870&r2=917869&pathrev=917870
http://www.securityfocus.com/bid/38494
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/win32/mod_isapi.c?r1=917870&r2=917869&pathrev=917870
http://www.senseofsecurity.com.au/advisories/SOS-10-002
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.securitytracker.com/id?1023701
http://www.vupen.com/english/advisories/2010/0634
http://www-01.ibm.com/support/docview.wss?uid=swg1PM09447
http://www.kb.cert.org/vuls/id/280613
http://httpd.apache.org/security/vulnerabilities_20.html
http://secunia.com/advisories/38978
http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247
http://secunia.com/advisories/39628
http://www.vupen.com/english/advisories/2010/0994
http://lists.vmware.com/pipermail/security-announce/2010/000105.html
http://www.vmware.com/security/advisories/VMSA-2010-0014.html
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/56624
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8439
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
https://www.exploit-db.com/exploits/11650
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
https://nvd.nist.gov
https://packetstormsecurity.com/files/86964/Apache-2.2.14-mod_isapi-Remote-SYSTEM-Exploit.html
https://www.exploit-db.com/exploits/14288/
https://www.kb.cert.org/vuls/id/280613