by afman on Fri Aug 05, 2011 6:50 am
([msg=60578]see Re: Old Apache (<2.2.15)/PHP(5.2.14) vulnerabilities.[/msg])
I haven't taken a look at that particular version myself but I can tell you that if you have just autoscanned for vulnerabilities the server may or may not actually be vulnerable. The following might help you understand why:
1.) I'm making the assumption that you have scanned for some vulnerabilities using a tool such as Nessus, Armitage, or Metasploit. Those checks are based on pattern recognition. Frequently patterns may appear that would tell you that a service is vulnerable when it really isn't. For example, the famous RPC DCOM exploit. If you scan Windows Server 2003 SP2, Armitage will tell you that it is vulnerable. In fact, it is not, because SP2 includes a patch that puts bounds checking on the buffer that was exploited in RPC.
2.) Sometimes the addresses just don't line up. Exploits invariably must have some hardcoded addresses in them. To gain control of a computer you must jump to just the right addresses; the eventual goal is to get the EIP (next instruction pointer) to execute malicious code. However, sometimes code has to be relocated by the operating system, sometimes a NOP sled might be missed, or maybe the stars, suns, and moons just didn't line up.
There's a huge amount going on under the hood that takes a great deal of time to understand. In some circumstances, restarting the computer I was targeting resulted in the exploit working. You never know what finicky thing might happen that moves one byte to where it wasn't originally, causing the exploit to fail.
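An added illustration of point 1 above (not afman's code, and not from any scanner): a banner-based check like the one a scanner runs against the Apache version in the thread title, showing how a build that backports the fix but keeps its old version string comes out as a false positive. The banners, the 2.2.15 threshold and the "backported" flag are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample Server headers; distro builds often keep an old
# version string while carrying backported security fixes.
SAMPLE_BANNERS = {
    "stock":      "Apache/2.2.14 (Unix)",
    "backported": "Apache/2.2.3 (CentOS)",
    "current":    "Apache/2.2.15 (Unix)",
}

# Fix threshold taken from the thread title; no specific CVE is given there.
FIXED_IN = (2, 2, 15)


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Pull a numeric (major, minor, patch) tuple out of an Apache banner."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def banner_says_vulnerable(banner: str, fixed_in=FIXED_IN) -> Optional[bool]:
    """What a pattern-matching scanner concludes from the banner alone.

    Tuples compare numerically, so 2.2.9 < 2.2.15 is handled correctly,
    unlike a naive string comparison ("2.2.9" > "2.2.15" as text).
    Returns None when no version is visible (banner hidden or unparsable).
    """
    v = parse_version(banner)
    if v is None:
        return None
    return v < fixed_in


def triage(banner: str, backported: bool) -> dict:
    """Compare the scanner verdict with the real state of the host.

    `backported` stands in for what a scanner cannot see from the banner:
    whether the vendor patched the bug without bumping the version.
    """
    verdict = banner_says_vulnerable(banner)
    actual = bool(verdict) and not backported
    return {
        "banner": banner,
        "scanner_flags": verdict,
        "actually_vulnerable": actual,
        "false_positive": bool(verdict) and not actual,
    }
```

Verifying a finding therefore means checking the installed package's changelog or the vendor's backport notes, not just re-reading the banner.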