vendor:
Sysax Multi Server
by:
Paul Purcell
7.5
CVSS
HIGH
Remote Code Execution
CWE
Product Name: Sysax Multi Server
Affected Version From: 6.5
Affected Version To: 6.5
Patch Exists: YES
Related CWE:
CPE:
Platforms Tested: Windows XP SP3 English
2016
Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
This is a post authentication exploit that requires the HTTP file sharing service to be running on Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_ in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though the user will need to have permission to delete folders. If the user has file delete permissions, file_ will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can be modified to adapt to a users permissions.
Mitigation:
Update to the latest version (6.51) which contains the patch.