None of the stuff below matters because my original exploit sucked, but I managed to convert it to a Metasploit module and automate the SID gathering process: http://www.exploit-db.com/exploits/18420/
Jan 15, 2012:
Here are the notes and assumptions for the Sysax bug I found:
- HTTP has to be enabled as a connection protocol which is not a default setting. This essentially turns the FTP server into a web based file transfer service.
- This exploit requires authentication.
- The authenticated user needs to have "create" permission for folders enabled, which is also not a default setting.
- This exploit requires a "SID" parameter. This can be found by logging into the web app and clicking on the "create folder" link. The SID is in your address bar. It's 40 bytes long between the = and &. I could not figure out how this was generated by the system so this is a manual process.
- Sysax Multi Server runs as LOCALSYSTEM by default ;)
Bravo to the vendor for quickly addressing this issue 2 days after I reported it and posting a fix, version 5.52.
The vendor already removed the old version from their site. To get a copy of the vulnerable 5.50 version you can get it from here: http://www.mediafire.com/?ctj75imtvl1d353
For the exploit, go here: http://www.exploit-db.com/exploits/18382/