Monday, February 27, 2012

Sysax Multi Server SSH Username Exploit

3/3/2012 - UPDATE :
Today @sinn3r ported this exploit to the Metasploit framework

4/30/2012 - UPDATE:
This issue has been fixed by Sysax. Please download version 5.60 or later from their site.

It's still raining Sysax exploits. This is the worst one yet: a pre-authentication, universal SEH overwrite.

It is pretty straightforward: send 10,000 bytes as the username, control SEH, and execute our egghunter to find our shellcode.

Nothing complicated with home path lengths or SID gathering either. The only small issue was with the shellcode: there were a number of bad chars, but that was solved by using the alpha/mixed encoder. I tested this exploit on 3 different versions of their software and they're all vulnerable (<= 5.53). It's likely this bug has been around for a long time.
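The root cause is an unbounded username copied into a fixed-size stack buffer before any authentication has happened, so the defensive fix is to parse and length-check the SSH_MSG_USERAUTH_REQUEST user name before it touches any buffer. The following is an added example (not Sysax code or the exploit from this post) that parses the RFC 4252 request layout with bounds-checked string reads and flags oversized names; the 256-byte cap and the sample packets are assumptions, and the check only applies where the plaintext payload is available, i.e. inside the server's own handler, since the message travels inside the encrypted transport.

```python
from __future__ import annotations
import struct

SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252 section 5 message number
MAX_USERNAME_LEN = 256           # assumed policy cap; the post's payload is 10,000 bytes


class SshParseError(ValueError):
    """Raised for malformed or truncated SSH strings."""


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes), bounds-checked."""
    if off + 4 > len(buf):
        raise SshParseError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:          # never trust the declared length
        raise SshParseError("string length exceeds packet payload")
    return buf[off:off + n], off + n


def parse_userauth_request(payload: bytes) -> dict:
    """Parse SSH_MSG_USERAUTH_REQUEST: byte type, string user, string service, string method."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise SshParseError("not a USERAUTH_REQUEST")
    user, off = _read_string(payload, 1)
    service, off = _read_string(payload, off)
    method, off = _read_string(payload, off)
    return {"user": user, "service": service, "method": method, "rest": payload[off:]}


def is_well_formed(payload: bytes) -> bool:
    """True if the payload parses cleanly; malformed input is rejected, not copied."""
    try:
        parse_userauth_request(payload)
        return True
    except SshParseError:
        return False


def username_is_oversized(payload: bytes, limit: int = MAX_USERNAME_LEN) -> bool:
    """Policy check to run before the user name reaches any fixed-size buffer."""
    return len(parse_userauth_request(payload)["user"]) > limit


def build_userauth_request(user: bytes, service: bytes = b"ssh-connection",
                           method: bytes = b"none") -> bytes:
    """Construct a sample request payload (test input only, not captured traffic)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return bytes([SSH_MSG_USERAUTH_REQUEST]) + s(user) + s(service) + s(method)


if __name__ == "__main__":
    benign = build_userauth_request(b"alice")
    oversized = build_userauth_request(b"A" * 10000)   # constructed: the length the post describes
    print(username_is_oversized(benign), username_is_oversized(oversized))  # False True
```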

The software is here:
(exploit-db is hosting the wrong version of the software)

The exploit is here:


Goodie said...

Every time I try to run it I get:
File "./", line 15
print "[+] Usage: ./filename <Target
IndentationError: expected an indented block

I'm using it like this:
./ ip port

Craig said...

For some reason, the script exploit-db put up for download has all the indents taken out. Look at the text on the actual exploit site and just make sure all the indents match what you see in your downloaded script.