3/3/2012 - UPDATE:
Today @sinn3r ported this exploit to the Metasploit framework.
4/30/2012 - UPDATE:
This issue has been fixed by Sysax. Please download version 5.60 or later from their site.
It's still raining Sysax exploits. This is the worst one yet - a pre-authentication universal SEH overwrite.
It is pretty straightforward. Send 10,000 bytes in a username, control SEH and execute our egghunter to find our shell.
Nothing complicated with home path lengths or SID gathering either. The only small issue was with the shellcode: there were a number of bad chars, but that was solved by using the alpha/mixed encoder. I tested this exploit on 3 different versions of their software and they're all vulnerable (<= 5.53). It's likely this bug has been around for a long time.
The software is here: http://www.mediafire.com/?d3nquu1j3n3u57v
(exploit-db is hosting the wrong version of the software)
The exploit is here: http://www.exploit-db.com/exploits/18535/