CVE-2012-6530
Published 2013-01-31
Priority P3 (57), high. CVSS 2.0 score 7.1, vector AV:N/AC:H/Au:S/C:C/I:C/A:C
EXPLOIT · EPSS 46.07% (98.7th percentile)
Stack-based buffer overflow in Sysax Multi Server before 5.52, when HTTP is enabled, allows remote authenticated users with the create folder permission to execute arbitrary code via a crafted request.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysax | multi_server | <= 5.50 | — |
| sysax | multi_server | — | — |
| sysax | multi_server | — | — |
Detection & IOCs (extracted from sources)
bytes: \xda\xdc\xd9\x74\x24\xf4\x5f\x2b\xc9\xb8\xb7\x6e\xc5\xe9\xb1\x56
Detections:
- Detect HTTP POST to the /scgi endpoint with pid=mk_folder2_name1.htm, which is the trigger path for the create-folder buffer overflow.
- Detect HTTP POST to /scgi?sid=0&pid=dologin, used by the exploit to harvest a SID token prior to exploitation.
- Detect multipart/form-data POST to /scgi with form field 'e2' containing an oversized value (>648 bytes), indicative of buffer overflow payload delivery.
- Successful exploitation results in SYSTEM/LOCALSYSTEM access; monitor for the Sysax server process spawning cmd.exe or a bind shell on port 4444.
- The exploit requires a valid 40-byte SID token in the URL query string; alert on /scgi requests where the sid parameter is exactly 40 alphanumeric characters followed by exploit-specific pid values.
- The exploit posts a base64-encoded credential blob with a 0x0a (newline) delimiter between username and password to the login endpoint; detect anomalous base64 POST bodies to /scgi?pid=dologin.
Notes:
- The vulnerability is only exploitable when the HTTP option is enabled on Sysax Multi Server; deployments with HTTP disabled are not affected.
- Exploitation requires authenticated credentials with the 'create folder' permission; unauthenticated or unprivileged accounts cannot trigger the overflow.
- The ROP/return addresses used in the exploit are specific to Windows XP SP3 and Windows Server 2003 SP1/SP2 without DEP; the exploit does not include a DEP bypass.
- The bad characters for payload encoding are \x00 and \x2F (null byte and forward slash); payloads containing these bytes will be corrupted.
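The request-level indicators above, turned into detection logic and run over constructed HTTP requests. This is an added example, not code from the page or from any of the referenced exploits; the /scgi path, the pid values, the 40-character alphanumeric SID shape and the 648-byte 'e2' threshold come from the list, while the function names, the indicator labels and the sample requests are assumptions made here.

```python
import re
from urllib.parse import urlsplit, parse_qs
SID_RE = re.compile(r"^[A-Za-z0-9]{40}$")  # SID token shape from the IOC list
E2_MAX = 648                                # 'e2' size threshold from the IOC list
TRIGGER_PID = "mk_folder2_name1.htm"        # create-folder trigger page

def e2_field_length(content_type, body):
    """Byte length of multipart form field 'e2' (0 if absent or not multipart)."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not content_type.startswith("multipart/form-data") or not m:
        return 0
    for part in body.split(b"--" + m.group(1).encode()):
        head, _, data = part.partition(b"\r\n\r\n")
        if b'name="e2"' in head:
            return len(data.rstrip(b"\r\n-"))
    return 0

def classify(method, target, content_type, body):
    """Return the names of the CVE-2012-6530 indicators one request matches."""
    hits = []
    url = urlsplit(target)
    if method != "POST" or url.path != "/scgi":
        return hits
    q = parse_qs(url.query)
    sid, pid = q.get("sid", [""])[0], q.get("pid", [""])[0]
    if pid == "dologin" and sid == "0":
        hits.append("sid-harvest-login")        # token fetched before the overflow
    if pid == TRIGGER_PID:
        hits.append("create-folder-trigger")
        if SID_RE.match(sid):
            hits.append("40-char-sid-with-exploit-pid")
    if e2_field_length(content_type, body) > E2_MAX:
        hits.append("oversized-e2-field")       # overflow payload travels in 'e2'
    return hits

def multipart_e2(value):
    """Constructed multipart body carrying a single 'e2' field (hypothetical helper)."""
    return (b'------bnd\r\nContent-Disposition: form-data; name="e2"\r\n\r\n'
            + value + b"\r\n------bnd--\r\n")

MP = "multipart/form-data; boundary=----bnd"
SAMPLES = [  # constructed requests, not captured traffic
    ("POST", "/scgi?sid=0&pid=dologin", "application/x-www-form-urlencoded", b"dXNlcgpwYXNz"),
    ("POST", "/scgi?sid=" + "a" * 40 + "&pid=" + TRIGGER_PID, MP, multipart_e2(b"A" * 700)),
    ("POST", "/scgi?sid=" + "a" * 40 + "&pid=" + TRIGGER_PID, MP, multipart_e2(b"docs")),
    ("GET", "/scgi?sid=" + "a" * 40 + "&pid=index.htm", "", b""),
]
def scan(samples=SAMPLES):
    return [classify(*s) for s in samples]  # one list of indicator names per request
```

A legitimate create-folder request also hits the trigger-path rule (third sample), so that indicator is best correlated with the oversized 'e2' field or the sid=0 login harvest rather than alerted on alone.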
No detection rules found.
Exploit-DB · 2012-01-26: Sysax Multi Server 5.50 - Create Folder Remote Code Execution Buffer Overflow (Metasploit) (CVE-2012-6530)
---
##########################################################################################################
#Title: Sysax Multi Server 5.50 Create Folder Remote Code Exec BoF (MSF Module)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit(No DEP)
#Notes: My original exploit => http://www.exploit-db.com/exploits/18382/
#did not automate the SID gathering process, but this one does. Thanks to todb for the pointers.
##########################################################################################################
require 'msf/core'
require 'base64'
class Metasploit3 'Sysax Multi Server 5.50 Create Folder BoF',
'Description' => %q{
This module exploits a sta
Exploit-DB · 2012-01-18: Sysax Multi Server 5.50 - Create Folder Buffer Overflow (CVE-2012-6530)
---
#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server 5.50 Create Folder BOF
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit(No DEP)
#Date Discovered: January 13, 2012
#Vendor Contacted: January 15, 2012
#Vendor Response: January 16, 2012
#Vendor Fix: Version 5.52 released on January 17, 2012 fixes issue
#Additional exploit details, notes and assumptions can be found here:
#http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html
##########################################################################################################
import socket,sys
if len(sys.argv) != 5:
print "[+] U
Metasploit: Sysax Multi Server 5.64 Create Folder Buffer Overflow
This module exploits a stack buffer overflow in the create folder function in Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the vulnerability valid credentials with the create folder permission must be provided. The HTTP option must be enabled on Sysax too. This module will log into the server, get a SID token, find the root folder, and then proceed to exploit the server. Successful exploits result in SYSTEM access. This exploit works on XP SP3, and Server 2003 SP1-SP2.
No writeups or analysis indexed.
References
http://www.exploit-db.com/exploits/18382
http://www.exploit-db.com/exploits/18420
http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html
http://www.securityfocus.com/bid/51548