Added Disk Pulse Enterprise Login Buffer Overflow #7502
Conversation
Just out of curiosity, what's wrong with generate_egghunter? Is it broken?
Not exactly sure. If I use that, then my exploit never works, shellcode is
On Oct 28, 2016 12:54 AM, "sinn3r" notifications@github.com wrote:
I've had problems with generate_egghunter in the past as well and had to write my own routines. Only thing I'd change would be either including the source for each stub in comments, or assembling them with Metasm doing something like:
It becomes a problem if somewhere down the line either our customers or we try to debug some issue with it, even if it's a simple egghunter. I know there's a lot of old code in framework that includes mystery binary blobs, but there has never been a better time to learn from bad decisions.
@wwebb-r7 I took your suggestion and with a little bit of modification added the following code:
But after reloading and trying to exploit, I get a message that
@Chiggins it wouldn't surprise me to find out that it doesn't support it. I'll take a look myself when I get a chance.
Works. Aside from the spaces at EOL that are causing the build to fail, and the code-in-comments issue we discussed, it's ready to land.
Got those all cleaned up and building. Let me know what else I could do.
Thanks. Merged.
Release Notes
This update adds an exploit module for a stack-based buffer overflow vulnerability in Disk Pulse Enterprise 9.0.34 which grants SYSTEM privileges to the user.
Adding a buffer overflow exploit for Disk Pulse Enterprise 9.0.34 for Microsoft Windows. This module ports a PoC exploit which can be found on the Exploit DB page.
At its current stage, this exploit is fully functional, though it has two imperfections:
generate_egghunter()
generate_seh_record()
I spent some time trying to get these to work, but I'm at wits' end trying to figure it out. After talking with @wvu-r7 on IRC, I figured that since the exploit works I'd go ahead and submit a PR.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/windows/http/disk_pulse_enterprise_bof
set payload windows/meterpreter/reverse_tcp
exploit