CVE-2017-6187
Published: 2017-02-22
CVE-2017-6187: Buffer overflow in the built-in web server in DiskSavvy Enterprise 9.4.18 allows remote attackers to execute arbitrary code via a long URI in a GET request.
Priority: P271 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Exploit-DB and Metasploit, see below)
EPSS: 33.05% (98.1st percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| disksavvy | disksavvy_enterprise | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x53 (x86 shellcode prologue: fnstenv-based GetPC, pop esi, then a 0x53-iteration loop counter, the usual opening of a shikata_ga_nai-encoded Metasploit payload)
- bytes: t00wt00w (the egghunter tag, see below)
- bytes: \x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0 (x86: mov bx,cs; cmp bl,0x23; jne +8; xor ebx,ebx; push ebx x4; mov bl,0xc0. The opening of the first WoW64 egghunter variant, which checks that it is running in the 32-bit code segment before issuing the syscall)
- bytes: \x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31 (x86: mov bx,cs; cmp bl,0x23; jne +16; xor edx,edx; or dx,0x0fff; the opening of the second, Windows 10 WoW64 egghunter variant)
- The exploit sends an oversized HTTP GET request with a URI of roughly 2487+ bytes ('A' padding) to the DiskSavvy Enterprise built-in web server on TCP port 80; alert on GET request URIs far longer than anything the legitimate web UI produces.
- The exploit uses a fixed SEH overwrite return address 0x10142e38 (pop edi / pop esi / ret gadget). On the wire and in memory the value appears little-endian as the byte sequence 38 2e 14 10 in the SEH handler slot, immediately after the nSEH record; look for it in request payloads or at the SEH chain offset in process memory.
- The exploit uses a WoW64 egghunter with the egg tag 't00wt00w' (hex 74 30 30 77 74 30 30 77); scanning process memory or the request payload for this tag identifies exploitation attempts.
- The exploit uses a short JMP-over SEH stub '\xeb\x08\x90\x90' (jmp short +8 followed by two NOPs) as the nSEH record; this 4-byte sequence directly before the overwritten handler address is a strong indicator of exploitation.
- The exploit sets Content-Length: 5900 in the HTTP headers while the GET URI itself carries the overflow payload; a Content-Length header on a GET request that has no body is anomalous and easy to flag.
- The Metasploit module targets DiskSavvy Enterprise v9.1.14 and v9.3.14 in addition to 9.4.18; detection should cover all three versions.
- The bind shell payload opens TCP port 4444 on the victim; monitor for unexpected listening services on port 4444 on Windows hosts running DiskSavvy Enterprise.
- The exploit targets 64-bit Windows using WoW64 egghunters; two distinct egghunter variants exist, one for Windows 7 SP1 x64 and one for Windows 10 x64. The Windows 10 variant supports only the x86_64 platform.
- The Metasploit module was tested on Windows XP SP3 and Windows 7 SP1, while the EDB PoC was tested on Windows 7 Pro SP1 x64 and Windows 10 Pro x64; coverage may differ across OS versions.
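The request-level checks in the list above, turned into a small detector as an added example (this is neither the Exploit-DB PoC nor the Metasploit module). It parses a raw HTTP request and flags an oversized URI, a long same-byte padding run, a Content-Length header on a bodiless GET, the nSEH stub, the little-endian SEH handler address and the egg tag. The two sample requests are constructed here; the 1024-byte URI threshold and the 1000-byte padding-run threshold are assumptions to tune per deployment, while the byte values are the ones the IOC list reports.

```python
"""Flag the request markers the IOC list above describes.

Added example for this page; it is neither the Exploit-DB PoC nor the
Metasploit module.  The sample requests are constructed here so the
checks run offline.  The URI-length and padding-run thresholds are
assumptions; the byte values come from the IOC list (nSEH stub
EB 08 90 90, SEH handler 0x10142e38, egg tag t00wt00w,
Content-Length: 5900 on a GET).
"""
import re
import struct

MAX_URI_LEN = 1024                      # assumed; legitimate DiskSavvy UI paths are far shorter
MIN_PADDING_RUN = 1000                  # assumed; catches runs such as 'A' * 2487
NSEH_STUB = b"\xeb\x08\x90\x90"         # jmp short +8; nop; nop
SEH_HANDLER = struct.pack("<I", 0x10142E38)  # pop/pop/ret gadget, little-endian on the wire
EGG_TAG = b"t00wt00w"
PADDING_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_PADDING_RUN - 1), re.DOTALL)


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def inspect_request(raw):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line"]
    method, uri, headers, body = parsed
    findings = []
    if len(uri) > MAX_URI_LEN:
        findings.append("oversized URI (%d bytes)" % len(uri))
    run = PADDING_RUN.search(uri)
    if run:
        findings.append("same-byte padding run of %d bytes in URI" % len(run.group(0)))
    if method == b"GET" and b"content-length" in headers and not body:
        length = headers[b"content-length"].decode("ascii", "replace")
        findings.append("Content-Length %s on a bodiless GET" % length)
    if NSEH_STUB in uri:
        findings.append("nSEH jmp-over stub EB 08 90 90 in URI")
    if SEH_HANDLER in uri:
        findings.append("SEH handler 0x10142e38 (as 38 2E 14 10) in URI")
    if EGG_TAG in raw:
        findings.append("egg tag t00wt00w present in request")
    return findings


def build_sample_overflow():
    """Constructed request mirroring the layout the IOC list describes (not the real PoC buffer)."""
    uri = (b"/" + b"A" * 2487 + NSEH_STUB + SEH_HANDLER
           + b"\x90" * 16 + EGG_TAG + b"\xcc" * 32)
    return (b"GET " + uri + b" HTTP/1.1\r\n"
            b"Host: 192.0.2.10\r\n"
            b"Content-Length: 5900\r\n"
            b"\r\n")


# Constructed benign request for comparison.
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("overflow", build_sample_overflow())):
        print(label, inspect_request(req) or "clean")
```

The individual checks are weak on their own (a long URI or a Content-Length on a GET can occur in odd but legitimate clients); the nSEH stub, the handler address and the egg tag are the high-confidence markers, and several findings on one request should be treated as an exploitation attempt rather than noise.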
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB · 2017-02-22 · Disk Savvy Enterprise 9.4.18 - Remote Buffer Overflow (SEH)
---
# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters
# Date: 2017-02-22
# Exploit Author: Peter Baris
# Vendor Homepage: www.saptech-erp.com.au
# Software Link: http://www.disksavvy.com/downloads.html
# Version: 9.4.18
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
# If you require a WoW64 egghunter for addi
Metasploit · DiskSavvy Enterprise GET Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
No writeups or analysis indexed.
Published: 2017-02-22