- Mastering Metasploit
- Nipun Jaswal
- 196 words
- 2021-06-25 21:35:50
Vulnerability analysis - SEH based buffer overflow
The vulnerability lies in the way the web server component of Disk Pulse 9.9.16 parses GET requests. An attacker can craft a malicious GET request that overwrites the SEH frame, which gives the attacker complete control over the program's flow. Because Disk Pulse runs with Administrator rights, the attacker gains full access to the system with the highest level of privileges.
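From the defender's side, the request that triggers this kind of parsing flaw looks nothing like legitimate traffic to a management web interface. The following is an added detection example, not code from the book or from Disk Pulse: it inspects the first line of captured HTTP requests and flags the traits of an overflow attempt against a GET parser (an oversized request target, non-printable bytes, or long runs of one filler byte). The thresholds and the sample requests are constructed assumptions.

```python
"""Flag HTTP request lines that look like buffer-overflow attempts against a
GET-request parser such as the Disk Pulse web component described above.
Thresholds are assumptions chosen for illustration, not values from the page."""
import re

MAX_TARGET_LEN = 1024   # assumption: real management URLs are far shorter than this
MAX_REPEAT_RUN = 64     # assumption: 64+ identical bytes in a path is filler, not a URL

# Request line per RFC 7230: METHOD SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d\r?\n")


def inspect_request_line(raw: bytes) -> list:
    """Return a list of reasons the request is suspicious (empty means benign)."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return ["request line does not parse as HTTP"]
    target = m.group("target")
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append(f"request target is {len(target)} bytes")
    if any(b < 0x20 or b > 0x7E for b in target):
        reasons.append("request target contains non-printable bytes")
    # (.)\1{N-1,} matches N or more consecutive copies of the same byte
    run = re.search(rb"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), target, re.DOTALL)
    if run:
        reasons.append(f"run of {len(run.group(0))} repeated {run.group(1)!r} bytes")
    return reasons


def scan_requests(requests: list) -> dict:
    """Map the index of every suspicious request to its reasons."""
    return {i: r for i, r in enumerate(map(inspect_request_line, requests)) if r}


# Constructed sample traffic: one normal request and one oversized request line.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: diskpulse.local\r\n\r\n",
    b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: diskpulse.local\r\n\r\n",
]

if __name__ == "__main__":
    for idx, reasons in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: " + "; ".join(reasons))
```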
Let's make use of the vulnerability and exploit the system as follows:
After setting only RHOST and LPORT (the port on which our handler listens for the connection back from the target once exploitation succeeds), we are ready to exploit the system. As soon as we run the exploit, Meterpreter session 5 is opened, which marks a successful compromise of the target. We can verify our list of sessions using the sessions -i command as follows:
Let's interact with session 5 and check the level of access we have:
Issuing the getuid command, we can see that we are already running as NT AUTHORITY\SYSTEM, the highest level of privilege on the Windows OS.
For more information on the vulnerability, refer to: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13696.